Description
This project provides a low-level and a high-level API to use the Web Authentication API (WebAuthn).
webauthn alternatives and similar packages
Based on the "Authentication & OAuth" category.
- oauth2: Successor of goauth2. Generic OAuth 2.0 package that comes with JWT, Google APIs, Compute Engine and App Engine support.
- goth: Provides a simple, clean, and idiomatic way to use OAuth and OAuth2. Handles multiple providers out of the box.
- authboss: A modular authentication system for the web. It tries to remove as much boilerplate and "hard things" as possible so that each time you start a new web project in Go, you can plug it in, configure, and start building your app without having to build an authentication system each time.
- go-jose: A fairly complete implementation of the JOSE working group's JSON Web Token, JSON Web Signatures, and JSON Web Encryption specs.
- permissions2: Library for keeping track of users, login states and permissions. Uses secure cookies and bcrypt.
- yubigo: A Yubikey client package that provides a simple API to integrate the Yubico Yubikey into a Go application.
- sessions: A dead simple, highly performant, highly customizable sessions service for Go HTTP servers.
- Facecontrol: Simple yet powerful authentication, single sign-on and (optional) authorization solution.
README
webauthn: Web Authentication API in Go
Overview

This project provides a low-level and a high-level API to use the Web Authentication API (WebAuthn).
Install
go get github.com/koesie10/webauthn
Attestation
By default, this library does not support any attestation statement formats. To use the default attestation formats, you will need to import `github.com/koesie10/webauthn/attestation`, or any of its subpackages if you would just like to support some attestation statement formats.

Please note that the Android SafetyNet attestation statement format depends on `gopkg.in/square/go-jose.v2`, which means that this package will be imported when you import either `github.com/koesie10/webauthn/attestation` or `github.com/koesie10/webauthn/attestation/androidsafetynet`.
High-level API
The high-level API can be used with the `net/http` package and simplifies the low-level API. It is located in the `webauthn` subpackage. It is intended for use with e.g. `fetch` or `XMLHttpRequest` JavaScript clients.

First, make sure your user entity implements `User`. Then, create a new entity that implements `Authenticator` and stores each authenticator the user registers.

Then, either make your existing repository implement `AuthenticatorStore` or create a new repository.

Finally, you can create the main `WebAuthn` struct, supplying the `Config` options:
```go
w, err := webauthn.New(&webauthn.Config{
	// A human-readable identifier for the relying party (i.e. your app), intended only for display.
	RelyingPartyName: "webauthn-demo",
	// Storage for the authenticator.
	AuthenticatorStore: storage,
})
```
Then, you can use the methods defined, such as `StartRegistration`, to handle registration and login. Every handler requires a `Session`, which stores intermediate registration/login data. If you use `gorilla/sessions`, use `webauthn.WrapMap(session.Values)`. Read the documentation for complete information on what parameters need to be passed and what values are returned.

For example, a handler for finishing the registration might look like this:
```go
// Handler is a hypothetical type whose webauthn field holds the *webauthn.WebAuthn
// created above; the handler follows the standard net/http signature.
func (h *Handler) FinishRegistration(rw http.ResponseWriter, r *http.Request) {
	ctx := r.Context()

	// Get the user in some way, in this case from the context
	user, ok := UserFromContext(ctx)
	if !ok {
		rw.WriteHeader(http.StatusForbidden)
		return
	}

	// Get or create a session in some way, in this case from the context
	sess := SessionFromContext(ctx)

	// Then call FinishRegistration to register the authenticator to the user
	h.webauthn.FinishRegistration(r, rw, user, webauthn.WrapMap(sess))
}
```
A complete demo application using the high-level API which implements all of these interfaces and stores data in memory is available here.
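In a WebAuthn ceremony, the central piece of intermediate data a session has to carry between the start and finish handlers is the server-generated challenge. The following is an added example, not code from this project: it uses only the standard library, and the `session` type, `challengeKey`, `startCeremony` and `finishCeremony` are hypothetical names. It shows a challenge being stored at start, then checked against the `type`, `challenge` and `origin` fields of `clientDataJSON` and discarded at finish, so a replayed response is rejected.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

type session map[string][]byte // constructed stand-in for a map-backed session
const challengeKey = "webauthn.challenge" // hypothetical key name

// startCeremony stores a fresh random challenge server-side and returns it base64url-encoded.
func startCeremony(s session) (string, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return "", err
	}
	s[challengeKey] = c
	return base64.RawURLEncoding.EncodeToString(c), nil
}

// finishCeremony checks clientDataJSON against the session state.
func finishCeremony(s session, raw []byte, wantType, wantOrigin string) error {
	want, ok := s[challengeKey]
	delete(s, challengeKey) // single use: burned even if verification fails
	if !ok {
		return fmt.Errorf("no ceremony in progress")
	}
	var cd struct{ Type, Challenge, Origin string } // JSON keys match case-insensitively
	if err := json.Unmarshal(raw, &cd); err != nil {
		return err
	}
	got, err := base64.RawURLEncoding.DecodeString(cd.Challenge)
	if err != nil || subtle.ConstantTimeCompare(got, want) != 1 {
		return fmt.Errorf("challenge mismatch")
	}
	if cd.Type != wantType || cd.Origin != wantOrigin {
		return fmt.Errorf("unexpected type %q or origin %q", cd.Type, cd.Origin)
	}
	return nil
}

func main() {
	s := session{}
	ch, _ := startCeremony(s)
	raw := []byte(`{"type":"webauthn.create","challenge":"` + ch + `","origin":"https://example.test"}`) // constructed sample
	fmt.Println(finishCeremony(s, raw, "webauthn.create", "https://example.test")) // first use
	fmt.Println(finishCeremony(s, raw, "webauthn.create", "https://example.test")) // replay
}
```

Signature and attestation verification are out of scope here; the block covers only the session-bound checks.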
JavaScript examples
[This class](webauthn.js) is an example that can be used to handle the registration and login phases. It can be used as follows:
```js
const w = new WebAuthn();

// Registration
w.register().then(() => {
    alert('This authenticator has been registered.');
}).catch(err => {
    console.error(err);
    alert('Failed to register: ' + err);
});

// Login
w.login().then(() => {
    alert('You have been logged in.');
}).catch(err => {
    console.error(err);
    alert('Failed to login: ' + err);
});
```
Or, with the latest `async`/`await` paradigm:

```js
const w = new WebAuthn();

// Registration
try {
    await w.register();
    alert('This authenticator has been registered.');
} catch (err) {
    console.error(err);
    alert('Failed to register: ' + err);
}

// Login
try {
    await w.login();
    alert('You have been logged in.');
} catch (err) {
    console.error(err);
    alert('Failed to login: ' + err);
}
```
Low-level API
The low-level API closely resembles the specification, and the high-level API should be preferred. However, if you would like to use the low-level API, the main entry points are:
License
MIT.