/
WebAuthnCredentialRepository

WebAuthnCredentialRepository

Owned by Philip Smart
Last updated: Jan 14, 2025
2 min read

Overview

A critical component of the plugin is the credential repository, which stores and loads credential registrations. The default credential repository utilizes the Shibboleth Storage Service, but it's also possible to utilize other repository implementations by extending the WebAuthnCredentialRepository interface. By default, whatever storage service referenced by the IdP property shibboleth.StorageService is used. However, you can override this by specifying a different bean in the idp.authn.webauthn.StorageService property in conf/authn/webauthn.properties.

In theory, any implementation of a storage service should be compatible, but it's important to consider its capabilities before using it. For example, for testing, you can use client-storage by referencing the bean shibboleth.ClientSessionStorageService. But that will store your credential registrations in the browser and is not portable across browsers—although the credentials will survive an IdP restart so it might be useful during initial testing.

JDBC Example

In production, you may want to consider using a JDBC storage option. Assuming you do not already have a database suitable for use with the Shibboleth Storage Service (if you do, you can skip to step 3), then:

  1. Install the JDBC storage plugin and create a new schema/database (e.g. webauthn) and a new table (e.g. webauthn.StorageRecords):

## This example is specific to MySQL ## Needed to support case sensitive queries in MySQL CREATE SCHEMA IF NOT EXISTS `webauthn` DEFAULT CHARACTER SET latin1 COLLATE latin1_general_cs ; CREATE TABLE webauthn.StorageRecords ( context varchar(255) NOT NULL, id varchar(255) NOT NULL, expires bigint DEFAULT NULL, value text NOT NULL, version bigint NOT NULL, PRIMARY KEY (context, id) );

  1. Then, configure a suitable JDBC connection by following the JDBC storage plugin documentation.

  1. Finally, set the storage service bean you want to use for WebAuthn using the property idp.authn.webauthn.StorageService in conf/authn/webauthn.properties

 

Credential Registration Data Model

The credential registration data model is captured by the CredentialRecord. This record is serialized into JSON for storage. An example record is shown below.

[ { "userIdentity": { "name": "name", "displayName": "disp name", "id": "IUTFXv137bZfIWr10YFSAGGGlt9U-A8Sj78SuyEjZFFyD8R10MxvzM1xOtu9D62kz32WFwwv" }, "username": "username", "transports": [ "internal" ], "registrationTime": 1731413429.716813000, "discoverable": true, "credential": { "credentialId": "fwrgERGewrgw_gwrhgwbhwbh", "userHandle": "FGWRGWgwrgwr-fwfwwfgFGWEGHWR", "publicKeyCose": "REGWgvwergtWERTwetGWWregw", "signatureCount": 0 }, "aaguid": "rc4AAjW8xgpkiwsl8fBVAw", "userVerified": false, "nickname": "My Credential" } ]

Related pages

WebAuthnAuthnConfiguration
WebAuthnAuthnConfiguration
Identity Provider Plugins
Read with this
WebAuthnRegistration
WebAuthnRegistration
Identity Provider Plugins
Read with this
JDBCStorageService
JDBCStorageService
Identity Provider Plugins
Read with this
WebAuthnAuthentication
WebAuthnAuthentication
Identity Provider Plugins
Read with this
WebAuthnExamplesAndVideos
WebAuthnExamplesAndVideos
Identity Provider Plugins
Read with this
WebAuthnCredentialManagement
WebAuthnCredentialManagement
Identity Provider Plugins
Read with this