Description
This project provides a low-level and a high-level API to use the Web Authentication API (WebAuthn).
webauthn alternatives and similar packages
Based on the "Authentication & OAuth" category.
Alternatively, view webauthn alternatives based on common mentions on social networks and blogs.
-
casbin
An authorization library that supports access control models like ACL, RBAC, ABAC in Golang: https://discord.gg/S5UjpzGZjN -
aws-doc-sdk-examples
Welcome to the AWS Code Examples Repository. This repo contains code examples used in the AWS documentation, AWS SDK Developer Guides, and more. For more information, see the Readme.md file below. -
jwt-go
DISCONTINUED. ARCHIVE - Golang implementation of JSON Web Tokens (JWT). This project is now maintained at: -
goth
Package goth provides a simple, clean, and idiomatic way to write authentication packages for Go web applications. -
loginsrv
JWT login microservice with plugable backends such as OAuth2, Google, Github, htpasswd, osiam, .. -
github.com/lestrrat-go/jwx/v2
Implementation of various JWx (Javascript Object Signing and Encryption/JOSE) technologies -
permissions2
DISCONTINUED. :closed_lock_with_key: Middleware for keeping track of users, login states and permissions -
yubigo
Yubigo is a Yubikey client API library that provides an easy way to integrate the Yubico Yubikey into your existing Go-based user authentication infrastructure. -
sessions
A dead simple, highly performant, highly customizable sessions middleware for go http servers.
SaaSHub - Software Alternatives and Reviews
Do you think we are missing an alternative of webauthn or a related project?
README
webauthn : Web Authentication API in Go
Overview
This project provides a low-level and a high-level API to use the Web Authentication API (WebAuthn).
Install
go get github.com/koesie10/webauthn
Attestation
By default, this library does not support any attestation statement formats. To use the default attestation formats,
you will need to import github.com/koesie10/webauthn/attestation
or any of its subpackages if you would just like
to support some attestation statement formats.
Please note that the Android SafetyNet attestation statement format depends on
gopkg.in/square/go-jose.v2
, which means that this package will be imported
when you import either github.com/koesie10/webauthn/attestation
or
github.com/koesie10/webauthn/attestation/androidsafetynet
.
High-level API
The high-level API can be used with the net/http
package and simplifies the low-level API. It is located in the webauthn
subpackage. It is intended
for use with e.g. fetch
or XMLHttpRequest
JavaScript clients.
First, make sure your user entity implements User
. Then, create a new entity
implements Authenticator
that stores each authenticator the user
registers.
Then, either make your existing repository implement AuthenticatorStore
or create a new repository.
Finally, you can create the main WebAuthn
struct supplying the
Config
options:
w, err := webauthn.New(&webauthn.Config{
// A human-readable identifier for the relying party (i.e. your app), intended only for display.
RelyingPartyName: "webauthn-demo",
// Storage for the authenticator.
AuthenticatorStore: storage,
})
Then, you can use the methods defined, such as StartRegistration
to handle registration and login. Every handler requires a Session
, which stores
intermediate registration/login data. If you use gorilla/sessions
, use
webauthn.WrapMap
(session.Values)
. Read the documentation for complete information
on what parameters need to be passed and what values are returned.
For example, a handler for finishing the registration might look like this:
func (r *http.Request, rw http.ResponseWriter) {
ctx := r.Context()
// Get the user in some way, in this case from the context
user, ok := UserFromContext(ctx)
if !ok {
rw.WriteHeader(http.StatusForbidden)
return
}
// Get or create a session in some way, in this case from the context
sess := SessionFromContext(ctx)
// Then call FinishRegistration to register the authenticator to the user
h.webauthn.FinishRegistration(r, rw, user, webauthn.WrapMap(sess))
}
A complete demo application using the high-level API which implements all of these interfaces and stores data in memory is available here.
JavaScript examples
[This class](webauthn.js) is an example that can be used to handle the registration and login phases. It can be used as follows:
const w = new WebAuthn();
// Registration
w.register().then(() => {
alert('This authenticator has been registered.');
}).catch(err => {
console.error(err);
alert('Failed to register: ' + err);
});
// Login
w.login().then(() => {
alert('You have been logged in.');
}).catch(err => {
console.error(err);
alert('Failed to login: ' + err);
});
Or, with latest async/await
paradigm:
const w = new WebAuthn();
// Registration
try {
await w.register();
alert('This authenticator has been registered.');
} catch (err) {
console.error(err)
alert('Failed to register: ' + err);
}
// Login
try {
await w.login();
alert('You have been logged in.');
} catch(err) {
console.error(err);
alert('Failed to login: ' + err);
}
Low-level API
The low-level closely resembles the specification and the high-level API should be preferred. However, if you would like to use the low-level API, the main entry points are:
License
MIT.
*Note that all licence references and agreements mentioned in the webauthn README section above
are relevant to that project's source code only.