Merge pull request #9 from GluuFederation/agama-lab-flow-designer

fix(agama-passkeys): Aligning with FIDO server

Author: maduvena

lib/org/gluu/agama/passkey/ScimFido2Helper.java

@@ -33,9 +33,11 @@ public Map<String, Object> getFidoDeviceByUser(String userInum) throws IOExcepti
             StringJoiner joiner = new StringJoiner("&");
             Map.of("userId", userInum).forEach((k, v) -> joiner.add(k + "=" + v));
             request.setQuery(joiner.toString());
-
+            log.info("userId:"+userInum)
+            log.info("request:"+request)
+            
             String response = sendRequest(request, true, true).getContentAsJSONObject().toJSONString();
-            log.debug("Response scim fido2 devices: {}", response);
+            log.info("Response scim fido2 devices: {}", response);
             JSONObject resObject = new JSONObject(response);
             int count = resObject.getInt("totalResults");
             List<Map<String, String>> mapList = new ArrayList<>();

lib/org/gluu/agama/passkey/ScimWSBase.java

@@ -48,7 +48,7 @@ public ScimWSBase(boolean doHealthCheck, ScimSetting scimSetting) throws IOExcep
             String authz = scimSetting.getScimClientId() + ":" + scimSetting.getScimClientSecret();
             String authzEncoded = new String(Base64.getEncoder().encode(authz.getBytes(UTF_8)), UTF_8);
             basicAuthnHeader = "Basic " + authzEncoded;
-            log.debug("Scim loaded successfully, basicAuthnHeader: {}, apiBase: {}", authz, apiBase);
+            log.info("Scim loaded successfully, basicAuthnHeader: {}, apiBase: {}", authz, apiBase);
         }
     }
 
@@ -66,7 +66,7 @@ protected HTTPResponse sendRequest(HTTPRequest request, boolean checkOK, boolean
         if (withToken) {
             refreshToken();
             request.setAuthorization("Bearer " + token);
-            log.debug("--> Header Authorization: Bearer {}", token);
+            log.info("--> Header Authorization: Bearer {}", token);
         }
 
         HTTPResponse r = request.send();
@@ -83,7 +83,7 @@ protected String encode(String str) {
     private void ensureScimAvailability() throws IOException {
         try {
             URL url = new URL(serverBase + "/jans-scim/sys/health-check");
-            log.debug("Scim health-check url: {}", url);
+            log.info("Scim health-check url: {}", url);
             HTTPRequest request = new HTTPRequest(HTTPRequest.Method.GET, url);
             sendRequest(request, true, false);
         } catch (Exception e) {
@@ -103,10 +103,10 @@ private void refreshToken() throws IOException {
         setTimeouts(request);
         request.setQuery(joiner.toString());
         request.setAuthorization(basicAuthnHeader);
-
+        log.info("request : " +request.getURI().toURL().toString());
         try {
             Map<String, Object> jobj = request.send().getContentAsJSONObject();
-
+            log.info("jobj : "+jobj)
             long exp = Long.parseLong(jobj.get("expires_in").toString()) * 1000;
             tokenExp = System.currentTimeMillis() + exp;
             token = jobj.get("access_token").toString();

lib/org/gluu/agama/passkey/authn/FidoValidator.java

@@ -2,23 +2,26 @@
 
 import io.jans.fido2.client.AssertionService;
 import io.jans.fido2.client.Fido2ClientFactory;
+
+import io.jans.fido2.model.assertion.AssertionOptions;
+import com.fasterxml.jackson.databind.ObjectMapper;
 import jakarta.ws.rs.core.Response;
 import net.minidev.json.JSONObject;
 import org.gluu.agama.passkey.NetworkUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-
+import io.jans.fido2.model.assertion.AssertionResult;
 import java.io.IOException;
 import java.util.Map;
 
 public class FidoValidator {
 
     private static final Logger logger = LoggerFactory.getLogger(FidoValidator.class);
-
+    private static ObjectMapper mapper = new ObjectMapper();
     private final String metadataConfiguration;
 
     public FidoValidator() throws IOException {
-        logger.debug("Inspecting fido2 configuration discovery URL");
+        logger.info("Inspecting fido2 configuration discovery URL");
         String metadataUri = NetworkUtils.urlBeforeContextPath() + "/.well-known/fido2-configuration";
 
         try (Response response = Fido2ClientFactory.instance().createMetaDataConfigurationService(metadataUri).getMetadataConfiguration()) {
@@ -34,17 +37,20 @@ public FidoValidator() throws IOException {
     }
 
     public String assertionRequest(String uid) throws IOException {
-        logger.debug("Building an assertion request for {}", uid);
+        logger.info("Building an assertion request for {}", uid);
         // Using assertionService as a private class field gives serialization trouble...
         AssertionService assertionService = Fido2ClientFactory.instance().createAssertionService(metadataConfiguration);
         String content;
+        AssertionOptions assertionRequest = new AssertionOptions()
         if (uid == null) {
             content = JSONObject.toJSONString(Map.of("timeout", 90000));
         } else {
             content = JSONObject.toJSONString(Map.of("timeout", 90000, "username", uid));
+            assertionRequest.setUsername(uid);
         }
-
-        try (Response response = (uid == null ? assertionService.generateAuthenticate(content) : assertionService.authenticate(content))) {
+        
+        
+        try (Response response = ( assertionService.authenticate(assertionRequest))) {
             content = response.readEntity(String.class);
             int status = response.getStatus();
 
@@ -58,24 +64,25 @@ public String assertionRequest(String uid) throws IOException {
     }
 
     public String verify(String tokenResponse) throws IOException {
-        logger.debug("Verifying fido token response");
+        logger.info("Verifying fido token response : "+tokenResponse);
         AssertionService assertionService = Fido2ClientFactory.instance().createAssertionService(metadataConfiguration);
-
-        Response response = assertionService.verify(tokenResponse);
+        AssertionResult assertionResult = mapper.readValue(tokenResponse, AssertionResult.class);
+        Response response = assertionService.verify(assertionResult);
         int status = response.getStatus();
         if (status != Response.Status.OK.getStatusCode()) {
             org.json.JSONObject jsonNode = new org.json.JSONObject(response.readEntity(String.class));
             StringBuilder sb = new StringBuilder(String.format("Verification step failed, status: %s", status));
             if (jsonNode.has("error_description")) {
                 sb.append(String.format(", description: %s", jsonNode.getString("error_description")));
             }
-            logger.error(sb.toString());
+            logger.info(sb.toString());
             throw new IOException(sb.toString());
         }
 
         String resString = response.readEntity(String.class);
+        logger.info("Response : "+resString)
         org.json.JSONObject jsonNode = new org.json.JSONObject(resString);
-        logger.error("Status: {}, Response: {}", status, jsonNode);
+        logger.info("Status: {}, Response: {}", status, jsonNode);
         if (jsonNode.has("username")) {
             String user = jsonNode.getString("username");
             logger.debug("User returned: {}", user);

lib/org/gluu/agama/passkey/enroll/FidoEnroller.java

@@ -24,16 +24,19 @@ public String getAttestationMessage(String id) throws IOException {
             HTTPRequest request = new HTTPRequest(HTTPRequest.Method.GET, new URL(getApiBase() + "/enrollment/fido2/attestation"));
 
             StringJoiner joiner = new StringJoiner("&");
-            Map.of("userid", id, "platformAuthn", "false").forEach((k, v) -> joiner.add(k + "=" + encode(v)));
+            // Map.of("userid", id, "platformAuthn", "false").forEach((k, v) -> joiner.add(k + "=" + encode(v)));
+            
+            Map.of("userid", id).forEach((k, v) -> joiner.add(k + "=" + encode(v)));
             request.setQuery(joiner.toString());
 
-            log.debug("Generating an attestation message for {}", id);
+            log.info("Generating an attestation message for {}", id);
             HTTPResponse response = sendRequest(request, false, true);
             String responseContent = response.getContent();
             int status = response.getStatusCode();
-
+            log.info("Status of attestation :"+ status);
+            log.info("responseContent : "+ responseContent);
             if (status != 200) {
-                log.error("Attestation response was: ({}) {}", status, responseContent);
+                log.info("Attestation response was: ({}) {}", status, responseContent);
                 throw new Exception(response.getContentAsJSONObject().get("code").toString());
             }
             return responseContent;
@@ -49,11 +52,12 @@ public String verifyRegistration(String id, String tokenResponse) throws IOExcep
                     new URL(getApiBase() + "/enrollment/fido2/registration/" + encode(id)));
             request.setQuery(tokenResponse);
 
-            log.debug("Verifying registration");
+            log.info("Verifying registration : "+id +":"+ tokenResponse);
             HTTPResponse response = sendRequest(request, false, true);
             int status = response.getStatusCode();
+            log.info("Status : "+status)
             Map<String, Object> map = response.getContentAsJSONObject();
-
+            log.info("Map: "+map)
             if (status != 201) {
                 log.error("Verification response was: ({}) {}", status, response.getContent());
                 throw new Exception(map.get("code").toString());
@@ -75,11 +79,11 @@ public boolean nameIt(String id, String nickname, String key) throws IOException
             request.setContentType(APPLICATION_JSON);
             request.setQuery(body);
 
-            log.debug("Naming fido credential for {}", nickname);
+            log.info("Naming fido credential for {}", nickname);
             HTTPResponse response = sendRequest(request, false, true);
             int status = response.getStatusCode();
 
-            log.debug("Response was ({}): {}", status, response.getContent());
+            log.info("Response was ({}): {}", status, response.getContent());
             return status == 200;
         } catch (Exception e) {
             throw new IOException("Failed to name fido credential", e);

web/nickname.ftlh

@@ -1,65 +1,63 @@
-<!doctype html>
-<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
-<head>
-    <title>Passkey nickname</title>
-    <meta name="viewport" content="width=device-width, initial-scale=1">
-    <link rel="icon" href="${webCtx.contextPath}/servlet/favicon" type="image/x-icon">
-    <script src="https://cdn.tailwindcss.com"></script>
-    <script>
-        tailwind.config = {
-            darkMode: 'class'
-        }
-    </script>
-</head>
+[#ftl output_format="HTML"]
+<!DOCTYPE html>
+<html lang="en">
+<head><meta name="viewport" content="width=device-width, initial-scale=1"><title>Passkey nickname
+	</title><link rel="icon" href="${webCtx.contextPath}/servlet/favicon" type="image/x-icon"></head>
 <body>
-<section class="bg-gray-100 dark:bg-gray-900">
-    <div class="flex flex-col items-center justify-center px-6 py-8 mx-auto md:h-screen lg:py-0">
-        <div class="flex flex-col items-center mb-6 text-2xl font-semibold text-gray-900 dark:text-white">
-            <img class="w-40 mr-2"
-                 src="https://gluu.org/wp-content/uploads/2021/02/janssen-project-transparent-630px-182px-300x86.png"
-                 alt="logo">
-        </div>
-        <div class="w-full bg-white rounded-lg shadow-lg dark:border md:mt-0 sm:max-w-md xl:p-0 dark:bg-gray-800 dark:border-gray-700">
-            <form method="post" enctype="application/x-www-form-urlencoded"
-                  class="p-6 space-y-4 md:space-y-6 sm:p-8">
-                <div class="flex items-center justify-center">
-                    <svg height="32" aria-hidden="true" viewBox="0 0 24 24" version="1.1" width="32"
-                         data-view-component="true" class="!fill-green-700 w-8 h-8">
-                        <path d="M17.28 9.28a.75.75 0 0 0-1.06-1.06l-5.97 5.97-2.47-2.47a.75.75 0 0 0-1.06 1.06l3 3a.75.75 0 0 0 1.06 0l6.5-6.5Z"></path>
-                        <path d="M12 1c6.075 0 11 4.925 11 11s-4.925 11-11 11S1 18.075 1 12 5.925 1 12 1ZM2.5 12a9.5 9.5 0 0 0 9.5 9.5 9.5 9.5 0 0 0 9.5-9.5A9.5 9.5 0 0 0 12 2.5 9.5 9.5 0 0 0 2.5 12Z"></path>
-                    </svg>
-                </div>
 
-                <h1 class="text-xl text-center font-medium text-gray-900 md:text-2xl dark:text-white">
-                    Successfully added a passkey
-                </h1>
-
-                <p class="text-gray-600 leading-tight">
-                    From now on, you can use this passkey to sign-in.
-                </p>
-
-                <div class="w-full border-t border-gray-300"></div>
-
-                <div class="space-y-2">
-                    <label class="text-gray-800" for="nickname">
-                        Passkey nickname
-                    </label>
-                    <p class="text-gray-600 leading-tight">
-                        This is a hardware passkey - you may want to nickname it by its manufacturer or device model.
-                    </p>
-                </div>
-
-                <input type="text" name="nickname" id="nickname"
-                       class="bg-gray-50 border border-gray-300 text-gray-900 sm:text-sm rounded-lg focus:ring-primary-600 focus:border-primary-600 block w-full p-2.5 dark:bg-gray-700 dark:border-gray-600 dark:placeholder-gray-400 dark:text-white dark:focus:ring-blue-500 dark:focus:border-blue-500"
-                       placeholder="" required="" autocomplete="off">
-
-                <button type="submit"
-                        class="w-full text-white bg-green-600 hover:bg-green-700 font-medium rounded-lg text-sm px-5 py-2.5 text-center dark:bg-primary-600 dark:hover:bg-primary-700 dark:focus:ring-primary-800">
-                    Done
-                </button>
-            </form>
-        </div>
-    </div>
-</section>
+  
+	
+	
+	
+  
+  
+	<section class="bg-gray-100 dark:bg-gray-900">
+	  <div class="flex flex-col items-center justify-center px-6 py-8 mx-auto md:h-screen lg:py-0">
+		<div class="flex flex-col items-center mb-6 text-2xl font-semibold text-gray-900 dark:text-white">
+		  <img src="https://gluu.org/wp-content/uploads/2021/02/janssen-project-transparent-630px-182px-300x86.png" alt="logo" class="w-40 mr-2">
+		</div>
+		<div class="w-full bg-white rounded-lg shadow-lg dark:border md:mt-0 sm:max-w-md xl:p-0 dark:bg-gray-800 dark:border-gray-700">
+		  <form method="post" enctype="application/x-www-form-urlencoded" class="p-6 space-y-4 md:space-y-6 sm:p-8">
+			<div class="flex items-center justify-center">
+			  <svg height="32" aria-hidden="true" viewBox="0 0 24 24" version="1.1" width="32" data-view-component="true" class="-fill-green-700 w-8 h-8">
+				<path d="M17.28 9.28a.75.75 0 0 0-1.06-1.06l-5.97 5.97-2.47-2.47a.75.75 0 0 0-1.06 1.06l3 3a.75.75 0 0 0 1.06 0l6.5-6.5Z">
+				</path>
+				<path d="M12 1c6.075 0 11 4.925 11 11s-4.925 11-11 11S1 18.075 1 12 5.925 1 12 1ZM2.5 12a9.5 9.5 0 0 0 9.5 9.5 9.5 9.5 0 0 0 9.5-9.5A9.5 9.5 0 0 0 12 2.5 9.5 9.5 0 0 0 2.5 12Z">
+				</path>
+			  </svg>
+			</div>
+			<h1 class="text-xl text-center font-medium text-gray-900 md:text-2xl dark:text-white">
+			  Successfully added a passkey
+			</h1>
+			<p class="text-gray-600 leading-tight">
+			  From now on, you can use this passkey to sign-in.
+			</p>
+			<div class="w-full border-t border-gray-300">
+			</div>
+			<div class="space-y-2">
+			  <label for="nickname" class="text-gray-800">
+				Passkey nickname
+			  </label>
+			  <p class="text-gray-600 leading-tight">
+				You may want to nickname it by its manufacturer or device model.
+			  </p>
+			</div>
+			<input type="text" name="nickname" id="nickname" placeholder="" required="" autocomplete="off" class="bg-gray-50 border border-gray-300 text-gray-900 sm:text-sm rounded-lg focus:ring-primary-600 focus:border-primary-600 block w-full p-2-5 dark:bg-gray-700 dark:border-gray-600 dark:placeholder-gray-400 dark:text-white dark:focus:ring-blue-500 dark:focus:border-blue-500">
+			<button type="submit" class="w-full text-white bg-green-600 hover:bg-green-700 font-medium rounded-lg text-sm px-5 py-2-5 text-center dark:bg-primary-600 dark:hover:bg-primary-700 dark:focus:ring-primary-800">
+			  Done
+			</button>
+		  </form>
+		</div>
+	  </div>
+	</section>
+  
+  
+  
 </body>
-</html>
+
+<script src="https://cdn.tailwindcss.com"></script><script>
+	tailwind.config = {
+	  darkMode: 'class'
+	}
+  </script>
+</html>