An official bundle is provided in the package `web-auth/webauthn-symfony-bundle`.
Starting at v3.2.4, the bundle can be installed on Symfony 4.4 or 5.0+.
If you use Laravel, you may be interested in this project: https://github.com/asbiin/laravel-webauthn
Before installing it, please make sure you have installed and configured:

- the package `symfony/psr-http-message-bridge`,
- the package `nyholm/psr7` or any other PSR-7 package,
- the SensioFrameworkExtraBundle, with PSR-7 support enabled.
```bash
composer require symfony/psr-http-message-bridge nyholm/psr7 annotations
```

`config/packages/sensio_framework_extra.yaml`

```yaml
sensio_framework_extra:
    psr_message:
        enabled: true
```
If you are using Symfony Flex, the bundle will be installed automatically and the default configuration will be set. Otherwise you need to add it in your `AppKernel.php` file:

`src/AppKernel.php`

```php
<?php

public function registerBundles()
{
    $bundles = [
        // ...
        new Webauthn\Bundle\WebauthnBundle(),
    ];
}
```
And add the Webauthn Route Loader:
`config/routes/webauthn_routes.php`

```php
<?php

declare(strict_types=1);

use Symfony\Component\Routing\Loader\Configurator\RoutingConfigurator;

return function (RoutingConfigurator $routes) {
    $routes->import('.', 'webauthn');
};
```
The first step is to create your credential and user entity repositories.
Only Doctrine ORM based repositories are provided. Other storage systems like filesystem or Doctrine ODM may be added in the future but, at the moment, you have to create these from scratch.
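As an added example (not the bundle's own code), here is a credential repository written from scratch on top of a JSON file, implementing the `Webauthn\PublicKeyCredentialSourceRepository` interface that the `credential_repository` parameter expects. The class name and the constructor's file path argument are assumptions.

```php
<?php declare(strict_types=1);

namespace App\Repository;

use Webauthn\PublicKeyCredentialSource;
use Webauthn\PublicKeyCredentialSourceRepository as SourceRepositoryInterface;
use Webauthn\PublicKeyCredentialUserEntity;

// Added example, not the bundle's own code: a credential repository written from scratch on top
// of a JSON file. Entries are keyed by base64url credential ID and found again by user handle.
final class JsonFilePublicKeyCredentialSourceRepository implements SourceRepositoryInterface
{
    private string $path;

    // Assumption: the file path is bound to this argument in services.yaml.
    public function __construct(string $path) { $this->path = $path; }

    public function findOneByCredentialId(string $publicKeyCredentialId): ?PublicKeyCredentialSource
    {
        $row = $this->read()[$this->key($publicKeyCredentialId)] ?? null;
        return $row === null ? null : PublicKeyCredentialSource::createFromArray($row);
    }

    /** @return PublicKeyCredentialSource[] */
    public function findAllForUserEntity(PublicKeyCredentialUserEntity $publicKeyCredentialUserEntity): array
    {
        $sources = [];
        foreach ($this->read() as $row) {
            $source = PublicKeyCredentialSource::createFromArray($row);
            // The stored user handle is the user entity ID: only that user's credentials are returned.
            if ($source->getUserHandle() === $publicKeyCredentialUserEntity->getId()) {
                $sources[] = $source;
            }
        }
        return $sources;
    }

    public function saveCredentialSource(PublicKeyCredentialSource $publicKeyCredentialSource): void
    {
        $data = $this->read();
        // Overwriting an existing entry also persists the updated signature counter after each login.
        $data[$this->key($publicKeyCredentialSource->getPublicKeyCredentialId())] = $publicKeyCredentialSource->jsonSerialize();
        file_put_contents($this->path, json_encode($data, JSON_THROW_ON_ERROR), LOCK_EX);
    }

    private function key(string $credentialId): string { return rtrim(strtr(base64_encode($credentialId), '+/', '-_'), '='); }

    private function read(): array { return is_file($this->path) ? json_decode((string) file_get_contents($this->path), true, 512, JSON_THROW_ON_ERROR) : []; }
}
```

Saving the source after every successful assertion matters: the persisted signature counter is what lets the library notice an authenticator whose counter went backwards.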
With Flex, you have a minimal configuration file installed through a Flex Recipe. You must set the repositories you have just created. You also have to modify the environment variables `RELAYING_PARTY_ID` and `RELAYING_PARTY_NAME`.
You may also need to adjust other parameters.
If you don't use Flex, here is an example configuration file:

`config/packages/webauthn.yaml`

```yaml
webauthn:
    # logger: null # PSR-3 compatible logging service
    credential_repository: 'Webauthn\Bundle\Repository\DummyPublicKeyCredentialSourceRepository' # CREATE YOUR REPOSITORY AND CHANGE THIS!
    user_repository: 'Webauthn\Bundle\Repository\DummyPublicKeyCredentialUserEntityRepository' # CREATE YOUR REPOSITORY AND CHANGE THIS!
    token_binding_support_handler: 'Webauthn\TokenBinding\IgnoreTokenBindingHandler' # We ignore the token binding instructions by default
    creation_profiles: # Authenticator registration profiles
        default: # Unique name of the profile
            rp: # Relaying Party information
                name: '%env(RELAYING_PARTY_NAME)%' # CHANGE THIS! or create the corresponding env variable
                id: '%env(RELAYING_PARTY_ID)%' # Please adapt the env file with the correct relaying party ID or set null
                # icon: null # Secured image (data:// scheme)
            # challenge_length: 32
            # timeout: 60000
            # authenticator_selection_criteria:
            #     attachment_mode: !php/const Webauthn\AuthenticatorSelectionCriteria::AUTHENTICATOR_ATTACHMENT_NO_PREFERENCE
            #     require_resident_key: false
            #     user_verification: !php/const Webauthn\AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_PREFERRED
            # extensions:
            #     loc: true
            # public_key_credential_parameters: # You should not change this list
            #     - !php/const Cose\Algorithms::COSE_ALGORITHM_EdDSA # Order is important. Preferred algorithms go first
            #     - !php/const Cose\Algorithms::COSE_ALGORITHM_ES256
            #     - !php/const Cose\Algorithms::COSE_ALGORITHM_ES256K
            #     - !php/const Cose\Algorithms::COSE_ALGORITHM_ES384
            #     - !php/const Cose\Algorithms::COSE_ALGORITHM_ES512
            #     - !php/const Cose\Algorithms::COSE_ALGORITHM_RS256
            #     - !php/const Cose\Algorithms::COSE_ALGORITHM_RS384
            #     - !php/const Cose\Algorithms::COSE_ALGORITHM_RS512
            #     - !php/const Cose\Algorithms::COSE_ALGORITHM_PS256
            #     - !php/const Cose\Algorithms::COSE_ALGORITHM_PS384
            #     - !php/const Cose\Algorithms::COSE_ALGORITHM_PS512
            # attestation_conveyance: !php/const Webauthn\PublicKeyCredentialCreationOptions::ATTESTATION_CONVEYANCE_PREFERENCE_NONE
    request_profiles: # Authentication profiles
        default: # Unique name of the profile
            rp_id: '%env(RELAYING_PARTY_ID)%' # Please adapt the env file with the correct relaying party ID or set null
            # challenge_length: 32
            # timeout: 60000
            # user_verification: !php/const Webauthn\AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_PREFERRED
            # extensions:
            #     loc: true
    # metadata_service:
    #     enabled: false
    #     repository: 'App\Repository\MetadataStatementRepository'
```
The `credential_repository` and `user_repository` parameters correspond to the services we created above.
For the `token_binding_support_handler`, please refer to this page. You should leave the default value as it is.
If you don't create the `creation_profiles` section, a `default` profile is set.
The Relying Party corresponds to your application. Please refer to this page for more information.
The parameter `id` is optional but highly recommended.
By default, the length of the challenge is 32 bytes. You may need to select a smaller or larger length. This length can be configured for each profile:

`app/config/webauthn.yaml`

```yaml
webauthn:
    creation_profiles:
        acme:
            rp:
                name: 'ACME Webauthn Server'
            challenge_length: 16
```
The default timeout is set to 60 seconds (60 000 milliseconds). You can change this value as follows:
`app/config/webauthn.yaml`

```yaml
webauthn:
    creation_profiles:
        acme:
            rp:
                name: 'ACME Webauthn Server'
            timeout: 30000
```
This set of options allows you to select authenticators depending on their capabilities. The values are described in the advanced concepts of the protocol.
`app/config/webauthn.yaml`

```yaml
webauthn:
    creation_profiles:
        acme:
            rp:
                name: 'ACME Webauthn Server'
            authenticator_selection_criteria:
                attachment_mode: !php/const Webauthn\AuthenticatorSelectionCriteria::AUTHENTICATOR_ATTACHMENT_PLATFORM
                require_resident_key: true
                user_verification: !php/const Webauthn\AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_REQUIRED
```
This option indicates the algorithms allowed for your application. By default, a large list of algorithms is defined, but you can add custom algorithms or reduce the list.
The order is important. Preferred algorithms go first.
Changing the default list is not recommended unless you know exactly what you are doing.

`app/config/webauthn.yaml`

```yaml
webauthn:
    creation_profiles:
        acme:
            rp:
                name: 'ACME Webauthn Server'
            public_key_credential_parameters:
                - !php/const Cose\Algorithms::COSE_ALGORITHM_ES256
                - !php/const Cose\Algorithms::COSE_ALGORITHM_RS256
```
If you need the attestation of the authenticator, you can specify the preference regarding attestation conveyance during credential generation.
Please note that the metadata service is mandatory when you use this option.
The use of Attestation Statements is generally not recommended unless you REALLY need this information.
`app/config/webauthn.yaml`

```yaml
webauthn:
    creation_profiles:
        acme:
            rp:
                name: 'ACME Webauthn Server'
            attestation_conveyance: !php/const Webauthn\PublicKeyCredentialCreationOptions::ATTESTATION_CONVEYANCE_PREFERENCE_DIRECT
```
You can set as many extensions as you want in the profile. Please also refer to this page for more information.
The example below is purely fictional. Some extensions are defined in the specification, but their support depends on the authenticators, on the browsers and on the Relying Parties (your applications).

`app/config/webauthn.yaml`

```yaml
webauthn:
    creation_profiles:
        acme:
            rp:
                name: 'ACME Webauthn Server'
            extensions:
                loc: true
                txAuthSimple: 'Please add your new authenticator'
```
The parameters for the request profiles (i.e. the authentication) are very similar to those of the creation profiles. The only difference is that you don't need all the details of the Relying Party, but only its ID (i.e. its domain).

`app/config/webauthn.yaml`

```yaml
webauthn:
    request_profiles:
        acme:
            rp_id: 'example.com'
```
Please note that all parameters are optional. The following configuration is perfectly valid. However, as mentioned above, the Relying Party ID parameter is highly recommended.

`app/config/webauthn.yaml`

```yaml
webauthn:
    request_profiles:
        acme: ~
```
Now that you have a fully configured bundle, you can protect your routes and manage user registration and authentication through the Symfony Firewall.