WebAuthn Advanced Usage Example

4 septembre 2025 · Composants

Voici un exemple Delphi plus complet qui démontre des endpoints personnalisés, des politiques de challenge, le stockage d'identifiants en base de données, la validation des métadonnées FIDO, et la prise en charge des iframes cross-origin. Le code met en avant une gestion avancée des événements pour appliquer des politiques de sécurité.

sgcWebSockets serveur WebAuthn Exemple

procedure TForm1.ConfigureWebAuthn;
begin
  // Component setup
  FWebAuthn := TsgcWSAPIServer_WebAuthn.Create(nil);
  FWebAuthn.Server := FHTTPServer;
  FWebAuthn.Enabled := True;
  // Endpoint remapping
  FWebAuthn.EndpointOptions.AuthenticationOptions := '/auth/options';
  FWebAuthn.EndpointOptions.AuthenticationVerify  := '/auth/verify';
  FWebAuthn.EndpointOptions.RegistrationOptions   := '/reg/options';
  FWebAuthn.EndpointOptions.RegistrationVerify    := '/reg/verify';
  // Relying-party definition
  with FWebAuthn.WebAuthnOptions do
  begin
    RelyingParty := 'secure.example.com';
    Origins      := 'https://app.example.com;https://login.example.net';
    TopOrigins   := 'https://host.example.org';
    AllowCrossOrigins := True;
    // Cryptographic & UX policies
    Algorithms       := 'ES256,RS256';
    UserVerification := 'preferred';
    Attestation      := 'direct';
    TimeoutMS        := 60000;
    // Challenge settings
    ChallengeOptions.ChallengeSize := 64; // 512-bit challenges
    ChallengeOptions.RandomFunc    := MyCryptoRandom; // custom RNG
    // Metadata Service configuration
    MDS.Enabled            := True;
    MDS.MDS_FileName       := 'mds.json';
    MDS.RootCert_FileName  := 'root.pem';
  end;
  // Hook events
  FWebAuthn.OnWebAuthnRegistrationOptionsRequest := AuthnRegOptionsRequest;
  FWebAuthn.OnWebAuthnRegistrationVerify         := AuthnRegVerify;
  FWebAuthn.OnWebAuthnRegistrationSuccessful     := AuthnRegSuccess;
  FWebAuthn.OnWebAuthnAuthenticationOptionsRequest := AuthnOptionsRequest;
  FWebAuthn.OnWebAuthnAuthenticationVerify         := AuthnVerify;
  FWebAuthn.OnWebAuthnAuthenticationSuccessful     := AuthnSuccess;
end;

Implémentations d'événements

procedure TForm1.AuthnRegOptionsRequest(Sender: TObject;
  const Request: TsgcWebAuthnRequestOptions; Response: TsgcWebAuthnResponseOptions);
begin
  // Verify user is eligible for registration
  if UserExists(Request.Username) then
    raise Exception.Create('Username already registered');
  // Optionally assign a user handle (binary identifier)
  Response.User.ID := HexToBin(UserGUIDToHex(GenerateGUID));
  Response.AuthenticatorSelection.AuthenticatorAttachment := 'platform';
end;
procedure TForm1.AuthnRegVerify(Sender: TObject; const Credential: TsgcWebAuthnCredential; var Success: Boolean);
begin
  // Perform extra attestation validation against MDS entries
  Success := ValidateAttestationWithMDS(Credential);
end;
procedure TForm1.AuthnRegSuccess(Sender: TObject; const Credential: TsgcWebAuthnCredential);
begin
  // Persist credential details in database
  SaveCredentialToDB(
    Credential.Username,
    Credential.CredentialID,
    Credential.PublicKey,
    Credential.SignCount,
    Credential.UserHandle
  );
end;
procedure TForm1.AuthnOptionsRequest(Sender: TObject;
  const Request: TsgcWebAuthnRequestOptions; Response: TsgcWebAuthnResponseOptions);
begin
  // Retrieve all credential IDs for user
  Response.AllowCredentials := LoadCredentialIdsFromDB(Request.Username);
end;
procedure TForm1.AuthnVerify(Sender: TObject; const Credential: TsgcWebAuthnCredential; var Success: Boolean);
var
  StoredCounter: Cardinal;
begin
  // Ensure sign counter increases
  StoredCounter := GetSignCounterFromDB(Credential.CredentialID);
  if Credential.SignCount <= StoredCounter then
    Success := False
  else
    Success := True;
end;
procedure TForm1.AuthnSuccess(Sender: TObject; const Credential: TsgcWebAuthnCredential);
begin
  UpdateSignCounterInDB(Credential.CredentialID, Credential.SignCount);
  IssueSessionToken(Credential.Username);
end;

Points clés

Durcissement des challenges – En augmentant la taille du challenge et et en utilisant un RNG cryptographiquement sécurisé, les attaques par rejeu sont davantage atténuées.
Identifiants utilisateur personnalisés – Attribuer un identifiant utilisateur binaire unique permet à l'authenticator de store a privacy-preserving identifier independent de usernames.
Metadata-Based Attestation Validation – Le ValidateAttestationWithMDS routine cross-checks authenticator model, status reports, et revocation lists, ensuring seulement trusted devices are registered.
Sign Counter Enforcement – AuthnVerify rejects responses que ne pas strictly increment le authenticator's counter, detecting cloned credentials.
Base de données Integration – Credential data, sign counters, et session tokens are stored et updated via external persistence functions, demonstrating comment integrate le composant avec un real-world backend.
Cross-Origin Iframe Support – Enabled through AllowCrossOrigins et configured TopOrigins, allowing WebAuthn flows initiated depuis embedded frames (par ex. login widget on different domain).
Attestation Policy – Direct attestation coupled avec MDS ensures seulement approved authenticators peut register, useful for enterprise compliance scenarios.
Transport Selection – Though not shown, événements peut constrain acceptable transports (par ex. USB,NFC,BLE) to tailor qui types de authenticators are permitted.