WebAuthnCredentialRepository

Overview

The plugin's critical component is the credential repository, which stores and loads credential registrations. The default credential repository is backed by the Shibboleth Storage Service; other repository implementations can be used by implementing the WebAuthnCredentialRepository interface. By default the repository uses the configured shibboleth.StorageService bean, but this can be overridden by naming a different bean in the idp.authn.webauthn.StorageService property.

In theory, any implementation of a storage service should be compatible, but it's important to consider its capabilities before using it. For example, for testing, you can use client-side storage by referencing (in that property) the bean shibboleth.ClientSessionStorageService. But that will store your credential registrations in the browser and is not portable across browsers—although the credentials will survive an IdP restart, so it might be useful during initial testing.

JDBC Example

In production, you may want to consider using a JDBC storage option. Assuming you do not already have a database suitable for use with the Shibboleth Storage Service (if you do, you can skip to step 3), then:

  1. Install the JDBC storage plugin and create a new schema/database (e.g. webauthn) and a new table (e.g. webauthn.StorageRecords):

    ## This example is specific to MySQL
    ## Needed to support case sensitive queries in MySQL
    CREATE SCHEMA IF NOT EXISTS `webauthn` DEFAULT CHARACTER SET latin1 COLLATE latin1_general_cs ;

    CREATE TABLE webauthn.StorageRecords (
        context varchar(255) NOT NULL,
        id varchar(255) NOT NULL,
        expires bigint DEFAULT NULL,
        value text NOT NULL,
        version bigint NOT NULL,
        PRIMARY KEY (context, id)
    );

  2. Then, configure a suitable JDBC connection by following the JDBC storage plugin documentation.

  3. Finally, set the storage service bean you want to use for WebAuthn using the property idp.authn.webauthn.StorageService in conf/authn/webauthn.properties.
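The schema above insists on a case-sensitive collation. The following added example (not part of the plugin documentation) shows why that matters for a table keyed on (context, id): under a case-insensitive collation, two storage keys that differ only in case collide on the primary key, so one registration would silently overwrite or block another. The schema name webauthn_ci_demo and the key values are constructed for the demonstration.

```sql
-- Added example: compare a case-insensitive copy of the table with the
-- case-sensitive schema from step 1. Schema name and key values are constructed.
CREATE SCHEMA IF NOT EXISTS `webauthn_ci_demo` DEFAULT CHARACTER SET latin1 COLLATE latin1_general_ci;

CREATE TABLE webauthn_ci_demo.StorageRecords (
    context varchar(255) NOT NULL,
    id      varchar(255) NOT NULL,
    expires bigint DEFAULT NULL,
    value   text NOT NULL,
    version bigint NOT NULL,
    PRIMARY KEY (context, id)
);

-- Two constructed keys that differ only in case.
INSERT INTO webauthn_ci_demo.StorageRecords VALUES ('demo', 'AbC', NULL, 'first', 1);
-- Under latin1_general_ci, 'abc' = 'AbC', so this insert fails with
-- MySQL error 1062 (duplicate entry for key 'PRIMARY').
INSERT INTO webauthn_ci_demo.StorageRecords VALUES ('demo', 'abc', NULL, 'second', 1);

-- The same two inserts against the case-sensitive schema from step 1
-- both succeed and stay distinct, because latin1_general_cs treats
-- 'AbC' and 'abc' as different keys.
INSERT INTO webauthn.StorageRecords VALUES ('demo', 'AbC', NULL, 'first', 1);
INSERT INTO webauthn.StorageRecords VALUES ('demo', 'abc', NULL, 'second', 1);
SELECT id, value FROM webauthn.StorageRecords WHERE context = 'demo';

-- Before trusting a backend, confirm the collation actually in effect on the
-- table rather than assuming the CREATE SCHEMA default was honoured.
SELECT TABLE_NAME, TABLE_COLLATION
  FROM information_schema.TABLES
 WHERE TABLE_SCHEMA = 'webauthn';

-- Clean up the comparison rows and the demo schema.
DELETE FROM webauthn.StorageRecords WHERE context = 'demo';
DROP SCHEMA webauthn_ci_demo;
```

The information_schema check is the one to run on any pre-existing database you reuse in step 2, since an inherited table with a _ci collation would pass connection tests and still merge distinct keys.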


Credential Registration Data Model


Reference
