Integration Test WebAuthN as a 2FA option
I want to add WebAuthN as an option for multi-factor authentication to an Angular & Spring application. I use the WebAuthN java-webauthn-server library from Yubico.

What is the best way to integration test my WebAuthN server, without a hardware client? Is there any software that can handle the cryptography in an automated test? I want to run these tests automatically in the CI/CD pipeline (GitLab).

In a best-case scenario I want to be able to test the whole process, creating credentials as well as logging in. An alternative scenario could be that I use known credentials in the backend and only log in with these.

My API is REST/JSON based, with relying party, user, challenge, pubKey etc.

My integration tests are Java based (spring boot starter test).

I am mainly interested in how to integration test the server without the client side. Are there utility programs or libraries that can handle authenticators and return the correct data/json objects?

I have looked at the Testing WebAuthn via REST tool; however, I am not interested in testing the specification. Since I am using a library, I only want to ensure that I applied the library correctly in my code.

Gantline answered 15/5, 2020 at 7:50 Comment(3)
I'm also interested in being able to do this. It should in theory not be too hard to emulate an authenticator, but I'm not aware of any out there at the moment. For now our automated testing simply doesn't cover WebAuthn and we only do hands-on testing with real devices. One option may be to simply replace navigator.credentials with a testing-specific shim, but it probably wouldn't be trivial to have it correctly respond in all cases. (Hanus)
If you're using the pure Java SDK (not GCP, GAE), you can use the PKCS#11 package from Java. With PKCS#11 you can "emulate" a physical device like a Yubico key in software. I used a pure Java implementation in conjunction with the OpenSC (open smart card) implementation; it was not used in a pipeline, but I was able to do it in a Docker container pipeline execution. (Hofuf)
RestAssured might also work for you, if you want to have it in a CI/CD pipeline. (Arytenoid)

If you are only interested in testing the server side, you can write a simple webpage with buttons that exercise your endpoints and call navigator.credentials.(create|get). You can then instrument a browser using Selenium 4+, set up Virtual Authenticators, and run tests against that webpage. Take a look at the selenium tests for an example. The code to set up the authenticators looks like this in java:

    import org.openqa.selenium.virtualauthenticator.HasVirtualAuthenticator;
    import org.openqa.selenium.virtualauthenticator.VirtualAuthenticator;
    import org.openqa.selenium.virtualauthenticator.VirtualAuthenticatorOptions;
    import org.openqa.selenium.virtualauthenticator.VirtualAuthenticatorOptions.Transport;

    // Platform (internal) authenticator that supports and passes user verification
    VirtualAuthenticatorOptions options = new VirtualAuthenticatorOptions();
    options.setTransport(Transport.INTERNAL)
           .setHasUserVerification(true)
           .setIsUserVerified(true);
    VirtualAuthenticator authenticator =
        ((HasVirtualAuthenticator) driver).addVirtualAuthenticator(options);

Pay attention to setting up the authenticator with the right settings to match your webauthn call. You should pick the right user verification support, resident keys support, and internal (i.e. platform) vs usb / nfc / ble (i.e. cross-platform) transport.

If you're using an older version of selenium, you'll have to manually define the commands yourself. The code should look like

    import java.util.Map;
    import org.openqa.selenium.remote.Command;
    import org.openqa.selenium.remote.CommandInfo;
    import org.openqa.selenium.remote.HttpCommandExecutor;
    import org.openqa.selenium.remote.RemoteWebDriver;
    import org.openqa.selenium.remote.http.HttpMethod;

    // Selenium 3 Java API: register the WebDriver WebAuthn endpoint with the executor
    RemoteWebDriver remote = (RemoteWebDriver) driver;
    HttpCommandExecutor executor = (HttpCommandExecutor) remote.getCommandExecutor();
    executor.defineCommand("AddVirtualAuthenticator",
        new CommandInfo("/session/:sessionId/webauthn/authenticator", HttpMethod.POST));

    // ...

    // Same parameters Selenium 4's VirtualAuthenticatorOptions would send
    Command addVirtualAuthCommand = new Command(remote.getSessionId(),
        "AddVirtualAuthenticator", Map.of("protocol", "ctap2", "transport", "usb"));
    executor.execute(addVirtualAuthCommand); // throws IOException on transport failure

Running selenium tests might take a bit of work if you aren't already using it for integration testing. However, this implementation will very closely match reality. From the browser's perspective, the virtual authenticator is real hardware. The response from the authenticator will be processed by the browser as if it was real.

At the moment, only chromium based browsers support Virtual Authenticators.

Harijan answered 22/9, 2020 at 4:56 Comment(1)
Is there a standalone library of any kind that would be able to provide the same functionality as webauthn API + chrome's virtual authenticator (create + get)? Would be super handy for browserless backend REST API testing.Reductive
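As an added example (not the answer's own code) of the Selenium 4 approach end to end: a JUnit 5 test that attaches a virtual authenticator, triggers `navigator.credentials.create()` from the test itself rather than from a button page, and checks the attestation the browser hands back before it would be posted to the Spring registration endpoint. The page URL, the challenge value and the endpoint are assumptions.

```java
import static org.junit.jupiter.api.Assertions.*;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;
import org.junit.jupiter.api.*;
import org.openqa.selenium.chrome.ChromeDriver;
import org.openqa.selenium.chrome.ChromeOptions;
import org.openqa.selenium.virtualauthenticator.*;

class WebAuthnRegistrationIT {
  // Assumed: the Spring app serves an (empty) page at this URL. "localhost" is a secure
  // context, so navigator.credentials exists and rp.id = "localhost" matches the origin.
  static final String PAGE = "http://localhost:8080/webauthn-test.html";
  // Constructed challenge; in the real test take it from your registration-start response.
  static final byte[] CHALLENGE = "constructed-challenge-0123456789".getBytes(StandardCharsets.UTF_8);
  ChromeDriver driver;
  VirtualAuthenticator authenticator;
  @BeforeEach void addAuthenticator() {
    driver = new ChromeDriver(new ChromeOptions().addArguments("--headless=new"));
    // Must match the authenticatorSelection the script requests below: platform attachment,
    // resident key and user verification required, and a user who passes verification.
    VirtualAuthenticatorOptions options = new VirtualAuthenticatorOptions()
        .setTransport(VirtualAuthenticatorOptions.Transport.INTERNAL)
        .setHasResidentKey(true).setHasUserVerification(true).setIsUserVerified(true);
    authenticator = ((HasVirtualAuthenticator) driver).addVirtualAuthenticator(options);
  }
  @AfterEach void quit() { driver.quit(); }
  @Test void registersCredentialWithVirtualAuthenticator() {
    driver.get(PAGE);
    // Call navigator.credentials.create() in the page; the virtual authenticator answers it.
    Map<?, ?> resp = (Map<?, ?>) driver.executeAsyncScript(
        "const done = arguments[arguments.length - 1];"
      + "const b64 = buf => btoa(String.fromCharCode(...new Uint8Array(buf)));"
      + "navigator.credentials.create({ publicKey: {"
      + "  challenge: Uint8Array.from(atob(arguments[0]), c => c.charCodeAt(0)),"
      + "  rp: { id: 'localhost', name: 'demo' }, pubKeyCredParams: [{ type: 'public-key', alg: -7 }],"
      + "  user: { id: new Uint8Array(16), name: 'alice', displayName: 'Alice' },"
      + "  authenticatorSelection: { authenticatorAttachment: 'platform',"
      + "    residentKey: 'required', userVerification: 'required' } } })"
      + ".then(c => done({ id: c.id, clientDataJSON: b64(c.response.clientDataJSON),"
      + "  attestationObject: b64(c.response.attestationObject) }))"
      + ".catch(e => done({ error: e.name + ': ' + e.message }));",
        Base64.getEncoder().encodeToString(CHALLENGE));
    assertNull(resp.get("error"), "create() failed: " + resp.get("error"));
    // The browser binds type and challenge into clientDataJSON; that is what the RP verifies.
    String clientData = new String(Base64.getDecoder().decode((String) resp.get("clientDataJSON")), StandardCharsets.UTF_8);
    assertTrue(clientData.contains("\"type\":\"webauthn.create\""));
    assertTrue(clientData.contains(Base64.getUrlEncoder().withoutPadding().encodeToString(CHALLENGE)));
    assertEquals(1, authenticator.getCredentials().size());
  }
}
```

The three values in `resp` (id, clientDataJSON, attestationObject) are what the Angular client would send, so the remaining step is to POST them to the registration-finish endpoint and assert the java-webauthn-server side accepts them.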
