Feature: Sign In with WebAuthn without email #559

Open
1 of 2 tasks
xmlking opened this issue Sep 2, 2024 · 7 comments
@xmlking
Contributor

xmlking commented Sep 2, 2024

When I log in to a website that supports login with security keys (e.g., GitHub), it didn't prompt me to enter an email. I even tried incognito mode, and it still showed me a prompt to select a previously registered security key.

I wonder if we can do the same with the hasura-auth signIn user experience?

```js
await nhost.auth.signIn({
  email: '[email protected]',
  securityKey: true
})
```

Tasks

  1. Review effort [1-5]: 4
  2. enhancement
    onehassan
@dbarrosop
Member

Hello,
I am afraid I am not sure I understand what you are asking. Could you add more details? Based on the title though, the email is required in the webauthn protocol so you can't authenticate with webauthn without it.

@xmlking
Contributor Author

xmlking commented Sep 4, 2024

When signing in with passkeys on GitHub, I wonder why it didn’t need an email ID!

@dbarrosop
Member

Ok, you mean that. I thought you wanted to create a user that could sign in with webauthn without having an email address associated.

You still need the email; the difference is that your authenticator is providing that information. The following website is quite good at providing general information on how webauthn works:

https://webauthn.wtf/how-it-works/authenticators#discoverable-credentials

@xmlking
Contributor Author

xmlking commented Sep 4, 2024

Thanks for sharing the link. I think I need to explore this option to look up the user with the passkey’s ID:

the Relying Party can use the selected passkey’s ID to look up the user that registered that passkey and authenticate them without requiring the user to enter their email address or username

@dbarrosop
Member

I suspect hasura-auth (and the SDK) will need support for this. I need to read the spec for this particular scenario, but my suspicion is that the discovery process will return the credential ID, not the email.

@dbarrosop
Member

Ok, after a quick read my assumption was correct:

https://developer.mozilla.org/en-US/docs/Web/API/CredentialsContainer/get

The browser would have to initiate the process providing the credential.id instead of the email, so something like this needs a small change in the SDK and another one in hasura-auth.

@dbarrosop dbarrosop self-assigned this Sep 4, 2024
@dbarrosop
Member

Quick update: hasura-auth now supports logging in using the userHandle embedded in the security key. We need to update the SDK and the various components, but if people are in a hurry for this, there is nothing stopping you from using your own frontend components.
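
The flow the thread converges on, as an added example that is not hasura-auth or Nhost SDK code: the server sends request options with an empty `allowCredentials` list, then resolves the account from the returned credential ID and `userHandle` instead of a typed email. The store, the function names and all sample values are constructed for illustration, and signature, challenge and origin verification are assumed to be done by the WebAuthn library in use.

```javascript
// Added example; credentials, requestOptions and resolveUser are hypothetical names.
const b64u = (s) => Buffer.from(s).toString('base64url');

// Constructed sample store: credential ID -> passkey registered earlier.
// userHandle is the opaque user.id the server assigned at registration.
const credentials = new Map([
  [b64u('cred-alice'), { userHandle: b64u('user-001'), email: 'alice@example.test' }],
  [b64u('cred-bob'), { userHandle: b64u('user-002'), email: 'bob@example.test' }],
]);

// Options the server returns for navigator.credentials.get({ publicKey }).
// The caller supplies a fresh random challenge (base64url for JSON transport).
function requestOptions(rpId, challenge) {
  return {
    challenge,
    rpId,
    allowCredentials: [], // empty: the authenticator offers its discoverable credentials
    userVerification: 'required',
  };
}

// Resolve the account from the assertion alone; no email was typed.
// `assertion` is the JSON-serialised PublicKeyCredential posted by the browser.
function resolveUser(assertion) {
  const cred = credentials.get(assertion.id);
  if (!cred) return { ok: false, reason: 'unknown credential' };

  // With an empty allowCredentials list the userHandle must be present and
  // must identify the owner of the credential that produced the assertion.
  const handle = assertion.response && assertion.response.userHandle;
  if (!handle) return { ok: false, reason: 'missing userHandle' };
  const got = Buffer.from(handle, 'base64url');
  const want = Buffer.from(cred.userHandle, 'base64url');
  if (!got.equals(want)) return { ok: false, reason: 'userHandle mismatch' };

  // Signature, challenge, origin and counter checks are separate steps that
  // must also pass before a session is issued.
  return { ok: true, email: cred.email };
}

// Constructed assertions, shaped like what the browser would post back.
const good = { id: b64u('cred-alice'), response: { userHandle: b64u('user-001') } };
const swapped = { id: b64u('cred-alice'), response: { userHandle: b64u('user-002') } };
console.log(resolveUser(good), resolveUser(swapped));
```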
