[HN Gopher] A Tour of WebAuthn
       ___________________________________________________________________
        
       A Tour of WebAuthn
        
       Author : caust1c
       Score  : 110 points
       Date   : 2024-12-26 18:27 UTC (4 hours ago)
        
 (HTM) web link (www.imperialviolet.org)
 (TXT) w3m dump (www.imperialviolet.org)
        
       | xenophonf wrote:
       | I've always wanted to write a serverless OIDC provider/SAML IdP
       | but got stymied by the WebAuthn standards, which don't seem to be
       | written for normal people. :( But this e-book looks like it might
       | have enough actual code interleaved with exposition to serve as
       | more than just a high-level intro.
        
         | caust1c wrote:
         | Adam Langley is probably one of the most gifted teachers when
         | it comes to explaining cryptography concepts. Very clear,
         | concise, precise, and makes it simple enough for me to follow
         | without getting my neurons all knotted up.
        
           | jf wrote:
           | Agreed, I implemented TLS key pinning for a project at Okta
           | using one of Adam's blog posts
        
         | cyberax wrote:
         | OIDC providers are surprisingly NOT complicated! I created one
         | to implement single sign-on with AWS, and it ended up being
         | only around 200 lines of code in Go. All you need to do is
         | create a JSON blob that is signed by a public key that is known
         | to the consumer of the IDP.
         | 
         | I'll need to do a write-up for it.
        
       | treve wrote:
       | Looks like an amazing resource for webauthn. Currently diving
       | into this so it comes at a nice time for me.
       | 
       | But it's also great advertising against WebAuthn. Hard to believe
       | that this kind of complexity is needed, but as with OpenID
       | Connect it feels like enterprise interests are running the ship,
       | not end-users. Ease of implementation seems like a non-goal.
        
       | ggm wrote:
       | It interested me how quickly all of my auth methods started to
       | include "pick the right one of three presented numbers" tests
       | after TOTP got widespread. I'm guessing there is some replay
        | method which they wanted to prevent? This is distinct from in-
        | protocol large random value challenges, it must be to ensure a
        | Hooman, or very numerate dog is actually present.
        
       ___________________________________________________________________
       (page generated 2024-12-26 23:00 UTC)