Add support for passkeys (login interface only)

AB-xdev · AB-xdev · commit cc3009e3b500 · 2025-02-13T15:46:12.000+01:00
diff --git a/spring-security-advanced-authentication-ui-demo/README.md b/spring-security-advanced-authentication-ui-demo/README.md
@@ -3,3 +3,17 @@
 * Start the [development infrastructure](../dev_infra/)
 * Run the application
 * Open ``http://localhost:8080``
+
+## Special Login information
+
+### Username + Password
+
+Example user:
+* Username: ``test``
+* Password: ``test``
+
+### Passkeys
+
+The browser needs to support passkeys and you also need an appropriate store (usually the OS handles this).
+
+NOTE: Passkeys are lost when rebooting the server
diff --git a/spring-security-advanced-authentication-ui-demo/pom.xml b/spring-security-advanced-authentication-ui-demo/pom.xml
@@ -64,6 +64,13 @@
 			<artifactId>spring-boot-starter-oauth2-client</artifactId>
 		</dependency>
 
+		<!-- Required to showcase passkeys -->
+		<dependency>
+			<groupId>com.webauthn4j</groupId>
+			<artifactId>webauthn4j-core</artifactId>
+			<version>0.28.5.RELEASE</version>
+		</dependency>
+
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-devtools</artifactId>
diff --git a/spring-security-advanced-authentication-ui-demo/src/main/java/software/xdev/security/MainWebSecurity.java b/spring-security-advanced-authentication-ui-demo/src/main/java/software/xdev/security/MainWebSecurity.java
@@ -8,12 +8,15 @@
 import java.util.List;
 import java.util.Map;
 
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.SecurityFilterChain;
@@ -30,12 +33,14 @@
 @EnableConfigurationProperties(AdditionalOAuth2ClientProperties.class)
 public class MainWebSecurity
 {
-	@Bean(name = "mainSecurityFilterChainBean")
-	public SecurityFilterChain configure(
+	private static final Logger LOG = LoggerFactory.getLogger(MainWebSecurity.class);
+	
+	protected void customizeLogin(
 		final HttpSecurity http,
 		final AdditionalOAuth2ClientProperties additionalOAuth2ClientProperties) throws Exception
 	{
-		http.with(new AdvancedLoginPageAdapter<>(http), c -> c
+		http.with(
+			new AdvancedLoginPageAdapter<>(http), c -> c
 				.customizePages(p -> p
 					// No remote communication -> Use local resources
 					.setHeaderElements(List.of(
@@ -62,27 +67,46 @@ public SecurityFilterChain configure(
 						+ " href='https://xdev.software' target='_blank'>"
 						+ "    XDEV Software"
 						+ "  </a>"
-						+ "</p>")))
+						+ "</p>")));
+	}
+	
+	@Bean(name = "mainSecurityFilterChainBean")
+	public SecurityFilterChain configure(
+		final HttpSecurity http,
+		final AdditionalOAuth2ClientProperties additionalOAuth2ClientProperties) throws Exception
+	{
+		this.customizeLogin(http, additionalOAuth2ClientProperties);
+		
+		http
 			.headers(h -> h
 				.referrerPolicy(r -> r.policy(ReferrerPolicyHeaderWriter.ReferrerPolicy.SAME_ORIGIN))
 				.contentSecurityPolicy(csp -> csp.policyDirectives(this.getCSP())))
 			.formLogin(Customizer.withDefaults())
 			.oneTimeTokenLogin(c -> c.tokenGenerationSuccessHandler(
-				(request, response, oneTimeToken) -> {
-					// Do nothing - Dummy
-				}))
+				(request, response, oneTimeToken) ->
+					LOG.info(
+						"OneTimeToken should be sent for {} with value {}",
+						oneTimeToken.getUsername(),
+						oneTimeToken.getTokenValue())))
+			.webAuthn(c -> c.rpName("Spring Security Localhost Relying Party")
+				.rpId("localhost")
+				.allowedOrigins("http://localhost:8080"))
 			.oauth2Login(c -> c.defaultSuccessUrl("/"))
 			.authorizeHttpRequests(urlRegistry -> urlRegistry.anyRequest().authenticated())
 			.requestCache(c -> c.requestCache(new NullRequestCache()));
 		
 		return http.build();
 	}
 	
-	// Required for OTT
 	@Bean
+	@SuppressWarnings({"java:S6437", "deprecation"})
 	public UserDetailsService userDetailsService()
 	{
-		return new InMemoryUserDetailsManager();
+		return new InMemoryUserDetailsManager(User.withDefaultPasswordEncoder()
+			.username("test")
+			.password("test")
+			.roles("USER")
+			.build());
 	}
 	
 	// Example CSP
diff --git a/spring-security-advanced-authentication-ui/src/main/java/software/xdev/spring/security/web/authentication/ui/advanced/filters/AdvancedLoginPageGeneratingFilter.java b/spring-security-advanced-authentication-ui/src/main/java/software/xdev/spring/security/web/authentication/ui/advanced/filters/AdvancedLoginPageGeneratingFilter.java
@@ -23,6 +23,7 @@
 import java.util.Optional;
 import java.util.function.Consumer;
 import java.util.stream.Collectors;
+import java.util.stream.Stream;
 
 import jakarta.servlet.http.HttpServletRequest;
 
@@ -33,6 +34,7 @@
 import software.xdev.spring.security.web.authentication.ui.extendable.filters.ExtendableDefaultLoginPageGeneratingFilter;
 
 
+@SuppressWarnings("unused") // This is an API ;)
 public class AdvancedLoginPageGeneratingFilter
 	extends ExtendableDefaultLoginPageGeneratingFilter
 	implements AdvancedSharedPageGeneratingFilter<AdvancedLoginPageGeneratingFilter>
@@ -51,6 +53,8 @@ public class AdvancedLoginPageGeneratingFilter
 	
 	protected String header = "";
 	
+	protected String passKeysWebAuthnScriptLocation = "/login/webauthn.js";
+	
 	protected String formLoginUsernameText = "Username";
 	
 	protected String formLoginPasswordText = "Password";
@@ -67,6 +71,10 @@ public class AdvancedLoginPageGeneratingFilter
 	
 	protected String oneTimeTokenSendTokenText = "Send token";
 	
+	protected String passkeyLoginHeaderText = "Login with Passkeys";
+	
+	protected String passkeySignInSubmitText = "Sign in with a passkey";
+	
 	protected String ssoLoginHeaderText = "Login with";
 	
 	protected String footer = "";
@@ -188,6 +196,18 @@ public AdvancedLoginPageGeneratingFilter oneTimeTokenSendTokenText(final String
 		return this;
 	}
 	
+	public AdvancedLoginPageGeneratingFilter passkeyLoginHeaderText(final String passkeyLoginHeaderText)
+	{
+		this.passkeyLoginHeaderText = passkeyLoginHeaderText;
+		return this;
+	}
+	
+	public AdvancedLoginPageGeneratingFilter passkeySignInSubmitText(final String passkeySignInSubmitText)
+	{
+		this.passkeySignInSubmitText = passkeySignInSubmitText;
+		return this;
+	}
+	
 	public AdvancedLoginPageGeneratingFilter ssoLoginHeaderText(final String ssoLoginHeaderText)
 	{
 		this.ssoLoginHeaderText = ssoLoginHeaderText;
@@ -217,25 +237,94 @@ protected String generateLoginPageHtml(
 		final boolean loginError,
 		final boolean logoutSuccess)
 	{
+		final String contextPath = request.getContextPath();
+		
 		return "<!DOCTYPE html>"
 			+ "<html lang='en' style='height:100%'>"
-			+ this.generateHeader()
-			+ this.generateBody(request, loginError, logoutSuccess)
+			+ this.generateHeader(request, contextPath)
+			+ this.generateBody(request, contextPath, loginError, logoutSuccess)
 			+ "</html>";
 	}
 	
-	protected String generateHeader()
+	// region Header
+	
+	protected String generateHeader(
+		final HttpServletRequest request,
+		final String contextPath)
+	{
+		return this.generateHeader(
+			this.headerMetas,
+			this.pageTitle,
+			this.requiresAdditionalHeaderElements()
+				? Stream.concat(
+					this.headerElements.stream(),
+					this.additionalHeaderElements(request, contextPath).stream())
+				.toList()
+				: this.headerElements);
+	}
+	
+	protected boolean requiresAdditionalHeaderElements()
+	{
+		return this.passkeysEnabled;
+	}
+	
+	protected List<String> additionalHeaderElements(
+		final HttpServletRequest request,
+		final String contextPath)
+	{
+		final List<String> additionalHeaderElements = new ArrayList<>();
+		
+		if(this.passkeysEnabled)
+		{
+			additionalHeaderElements.addAll(this.createPassKeyHeaderElements(request, contextPath));
+		}
+		
+		return additionalHeaderElements;
+	}
+	
+	protected List<String> createPassKeyHeaderElements(
+		final HttpServletRequest request,
+		final String contextPath)
+	{
+		return List.of(
+			"<script type=\"text/javascript\" src=\"" + contextPath + this.passKeysWebAuthnScriptLocation
+				+ "\"></script>",
+			this.createPassKeyScript(request, contextPath)
+		);
+	}
+	
+	protected String createPassKeyScript(
+		final HttpServletRequest request,
+		final String contextPath)
+	{
+		return """
+			<script type="text/javascript">
+			document.addEventListener("DOMContentLoaded",\
+			() => setupLogin(%s, "%s", document.getElementById('passkey-signin')));
+			</script>
+			""".formatted(this.renderHeadersForFetchAPI(request), contextPath);
+	}
+	
+	protected String renderHeadersForFetchAPI(final HttpServletRequest request)
 	{
-		return this.generateHeader(this.headerMetas, this.pageTitle, this.headerElements);
+		return "{ "
+			+ this.resolveHeaders.apply(request).entrySet()
+			.stream()
+			.map(e -> "\"" + e.getKey() + "\": \"" + e.getValue() + "\"")
+			.collect(Collectors.joining(", "))
+			+ " }";
 	}
 	
+	// endregion
+	// region Body
+	
 	protected String generateBody(
 		final HttpServletRequest request,
+		final String contextPath,
 		final boolean loginError,
 		final boolean logoutSuccess)
 	{
 		final String errorMsg = loginError ? this.getLoginErrorMessage(request) : "Invalid credentials";
-		final String contextPath = request.getContextPath();
 		
 		return "  " + this.createBodyElement()
 			+ "     " + this.createContainerElement()
@@ -245,6 +334,7 @@ protected String generateBody(
 			+ this.header
 			+ this.createFormLogin(request, contextPath)
 			+ this.createOneTimeTokenLogin(request, contextPath)
+			+ this.createPasskeyFormLogin()
 			+ (this.hasSSOLogin() ? this.createHeaderLoginWith() : "")
 			+ this.createOAuth2LoginPagePart(contextPath)
 			+ this.createSaml2LoginPagePart(contextPath)
@@ -347,9 +437,7 @@ protected String createRememberMe(final String paramName)
 	
 	protected String createFormLoginSignInButton()
 	{
-		return "<button class=\"btn btn-block btn-primary w-100 mt-1\" type=\"submit\">"
-			+ this.formLoginSignInText
-			+ "</button>";
+		return this.createFormSubmitButton(this.formLoginSignInText);
 	}
 	
 	// endregion
@@ -377,15 +465,40 @@ protected String createOneTimeTokenLogin(final HttpServletRequest request, final
 	
 	protected String createOneTimeTokenLoginHeader()
 	{
-		return "<h5 class=\"h5 mb-2 fw-normal\">"
-			+ this.oneTimeTokenHeaderText
-			+ "</h5>";
+		return this.createLoginMethodHeader(this.oneTimeTokenHeaderText);
 	}
 	
 	protected String createOneTimeTokenLoginSignInButton()
 	{
-		return "<button class=\"btn btn-block btn-primary w-100 mt-1\" type=\"submit\">"
-			+ this.oneTimeTokenSendTokenText
+		return this.createFormSubmitButton(this.oneTimeTokenSendTokenText);
+	}
+	
+	// endregion
+	// region Render Passkeys
+	
+	protected String createPasskeyFormLogin()
+	{
+		if(!this.passkeysEnabled)
+		{
+			return "";
+		}
+		
+		return this.createPasskeyFormLoginHeader()
+			// This needs to be a div and not a form
+			+ "<div id=\"passkey-form\" class=\"mb-3 login-form\">"
+			+ this.createPasskeyForSignInButton()
+			+ "</div>";
+	}
+	
+	protected String createPasskeyFormLoginHeader()
+	{
+		return this.createLoginMethodHeader(this.passkeyLoginHeaderText);
+	}
+	
+	protected String createPasskeyForSignInButton()
+	{
+		return "<button id=\"passkey-signin\" class=\"btn btn-block btn-primary w-100 mt-1\" type=\"submit\">"
+			+ this.passkeySignInSubmitText
 			+ "</button>";
 	}
 	
@@ -399,9 +512,7 @@ protected boolean hasSSOLogin()
 	
 	protected String createHeaderLoginWith()
 	{
-		return "<h5 class=\"h5 mb-2 fw-normal\">"
-			+ this.ssoLoginHeaderText
-			+ "</h5>";
+		return this.createLoginMethodHeader(this.ssoLoginHeaderText);
 	}
 	
 	protected String createOAuth2LoginPagePart(final String contextPath)
@@ -465,11 +576,25 @@ protected String createSSOLoginPagePart(
 	
 	// endregion
 	
+	protected String createLoginMethodHeader(final String text)
+	{
+		return "<h5 class=\"h5 mb-2 fw-normal\">" + text + "</h5>";
+	}
+	
+	public String createFormSubmitButton(final String text)
+	{
+		return "<button class=\"btn btn-block btn-primary w-100 mt-1\" type=\"submit\">"
+			+ text
+			+ "</button>";
+	}
+	
 	protected String renderHiddenInputs(final HttpServletRequest request)
 	{
 		return this.renderHiddenInputs(this.resolveHiddenInputs.apply(request).entrySet());
 	}
 	
+	// endregion
+	
 	protected record ButtonBuildingData(
 		String url,
 		String name,
diff --git a/spring-security-advanced-authentication-ui/src/main/java/software/xdev/spring/security/web/authentication/ui/extendable/filters/ExtendableDefaultLoginPageGeneratingFilter.java b/spring-security-advanced-authentication-ui/src/main/java/software/xdev/spring/security/web/authentication/ui/extendable/filters/ExtendableDefaultLoginPageGeneratingFilter.java
