As Google Summer of Code 2021 comes to an end, I have to say that the experience I got from this program was truly amazing. During these 10 weeks I learned a lot of skills, and it helped me become a better Software Engineering student. All the credit goes to the very welcoming XWiki community and the wonderful bunch of experienced mentors that we have here.
About me
My name is Mohammad Humayun Khan. I am currently a 5th-semester Computer Engineering student at ZHCET, AMU, India. I am working on the project "Add WebAuthn support to XWiki" as a GSoC 2021 student here at XWiki.
Add WebAuthn support to XWiki
The aim of the project is to add Web Authentication (WebAuthn) support to the XWiki open source software, which will allow XWiki users to authenticate themselves without having to type their password every time they log in (removing passwords from the picture entirely). Through this project, we want to go a long way toward mitigating attacks such as phishing, credential theft and replay attacks. The fact that a password is a shared secret makes it vulnerable. Public-key authentication doesn't have that weakness, and the WebAuthn API enables servers to register and authenticate users using public-key cryptography instead of a password.
Description
The way we implement this is: we take the username of an already existing standard XWiki user and then offer the following options:
- Register WebAuthn credentials for this user. These credentials will be saved as custom xobjects in the XWiki user profile.
- Authenticate the user: the xobjects saved in the XWiki user profile of a standard XWiki user will be used to authenticate the user.
- Delete credentials: All the xobjects that have WebAuthn credentials for a particular user will be deleted.
We will also have an option to skip WebAuthn if the browser does not support it; this falls back to the default login form.
Work summary
Community Bonding Period
(May 17, 2021 - June 7, 2021)
The community bonding period started with a video chat between my mentors and me; it was a good session in which the mentors told me about the existing practices and the workflow that I should follow while working on the project. After that, I started polishing the skills required to work on the project (mostly Java and Maven). I looked into some existing authenticators that were already present and in use, and I also looked into XWiki's APIs (JavaDoc) in order to better understand their code. I also tried solving existing issues in the main XWiki repo: https://github.com/xwiki/xwiki-platform and in OIDC: https://github.com/xwiki-contrib/oidc in order to learn more about the authentication framework and the tools that are used in XWiki.
First Phase
(June 7, 2021 - July 16, 2021)
I started coding in the first phase on June 14, since I was busy with the end-semester examinations at my university. One of the first tasks involved setting up the Maven project for this authenticator. After that, I tried to create a basic authenticator which extended XWikiAuthServiceImpl (extending it is the recommended approach, since it is the only public authenticator API that is exposed).
I looked into the library that is to be used for this project: https://github.com/yubico/java-webauthn-server and did detailed research into its JavaDoc in order to learn about the integration points that it provides. After that, I started adding the data transfer objects, which are essentially the request objects passed as arguments to the WebAuthn JS API calls navigator.credentials.create() and navigator.credentials.get(). I also added the basic structure of the module and more utility classes until the end of the first phase, and planned to build on them.
Final Phase
(July 16, 2021 - August 16, 2021)
At the start, I added the events that are sent while authenticating users and after adding xobjects to the XWiki user profile. I also prepared a local cache storage which essentially extends the CredentialRepository interface: https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/1.7.0/com/yubico/webauthn/CredentialRepository.html (one of the integration points of the library) and wrote the functions that handle the database lookups performed by the library.
The main problem started to occur when instantiating the https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/1.7.0/com/yubico/webauthn/RelyingParty.html class, which is the entry point into the library. The problem was that this library has nothing to do with HTTP requests/responses; it relies on an embedding server/framework that sends the WebAuthn JS API calls with request objects as their parameter, and what it does best is to perform the validation logic after receiving the response from the client. Constructing instances using builders was a nightmare as well, and I got a lot of errors while building with Maven (the funny part was that the IDE didn't report any errors at the time). I then commented out those classes in order to at least get a clean build. In general, for both the registration and the authentication part of WebAuthn, serializing these request objects to JSON, passing them to the .create/.get JS calls, receiving the response from the client, and deserializing it into a custom Java object was the most challenging part for me.
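To make the serialization step above concrete, here is an added example (not code from the XWiki project or the Yubico library) of the browser-side glue: it turns the JSON that a server-side WebAuthn library emits into the ArrayBuffer-bearing options that navigator.credentials.create()/get() accept, and turns the returned PublicKeyCredential back into JSON for the server. It assumes binary fields travel as base64url strings, which is what java-webauthn-server's toCredentialsCreateJson()/toCredentialsGetJson() produce, and uses Node's Buffer for the base64url conversion.

```javascript
// Added example, not code from the XWiki project: the browser-side glue between
// the JSON a server-side WebAuthn library produces and the ArrayBuffers that
// navigator.credentials.create()/get() require, and back again.
// Assumption: binary fields travel as base64url strings, which is what
// java-webauthn-server's toCredentialsCreateJson()/toCredentialsGetJson() emit.

function base64urlToBuffer(s) {
  const b = Buffer.from(s, 'base64url');            // Node >= 15.7; use atob() in a browser
  return b.buffer.slice(b.byteOffset, b.byteOffset + b.byteLength);
}
function bufferToBase64url(ab) {
  return Buffer.from(ab).toString('base64url');
}

// Registration: decode challenge, user.id and excludeCredentials[].id so the
// object can be passed as navigator.credentials.create({ publicKey }).
function prepareCreateOptions(json) {
  const pk = json.publicKey;
  return { publicKey: {
    ...pk,
    challenge: base64urlToBuffer(pk.challenge),
    user: { ...pk.user, id: base64urlToBuffer(pk.user.id) },
    excludeCredentials: (pk.excludeCredentials || []).map(c => ({ ...c, id: base64urlToBuffer(c.id) })),
  } };
}

// Authentication: same treatment for challenge and allowCredentials[].id,
// ready for navigator.credentials.get({ publicKey }).
function prepareGetOptions(json) {
  const pk = json.publicKey;
  return { publicKey: {
    ...pk,
    challenge: base64urlToBuffer(pk.challenge),
    allowCredentials: (pk.allowCredentials || []).map(c => ({ ...c, id: base64urlToBuffer(c.id) })),
  } };
}

// The PublicKeyCredential the browser returns -> JSON the server can parse.
// Registration-only and assertion-only response fields are copied when present.
function credentialToJson(cred) {
  const response = {};
  for (const f of ['clientDataJSON', 'attestationObject', 'authenticatorData', 'signature', 'userHandle']) {
    if (cred.response[f] != null) response[f] = bufferToBase64url(cred.response[f]);
  }
  return JSON.stringify({
    id: cred.id, rawId: bufferToBase64url(cred.rawId), type: cred.type, response,
    clientExtensionResults: cred.getClientExtensionResults ? cred.getClientExtensionResults() : {},
  });
}
```

In the page flow the server sends the options JSON, the page calls prepareCreateOptions or prepareGetOptions, hands the result to navigator.credentials.create/get, and posts credentialToJson(credential) back so the server can deserialize it and run its validation.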
Towards the end of this period, I created the Velocity template that is shown to users when it is set as the authenticator. But I was not able to make it perform the registration and authentication operations due to the limitations of the library. Implementing WebAuthn obviously requires a library that can take care of the requests/responses and of the complex server-side cryptographic operations, which are the core part of it.
Future plans
I intend to continue working on this project after GSoC, as it is my 5th-semester college project as well. The end goal is to provide a cool authenticator to the XWiki open source project which is future-proof and compliant with one of the most sought-after security protocols currently being implemented to enhance security on various platforms.
I will try to study the library again and plan with Thomas (authenticators expert at XWiki) what we can do on the XWiki side to send these requests to the WebAuthn JS API calls and then take care of the serialization and deserialization, as well as the database lookups. If it is not possible to implement the WebAuthn operations using this library, then I will switch to the https://github.com/webauthn4j/webauthn4j library, which is the only other library that supports WebAuthn server-side operations in Java. Hoping to make it work!
I will also try to find ways in which I can help the XWiki open source project, since I still have 2 years left to graduate and plenty of room for improvement and learning. I will stay connected with the amazing XWiki community, will try to help newcomers, and will also let them know if I come across an interesting idea to work on here as a project.
Lastly
And most importantly, I would like to thank my mentors, Thomas Mortagne and Fawad Ali, for taking time out to help me resolve my issues and queries whenever I needed them. I seriously could not have wished for better mentors while working on my first-ever real-world open-source project; they were wonderful.
Also, a big thanks to Eduard (Enygma), Vincent, Simon, Sachin, Manuel, Marius, Clément, and everyone else in the mentors team for their help throughout the program. Congratulations to my co-GSoC student Sanchita for the work that she has done on her project; it is much appreciated.
Working as a student here at XWiki has been a fun and enriching experience for me, during which I learned a lot of things: debugging, testing, doing a release, communicating in a team, best practices related to software development, to name just a few. I am quite indebted to XWiki for the same.
Some Useful Links
Forum post: https://forum.xwiki.org/t/add-webauthn-support-to-xwiki-gsoc21-project/8812
Design page: https://design.xwiki.org/xwiki/bin/view/Proposal/AddWebAuthnsupporttoXWiki
XWiki Dev project page: https://dev.xwiki.org/xwiki/bin/view/GoogleSummerOfCode/AddWebAuthnsupport2021
XWiki extensions project page: https://extensions.xwiki.org/xwiki/bin/view/Extension/WebAuthn