Metadata-Version: 2.1
Name: webauthn-rp
Version: 0.0.11
Summary: WebAuthn-RP is a Python 3 library to manage credentials that conform to the Web Authentication specification.
Home-page: https://github.com/enceladus-rex/webauthn-rp
License: MIT
Author: enceladus-rex
Requires-Python: >=3.6.1,<4.0.0
Classifier: Development Status :: 4 - Beta
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.7
Classifier: Programming Language :: Python :: 3.8
Classifier: Programming Language :: Python :: 3.9
Classifier: Topic :: Security :: Cryptography
Provides-Extra: examples
Requires-Dist: cbor2 (>=5.2.0,<6.0.0)
Requires-Dist: cryptography (>=3.4.7,<4.0.0)
Requires-Dist: pyasn1 (>=0.4.8,<1.0.0)
Project-URL: Documentation, https://webauthn-rp.readthedocs.io/en/latest/
Project-URL: Repository, https://github.com/enceladus-rex/webauthn-rp
Description-Content-Type: text/markdown

<p align="center">
<br />
<img src="https://raw.githubusercontent.com/enceladus-rex/webauthn-rp/master/docs/source/_static/webauthn-rp-logo.png" />
</p>
<br />
<hr />

<span>
    <img src="https://img.shields.io/travis/com/enceladus-rex/webauthn-rp/master.svg" />
    <img src="https://img.shields.io/readthedocs/webauthn-rp/latest.svg" />
    <img src="https://img.shields.io/codecov/c/github/enceladus-rex/webauthn-rp/master.svg" />
    <img src="https://img.shields.io/lgtm/grade/python/github/enceladus-rex/webauthn-rp.svg" />
    <img src="https://img.shields.io/lgtm/alerts/github/enceladus-rex/webauthn-rp.svg" />
</span>
<br />
<br />

WebAuthn-RP is a Python 3 library to manage credentials that conform to the 
[Web Authentication specification](https://www.w3.org/TR/webauthn/).

The following is an overview and some highlights of the library. To see the autogenerated docs and
the getting started guide (which covers the Flask example under `/examples/flask`)
please visit the [readthedocs](https://webauthn-rp.readthedocs.io/en/latest/) page.

### Overview

The aim of this project is to enable Relying Parties to easily use public key credentials
in Python backend web applications. Only Python 3 is supported, since Python 2 reached
its end of life in January 2020; this lets the library use Python 3 features such as
built-in type hinting and static type checking with mypy.

The general flow of web authentication is shown in the diagrams below (taken from the spec):

<p align="center">
    <img src="https://raw.githubusercontent.com/enceladus-rex/webauthn-rp/master/docs/source/_static/webauthn-registration-flow-01.svg" align="center" width="750px" alt="WebAuthn Registration Flow" />
    <h4 align="center">WebAuthn Registration Flow (Figure 1 of WebAuthn Standard)</h4>
</p>

In the case of registration, the Relying Party server must send a freshly generated random
challenge along with information about the user that is to be registered and the specific
Relying Party with which that user is associated. This library is meant to aid in the
generation of the messages used in step 1 and the validation performed in step 6. Steps 0 and 5
are typically handled by an application-specific client library, while the routing and parsing
operations of steps 1 and 6 need to be managed by the application-specific backend, although
some utilities are provided. Steps 2, 3, and 4 are completely managed by the browser and
authenticator and are not part of this library; in fact, they are mostly covered by a
different specification (the Client to Authenticator Protocol, or CTAP). Note that the backend
must remember the challenge it issued in step 1 (for example, in the user's session) so that it
can be compared against the challenge echoed back in step 6; a challenge that is not stored
server side, or that can be used more than once, defeats the replay protection of the ceremony.

Authentication is very much like registration; however, some of the message formats are
different, and consequently so are the parsing and validation operations. The steps
and how they are handled mirror those of the registration flow:

<p align="center">
    <img src="https://raw.githubusercontent.com/enceladus-rex/webauthn-rp/master/docs/source/_static/webauthn-authentication-flow-01.svg" align="center" width="750px" alt="WebAuthn Authentication Flow" />
    <h4 align="center">WebAuthn Authentication Flow (Figure 2 of WebAuthn Standard)</h4>
</p>
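As an added example (standard-library Python, not code from webauthn-rp), the following sketches what the backend itself is responsible for in step 1 and step 6 of both flows above: issuing a fresh, single-use challenge bound to the session and to one ceremony, then checking the returned `clientDataJSON` (type, challenge, origin) and the fixed header of the authenticator data (RP ID hash, user-presence and user-verification flags, signature counter). `RP_ID`, `EXPECTED_ORIGIN` and the sample messages are constructed assumptions; verifying the attestation or assertion signature, which the library handles, is not shown.

```python
import base64
import hashlib
import hmac
import json
import secrets
import struct
import time

RP_ID = "example.com"                    # assumed Relying Party ID for this example
EXPECTED_ORIGIN = "https://example.com"  # assumed origin the browser reports in clientDataJSON
CHALLENGE_TTL = 120                      # seconds a pending challenge stays usable
FLAG_UP = 0x01                           # "user present" bit of the authenticator data flags byte
FLAG_UV = 0x04                           # "user verified" bit


def b64url_decode(text: str) -> bytes:
    # The challenge inside clientDataJSON is unpadded base64url, so restore the padding first.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class ChallengeStore:
    """Step 1: pending challenges per session, each single-use and bound to one ceremony."""

    def __init__(self, ttl: int = CHALLENGE_TTL, now=time.time):
        self._ttl, self._now, self._pending = ttl, now, {}

    def issue(self, session_id: str, ceremony: str) -> bytes:
        challenge = secrets.token_bytes(32)  # the spec requires at least 16 CSPRNG bytes
        self._pending[session_id] = (ceremony, challenge, self._now() + self._ttl)
        return challenge

    def consume(self, session_id: str, ceremony: str) -> bytes:
        entry = self._pending.pop(session_id, None)  # popped, so a replayed response finds nothing
        if entry is None:
            raise ValueError("no pending challenge for this session")
        issued_for, challenge, expires_at = entry
        if issued_for != ceremony:
            raise ValueError("challenge was issued for a different ceremony")
        if self._now() > expires_at:
            raise ValueError("challenge expired")
        return challenge


def verify_client_data(client_data_json: bytes, ceremony: str, challenge: bytes) -> dict:
    """Step 6: check ceremony type, challenge and origin of the returned clientDataJSON."""
    data = json.loads(client_data_json.decode("utf-8"))
    if data.get("type") != "webauthn." + ceremony:  # "webauthn.create" or "webauthn.get"
        raise ValueError("unexpected clientData type")
    if not hmac.compare_digest(b64url_decode(data.get("challenge", "")), challenge):
        raise ValueError("challenge mismatch")
    if data.get("origin") != EXPECTED_ORIGIN:
        raise ValueError("unexpected origin")
    return data


def verify_authenticator_data(auth_data: bytes, require_uv: bool = False,
                              stored_sign_count=None) -> int:
    """Step 6: check the fixed 37-byte authenticator data header; returns the signature counter."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(RP_ID.encode()).digest()):
        raise ValueError("rpIdHash is not for this Relying Party")
    if not flags & FLAG_UP:
        raise ValueError("user presence flag not set")
    if require_uv and not flags & FLAG_UV:
        raise ValueError("user verification required but not performed")
    # Authentication only: when either counter is non-zero the new value must be strictly
    # larger than the stored one; a stalled or rewound counter suggests a cloned authenticator.
    if stored_sign_count is not None and (sign_count or stored_sign_count) \
            and sign_count <= stored_sign_count:
        raise ValueError("signature counter did not increase")
    return sign_count


def sample_client_data(ceremony: str, challenge: bytes, origin: str = EXPECTED_ORIGIN) -> bytes:
    """Constructed clientDataJSON shaped like the browser's output (not a captured message)."""
    encoded = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode("ascii")
    return json.dumps({"type": "webauthn." + ceremony, "challenge": encoded, "origin": origin}).encode()


def sample_auth_data(flags: int, sign_count: int) -> bytes:
    """Constructed authenticator data header; the attested credential data that follows it at
    registration is omitted because only the header is validated here."""
    return hashlib.sha256(RP_ID.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def run_demo() -> dict:
    """Registration followed by one authentication; returns the counter the RP would store."""
    store = ChallengeStore()
    reg_challenge = store.issue("sess-1", "create")
    verify_client_data(sample_client_data("create", reg_challenge), "create",
                       store.consume("sess-1", "create"))
    stored = verify_authenticator_data(sample_auth_data(FLAG_UP | FLAG_UV, 0), require_uv=True)
    auth_challenge = store.issue("sess-1", "get")
    verify_client_data(sample_client_data("get", auth_challenge), "get",
                       store.consume("sess-1", "get"))
    return {"sign_count": verify_authenticator_data(sample_auth_data(FLAG_UP, 7), stored_sign_count=stored)}


if __name__ == "__main__":
    print(run_demo())
```

The challenge is popped from the store before any other check runs, so a response that arrives twice, or after its time-to-live, is rejected no matter what else it contains; `hmac.compare_digest` is used for the challenge and `rpIdHash` comparisons so that a mismatch does not leak through timing. An authenticator that reports a counter of zero on every use is allowed (both counters zero), which is what the spec permits for authenticators without a counter.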

The WebAuthn specification is designed for modern browsers, so most of its data
types and functions have JavaScript and JSON in mind. Although all of the necessary
data types are provided as Python objects in the `types` module, these objects need
to be convertible into JSON for use in the browser. The `jsonify` function provided
in the `converters` module does this for all available data types and
allows one to work directly with typed Python objects. There is also a `parsers` module that provides functions
that take JSON objects of specific types and parse them into their
Python object counterparts. Note that because JSON cannot represent raw bytes
directly, bytes are base64 encoded when converted into JSON and base64 decoded
when parsed from JSON. This becomes important when passing data
to the browser API functions described below, because there JavaScript `ArrayBuffer`s
are expected in place of base64 encoded strings: the page's JavaScript has to decode each
base64 field (such as the challenge and the user ID) into an `ArrayBuffer` before calling the
API, and encode the binary fields of the response back into base64 before posting it to the server.

Both the registration and authentication ceremonies have corresponding API functions
available in the browser through `navigator.credentials` (the `CredentialsContainer`
interface exposed on `Navigator`). The available functions are `navigator.credentials.create`
and `navigator.credentials.get`, respectively. Each takes a single options argument
corresponding to the data types `CredentialCreationOptions` and `CredentialRequestOptions`,
respectively. These data types have a number of configurable options that may
need to be set using nested objects. To simplify their construction there are
builder classes available, which also provide a way to encapsulate
shared options across different users (see the `builders` module).

All of this is summarized in the following two tables, which list the
functions and types that need to be considered
when performing user registration and user authentication.

<table align="center">
    <caption>
        <strong>User Registration Ceremony</strong>
    </caption>
    <tr>
        <td><i>WebAuthn Browser API Function</i></td>
        <td>navigator.credentials.create</td>
    </tr>
    <tr>
        <td><i>WebAuthn-RP Options Python Data Type</i></td>
        <td>webauthn_rp.types.CredentialCreationOptions</td>
    </tr>
    <tr>
        <td><i>WebAuthn-RP Options Builder</i></td>
        <td>webauthn_rp.builders.CredentialCreationOptionsBuilder</td>
    </tr>
    <tr>
        <td><i>WebAuthn-RP Options JSON Converter</i></td>
        <td>webauthn_rp.converters.jsonify</td>
    </tr>
    <tr>
        <td><i>WebAuthn-RP Public Key Credential Parser</i></td>
        <td>webauthn_rp.parsers.parse_public_key_credential</td>
    </tr>
</table>

<table align="center">
    <caption>
        <strong>User Authentication Ceremony</strong>
    </caption>
    <tr>
        <td><i>WebAuthn Browser API Function</i></td>
        <td>navigator.credentials.get</td>
    </tr>
    <tr>
        <td><i>WebAuthn-RP Options Python Data Type</i></td>
        <td>webauthn_rp.types.CredentialRequestOptions</td>
    </tr>
    <tr>
        <td><i>WebAuthn-RP Options Builder</i></td>
        <td>webauthn_rp.builders.CredentialRequestOptionsBuilder</td>
    </tr>
    <tr>
        <td><i>WebAuthn-RP Options JSON Converter</i></td>
        <td>webauthn_rp.converters.jsonify</td>
    </tr>
    <tr>
        <td><i>WebAuthn-RP Public Key Credential Parser</i></td>
        <td>webauthn_rp.parsers.parse_public_key_credential</td>
    </tr>
</table>

Note that `parse_public_key_credential` takes a `Dict` corresponding to
a JSON-encoded version of the `PublicKeyCredential` JavaScript object returned by the
WebAuthn browser function. Data that was originally bytes is expected to have been
encoded using standard base64 (not the base64url alphabet that the browser itself uses for
the challenge inside `clientDataJSON`). Please see the Flask example's `app.html` file to
see how this conversion is done in JavaScript.
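An added example (not the library's `jsonify` or `parse_public_key_credential`, and using minimal dataclasses whose field names are assumptions rather than the library's `types`) of the bytes-to-JSON convention described in the two passages above: on the way out, `bytes` fields become standard base64 text and unset optional fields are dropped; on the way back, fields whose declared type is `bytes` are decoded strictly, so a response whose JavaScript left a field in base64url, or never converted the `ArrayBuffer` at all, is rejected instead of being silently mis-parsed.

```python
import base64
import binascii
import dataclasses
from typing import Any, Optional, get_type_hints


@dataclasses.dataclass
class UserEntity:  # assumed minimal shape, not the library's type
    id: bytes
    name: str
    display_name: str


@dataclasses.dataclass
class CreationOptions:  # assumed minimal shape, not the library's type
    challenge: bytes
    rp_id: str
    user: UserEntity
    timeout: Optional[int] = None


@dataclasses.dataclass
class CredentialResponse:  # assumed shape of what the page posts back after credentials.create
    id: str
    raw_id: bytes
    client_data_json: bytes
    attestation_object: bytes


def jsonify(value: Any) -> Any:
    """Recursively convert a typed object to JSON-safe data; bytes become standard base64 text."""
    if isinstance(value, bytes):
        return base64.b64encode(value).decode("ascii")
    if dataclasses.is_dataclass(value):
        return {f.name: jsonify(getattr(value, f.name)) for f in dataclasses.fields(value)
                if getattr(value, f.name) is not None}
    if isinstance(value, (list, tuple)):
        return [jsonify(item) for item in value]
    if isinstance(value, dict):
        return {key: jsonify(item) for key, item in value.items()}
    if value is None or isinstance(value, (str, int, float, bool)):
        return value
    raise TypeError("cannot jsonify %r" % type(value))


def parse(cls: type, data: Any) -> Any:
    """Inverse of jsonify for a dataclass; fields declared as bytes are strictly base64-decoded."""
    if not isinstance(data, dict):
        raise ValueError("expected a JSON object for %s" % cls.__name__)
    hints, kwargs = get_type_hints(cls), {}
    for field in dataclasses.fields(cls):
        if field.name not in data:
            if field.default is dataclasses.MISSING:
                raise ValueError("missing field %s" % field.name)
            continue
        raw, hint = data[field.name], hints[field.name]
        if hint is bytes:
            if not isinstance(raw, str):
                raise ValueError("field %s must be a base64 string" % field.name)
            try:
                # validate=True rejects any character outside the standard alphabet, including
                # the '-' and '_' of base64url; incorrect padding is rejected in any case.
                kwargs[field.name] = base64.b64decode(raw, validate=True)
            except binascii.Error as exc:
                raise ValueError("field %s is not standard base64: %s" % (field.name, exc))
        elif dataclasses.is_dataclass(hint):
            kwargs[field.name] = parse(hint, raw)
        else:
            kwargs[field.name] = raw
    return cls(**kwargs)


def sample_options() -> CreationOptions:
    """Constructed options a server might send for registration (not real data)."""
    return CreationOptions(challenge=bytes(range(32)), rp_id="example.com",
                           user=UserEntity(id=b"user-0001", name="alice", display_name="Alice"),
                           timeout=60000)


if __name__ == "__main__":
    options = sample_options()
    print(jsonify(options))
    assert parse(CreationOptions, jsonify(options)) == options
```

The decision to decode from the field's declared type rather than by guessing from the value is what makes the round trip safe: a string field that happens to look like base64 (a username, say) is never decoded by accident, and a bytes field that arrives as anything other than a valid standard-base64 string is an error the server reports rather than data it acts on.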

### Examples

As mentioned, the [readthedocs](https://webauthn-rp.readthedocs.io/en/latest/) page has
a getting started guide that goes into depth with the Flask example. If you want
to run the example directly from this GitHub repository instead, follow these steps
after cloning this project locally:

1. Make sure you have a version of Python >= 3.6.1.
2. Install poetry by following the [guide](https://python-poetry.org/docs/#installation).
3. Open a poetry shell and install the dependencies from the project root using:
    
    ```bash
    $ poetry shell
    $ poetry install
    $ pip install Flask Flask-SQLAlchemy
    ```

4. Run the Flask example from the root using:
    
    ```bash
    $ python -m examples.flask.app
    ```

5. Open a browser to `http://localhost:5000` and register a credential to a username. (WebAuthn is only available in a secure context; browsers treat `localhost` as one, so the example runs without TLS, but any other hostname must be served over HTTPS and must match the RP ID the server configures.)
6. Authenticate using the same username and credential.
7. Exit the example program.


### References

* [WebAuthn Standard](https://www.w3.org/TR/webauthn/)
* [WebAuthn Browser API](https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API)
* [Navigator Interface](https://developer.mozilla.org/en-US/docs/Web/API/Navigator)

