U2F with multi-facet App ID


We have been directly using U2F on our auth web app with the hostname as our app ID (https://auth.company.com) and that's working fine. However, we'd like to be able to authenticate with the auth server from other apps (and hostnames, e.g. https://customer.app.com) that communicate with the auth server via HTTP API.
I can generate the sign requests and what-not through API calls and return them to the client apps, but it fails server-side (auth server) because the app ID doesn't validate (clients are using their own hostnames as app ID). This is understandable, but how should I handle this? I've read about facets but I cannot get it to work at all.
The client app JS is like:

    var registerRequests = // ...
    var signRequests = // ...
    // u2f-api.js: u2f.register(appId, registerRequests, registeredKeys, callback[, timeoutSeconds])
    u2f.register('http://localhost:3000/facets', registerRequests, signRequests, function(registerResponse) {
      if (registerResponse.errorCode) {
        // non-zero errorCode means the browser/token did not produce a registration
        return alert("Registration error: " + registerResponse.errorCode);
      }
      // etc. (POST registerResponse to the auth server for verification)
    });
This gives me an Error code 5 (timeout error) after a while. I don't see any request to /facets. Is there a way around this or am I barking up the wrong tree (or a different forest)?
————
Okay, so after a few hours of researching this; I'm pretty sure this fiendish bit of the Firefox U2F plugin is the source of some of my woes:
    // u is the parsed appID, ou is the parsed page origin
    if (u.scheme == "http")
      if (url2str(u, true) == url2str(ou, true))
        return resolve(challenge);
      else
        return reject("Not matching appID");
https://github.com/prefiks/u2f4moz/blob/master/ext/appIdValidator.js#L106-L110
It's essentially saying, if the appID's scheme is http, only allow it if it's exactly the same as the page's host (it goes on to do the behaviour for fetching the trusted facets JSON but only for https).
Still not sure if I'm on the right track though in how I'm trying to design this.
I didn't need to worry about facets for my particular situation. In the end I just pass the client app hostname through to the Auth server via the secure API interface and it uses that as the App ID. Seems to work okay so far.
The issue I was having with facets was due to using http in dev and the Firefox U2F plugin not permitting that with JSON facets.