Add PIN Entry API for WebAuthn hardware tokens (FIDO2) to CEF

Open
#698

Description

I have added an API interface to the Alloy runtime which allows the embedding application to provide PIN entry capabilities (typically in the form of a UI dialog) to handle PIN-enforcing FIDO2 WebAuthn requests.

The interface works similarly to the GetAuthCredentials handler, but it’s a bit more complex because hardware authentication tokens have more options and failure modes (for example, PIN entry might be optional and dependent on whether the application is currently capable of requesting a PIN from the user; the authenticator may be pulled out at any time during the process; the user might not confirm authentication by touching the hardware key; …). I have attempted to design a concise interface that covers all the possibilities and failure situations that are also covered by the Chromium UI implementation.

As we have the requirement to provide custom PIN entry UI in a Java application, I have also written an extension of java-cef which forwards the full extent of this new API into Java applications. I will submit a second Pull Request to java-cef with that code if this extension here (on which it naturally depends) is deemed worthy to be upstreamed.

The extension has been tested on macOS, Linux and Windows and was found to be working on all three with YubiKey FIDO2 authenticators connected via USB (though Windows brings its own PIN entry UI and forces Chromium to use it, so this API “working” on Windows basically means that it’s not breaking the Windows UI path).
