-
-
Notifications
You must be signed in to change notification settings - Fork 136
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove footgun related to random user IDs #530
Comments
I am using them now for the userID. I suspect that they would fit within your proposed 64 byte Uint8Array type, but have not tested to determine if this would break my code. Please consider using ULIDs for your userID generation given their benefits in data storage: more info |
I still think by default it's a good idea for me to generate completely random values when |
I have not... I'm having some trouble with this - I let py_webauthn generate a user id from the backend (it gets encoded to "OPclcKTH6cjyjoRncpBrvKaepPz4eagbzFtOVnYCmANpUx0Vntm1lzlabOri5BF97CLNfTL440SIhbqwd459eQ") and then I'm converting that to a Uint8Array:
I get 64 elements: But then startRegistration() has an exception "TypeError: User ID was not between 1 and 64 characters". Any tips? |
@rimu Are you feeding output from |
Ah, yes, now I can see where startRegistration does the conversion. I still get the same error, though. I'm using 9.0.1 which is a bit old. That is the version that |
Solved by using a shorter user_id: duo-labs/py_webauthn#199 (comment) |
Can undo this when MasterKale/SimpleWebAuthn#530 is fixed
These changes are now available in the recently-published @simplewebauthn/browser@10.0.0, @simplewebauthn/server@10.0.0, and @simplewebauthn/types@10.0.0 ✌️ |
@MasterKale Is it required to save the random generated user ID value in the database? From my understanding, it is randomly generated in |
@P4sca1, The userId is the userId, if you aren't using the userId how are you identifying who the user is? |
I create a HTTP session when the authentication / registration process starts which contains the user id and WebAuthn challenge. |
Okay, I found it in the spec (emphasis mine):
https://www.w3.org/TR/webauthn-3/#user-handle For the secondary use case, it reads like the spec suggests to use the same user id for all authenticators that belong to the same user. This would imply that using random user ids is not ideal? |
From https://www.w3.org/TR/webauthn-3/#sctn-user-handle-privacy:
|
There's also a subtle nuance in here that credential IDs are chosen by the authenticator, but user IDs are chosen by the RP. That makes user IDs "better" from the RP's perspective because it's a value that the RP controls and can predict the shape of vs the variability observable in credential ID lengths.
One of the main goals of using random identifiers for |
(That said I still personally think it's okay to simply look up users by credential ID; I haven't heard of anyone running into issues with this approach. It's stuff like this that makes it hard to suggest the "best" way to do anything with SimpleWebAuthn: RP use cases and risk models are so varied I try to find a middle ground that'll not make a ton of work for any one type of RP...) |
Thank you for the detailed answer and your continued work on the SimpleWebAuthn library! |
This is another reason I started looking up users by credential ID and never really looked back. Nowadays |
Describe the issue
Recent discussion over in the py_webauthn project (duo-labs/py_webauthn#187) focused on how allowing strings for user IDs when generating registration options can encourage the use of PII since e.g. "emails are strings, so why not use that?" However, the WebAuthn spec specifically discourages this pattern and encourages RPs to use random 64 bytes as IDs:
Additionally, in L3, new JSON serialization types have been defined that also say user.id should be a "Base64URLString" (an alias for DOMString but trying to communicate an encoding) when calling the upcoming PublicKeyCredential.parseCreationOptionsFromJSON() method:
https://w3c.github.io/webauthn/#dom-publickeycredentialuserentityjson-id
And the new PublicKeyCredential.toJSON() method will also base64url-encode userHandle bytes to make them JSON-friendly:
https://w3c.github.io/webauthn/#dom-publickeycredential-tojson
In this project, though, I treat
userID
anduserHandle
as UTF-8 strings because it'd been my belief that this was better developer experience to keep these values human-readable.I think I need to give up my "developer experience" crusade here, though, as it runs counter to explicit user privacy goals in WebAuthn and just follow the spec more closely here.
To achieve this I should make similar behavior changes here that correspond to the ones I made to py_webauthn in duo-labs/py_webauthn#197 and...
userID
argument ingenerateRegistrationOptions()
an optionalUint8Array
userID
is not specified then generate 64 random bytes and return that (with instructions to RPs to associate these bytes with whatever user account the RP's site uses internally.)userHandle
to base64url string instead instartAuthentication()
The text was updated successfully, but these errors were encountered: