This project provides a semi-generic backend API for supporting WebAuthn credential registration and authentication. It is intended to be run in a way that lets it be shared between multiple consuming applications. It uses an API key and secret to authenticate requests, and further uses that secret as the encryption key. Loss of the API secret would therefore mean loss of all stored WebAuthn credentials.
This application can be run in two ways:

- As a standalone server using the builtin webserver available in the `server/` folder
- As an AWS Lambda function using the `lambda/` implementation. This implementation can also use the Serverless Framework to help automate build/deployment. It should also be noted that the `lambda` format depends on some resources already existing in AWS. There is a `lambda/terraform/` folder with the Terraform configurations needed to provision them.
Yes, as you'll see below, this API makes heavy use of custom headers for values that seem like they could go in the request body. We chose headers so that whatever is sent in the body can be handed directly to the WebAuthn library and match the structures it expects, without any conflicts.
- `x-mfa-apikey` - The API Key
- `x-mfa-apisecret` - The API Key Secret
- `x-mfa-RPDisplayName` - The Relying Party Display Name, ex: `ACME Inc.`
- `x-mfa-RPID` - The Relying Party ID, ex: `domain.com` (should only be the top level domain, no subdomain, protocol, or path)
- `x-mfa-RPOrigin` - The browser Origin for the request, ex: `https://sub.domain.com` (include appropriate subdomain and protocol, no path or port)
- `x-mfa-UserUUID` - The UUID for the user attempting to register or authenticate with WebAuthn. This has nothing to do with WebAuthn, but is the primary key for finding the right records in DynamoDB
- `x-mfa-Username` - The user's username in your service
- `x-mfa-UserDisplayName` - The user's display name
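The header rules above (a bare domain for the RP ID, a scheme-plus-host origin that belongs to that RP ID, a UUID for the user) are exactly the kind of input a shared backend should validate before it touches DynamoDB or the WebAuthn library. The following is an added example, not code from this project: a Go validator for the `x-mfa-*` headers. The sample key, secret and UUID are constructed placeholders, and the choice to accept only `https` origins is an assumption of this example (WebAuthn requires a secure context), not a rule stated in the README.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"regexp"
	"strings"
)

// Header names as documented in this README. Go's http.Header canonicalises keys,
// so Header.Get is case-insensitive regardless of how the client spells them.
const (
	hdrAPIKey        = "x-mfa-apikey"
	hdrAPISecret     = "x-mfa-apisecret"
	hdrRPDisplayName = "x-mfa-RPDisplayName"
	hdrRPID          = "x-mfa-RPID"
	hdrRPOrigin      = "x-mfa-RPOrigin"
	hdrUserUUID      = "x-mfa-UserUUID"
	hdrUsername      = "x-mfa-Username"
	hdrUserDisplay   = "x-mfa-UserDisplayName"
)

var requiredHeaders = []string{hdrAPIKey, hdrAPISecret, hdrRPDisplayName, hdrRPID,
	hdrRPOrigin, hdrUserUUID, hdrUsername, hdrUserDisplay}

// Textual UUID form (hex groups 8-4-4-4-12) and a single lowercase DNS label.
var uuidRe = regexp.MustCompile(`^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$`)
var labelRe = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]*[a-z0-9])?$`)

// validateRPID enforces the README rule for x-mfa-RPID: a bare domain such as
// domain.com with at least two labels and no scheme, path, port or stray characters.
func validateRPID(rpid string) error {
	labels := strings.Split(rpid, ".")
	if len(labels) < 2 {
		return fmt.Errorf("%s %q must have at least two labels", hdrRPID, rpid)
	}
	for _, l := range labels {
		if !labelRe.MatchString(l) {
			return fmt.Errorf("%s %q has invalid label %q (no scheme, path or port)", hdrRPID, rpid, l)
		}
	}
	return nil
}

// validateRPOrigin enforces the README rule for x-mfa-RPOrigin: scheme and host
// only, and the host must be the RP ID itself or a subdomain of it, which is the
// WebAuthn relationship between an origin and its RP ID.
func validateRPOrigin(origin, rpid string) error {
	u, err := url.Parse(origin)
	if err != nil {
		return fmt.Errorf("%s %q is not a URL: %v", hdrRPOrigin, origin, err)
	}
	if u.Scheme != "https" { // assumption of this example: https only
		return fmt.Errorf("%s %q must use https", hdrRPOrigin, origin)
	}
	if u.Host == "" || u.Port() != "" || u.User != nil {
		return fmt.Errorf("%s %q must be scheme://host with no port or userinfo", hdrRPOrigin, origin)
	}
	if u.Path != "" || u.RawQuery != "" || u.Fragment != "" {
		return fmt.Errorf("%s %q must not carry a path, query or fragment", hdrRPOrigin, origin)
	}
	host := strings.ToLower(u.Hostname())
	if host != rpid && !strings.HasSuffix(host, "."+rpid) {
		return fmt.Errorf("%s host %q is not %q or a subdomain of it", hdrRPOrigin, host, rpid)
	}
	return nil
}

// ValidateMFAHeaders checks that every x-mfa-* header is present and that the RP ID,
// origin and user UUID have the documented shape. The first failure is returned; the
// caller would answer it with HTTP 400 before doing any WebAuthn or DynamoDB work.
func ValidateMFAHeaders(h http.Header) error {
	for _, name := range requiredHeaders {
		if strings.TrimSpace(h.Get(name)) == "" {
			return fmt.Errorf("missing required header %s", name)
		}
	}
	rpid := strings.ToLower(strings.TrimSpace(h.Get(hdrRPID)))
	if err := validateRPID(rpid); err != nil {
		return err
	}
	if err := validateRPOrigin(strings.TrimSpace(h.Get(hdrRPOrigin)), rpid); err != nil {
		return err
	}
	if !uuidRe.MatchString(strings.TrimSpace(h.Get(hdrUserUUID))) {
		return fmt.Errorf("%s is not a UUID", hdrUserUUID)
	}
	return nil
}

// headersFrom builds an http.Header from a plain map (demo convenience).
func headersFrom(m map[string]string) http.Header {
	h := http.Header{}
	for k, v := range m {
		h.Set(k, v)
	}
	return h
}

// cloneWith copies base and overrides one key; an empty value removes the key.
func cloneWith(base map[string]string, key, value string) map[string]string {
	out := make(map[string]string, len(base))
	for k, v := range base {
		out[k] = v
	}
	if value == "" {
		delete(out, key)
	} else {
		out[key] = value
	}
	return out
}

// sampleHeaders is a constructed request; key, secret and UUID are placeholders.
var sampleHeaders = map[string]string{
	hdrAPIKey: "example-api-key", hdrAPISecret: "example-api-secret",
	hdrRPDisplayName: "ACME Inc.", hdrRPID: "domain.com", hdrRPOrigin: "https://sub.domain.com",
	hdrUserUUID: "4b5d9c2e-1f3a-4c8b-9e7d-0a1b2c3d4e5f", hdrUsername: "jdoe", hdrUserDisplay: "Jane Doe",
}

func main() {
	fmt.Println("valid request:", ValidateMFAHeaders(headersFrom(sampleHeaders)))
	fmt.Println("origin with path:", ValidateMFAHeaders(headersFrom(cloneWith(sampleHeaders, hdrRPOrigin, "https://sub.domain.com/login"))))
}
```

Rejecting an origin whose host merely starts with the RP ID (for example `domain.com.other.example`) is why the check uses a `"."+rpid` suffix comparison rather than `strings.HasPrefix`; the same comparison is what the WebAuthn library will apply later, so failing fast here simply gives the consuming application a clearer error.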
- `POST /webauthn/register`
- `PUT /webauthn/register`
- `POST /webauthn/login`
- `PUT /webauthn/login`
- `DELETE /webauthn/user`
- `DELETE /webauthn/credential`