Skip to content

Commit

Permalink
Merge branch 'main' into agama-lab-flow-designer
Browse files Browse the repository at this point in the history
Signed-off-by: gasmyr <[email protected]>
  • Loading branch information
syntrydy authored Nov 29, 2024
2 parents c71f1c5 + 7a928ff commit 4eac5f2
Show file tree
Hide file tree
Showing 2 changed files with 102 additions and 50 deletions.
150 changes: 101 additions & 49 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,44 +5,68 @@
[![Issues][issues-shield]][issues-url]
[![Apache License][license-shield]][license-url]

# Agama Passkey
# About Agama Passkey

Welcome to the https://github.com/GluuFederation/agama-passkey project. This project is governed by Gluu and published under an Apache 2.0 license.
This repo is home to the Gluu Agama-passkey project. Use this project to add
user authentication with **Passkey**(passwordless authentication that uses
a device to verify a user's identity before allowing them to access an account)
2-factor authentication.

Use this project to add user authentication with **Passkey**(passwordless authentication that uses a device to verify a user's identity before allowing them to access an account) 2-factor authentication.
## Where To Deploy

For more information you can also see
* [Passkey](https://passkey.io)
* [FIDO Specs](https://www.w3.org/TR/webauthn-1)
The project can be deployed to any IAM server that runs an implementation of
the [Agama Framework](https://docs.jans.io/head/agama/introduction/) like
[Janssen Server](https://jans.io) and [Gluu Flex](https://gluu.org/flex/).

## Requirements

* Register a client to integrate with SCIM (Used to list passkeys and edit), minimum scopes:
- https://jans.io/scim/fido2.read
- https://jans.io/scim/fido2.write
## How To Deploy

## Supported IDPs
Different IAM servers may provide different methods and
user interfaces from where an Agama project can be deployed on that server.
The steps below show how the Agama-passkey project can be deployed on the
[Janssen Server](https://jans.io).

| IDP | Description |
|:-----------------|:--------------------------------------------------------------------|
| Jans Auth Server | [Deployment instructions](jans-deploy.md) |
| Gluu Flex | [Deployment instructions](https://docs.jans.io/head/admin/install/) |
Deployment of an Agama project involves three steps.

## Flows
- [Downloading the `.gama` package from the project repository](#download-the-project)
- [Adding the `.gama` package to the IAM server](#add-the-project-to-the-server)
- [Configure the project](#configure-the-project)

| Qualified Name | Description |
|-----------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `org.gluu.agama.passkey.main` | This is the main flow which you can directly launch from the browser. If you have not configured a passkey, you must first log in with your credentials and register your passkey(s) `org.gluu.agama.passkey.list`. If you have at least 1 passkey configured, then you can click the "Login with passkey" button. |
| `org.gluu.agama.passkey.list` | This flow is used to list the passkeys that the logged-in user has registered. If you do not have a passkey, an option to add a new passkey `org.gluu.agama.passkey.add` is enabled. If you already have at least one passkey, you can click `Login with passkey`. |
| `org.gluu.agama.passkey.add` | This flow is used to register a new passkey. The user has to validate his FIDO device, which can be a (Yubico key, Device fingerprint, Windows Hello, Apple Face ID, etc.). |
| `org.gluu.agama.passkey.nickname` | This flow is used to add a nickname to the newly registered passkey. Once completed this stream returns to the `org.gluu.agama.passkey.list` | |

## Configuration
#### Pre-Requisites

| Flow | Property | Value Description |
|-------------------------------|:-----------------|:-------------------|
| `org.gluu.agama.passkey.main` | scimClientId | SCIM Client id |
| `org.gluu.agama.passkey.main` | scimClientSecret | SCIM Client secret |
* Register a client to integrate with SCIM (used to list passkeys and edit), minimum scopes:
- https://jans.io/scim/fido2.read
- https://jans.io/scim/fido2.write


### Download The Project

> [!TIP]
> Skip this step if you use the Janssen Server TUI tool to
> configure this project. The TUI tool enables the download and adding of this
> project directly from the tool, as part of the `community projects` listing.
The project is bundled as
[.gama package](https://docs.jans.io/head/agama/gama-format/).
Visit the `Assets` section of the
[Releases](https://github.com/GluuFederation/agama-passkey/releases) to download
the `.gama` package.


### Add The Project To The Server

The Janssen Server provides multiple ways an Agama project can be
deployed and configured. Either use the command-line tool, REST API, or a
TUI (text-based UI). Refer to the [Agama project configuration page](https://docs.jans.io/head/admin/config-guide/auth-server-config/agama-project-configuration/) in the Janssen Server documentation for more details.

### Configure The Project

The Agama project accepts configuration parameters in the JSON format. Every Agama
project comes with a basic sample configuration file for reference.

Below is a typical configuration of the Agama-passkey project. As shown, it contains
configuration parameters for the [flows contained in it](#flows-in-the-project):

Sample JSON:

Expand All @@ -55,40 +79,68 @@ Sample JSON:
}
```

## Demo

### Use case 1:

Login with credentials and configure your first passkey device and as a last step complete the login with your new configured key.
### Test The Flow

![TEST_USE_CASE_1](https://github.com/GluuFederation/agama-passkey/assets/86965029/0e5cc346-a576-499a-a9e3-6069d6932a4b)
Use any relying party implementation (like [jans-tarp](https://github.com/JanssenProject/jans/tree/main/demos/jans-tarp))
to send an authentication request that triggers the flow.

### Use case 2:
From the incoming authentication request, the Janssen Server reads the `ACR`
parameter value to identify which authentication method should be used.
To invoke the `org.gluu.agama.passkey.main` flow contained in the Agama-passkey
project, specify the ACR value as `agama_<qualified-name-of-the-top-level-flow>`,
i.e `agama_org.gluu.agama.passkey.main`.

Log in without credentials, use the `Login with passkey` button.
## Customize and Make It Your Own

Fork this repo to start customizing the Agama-passkey project. It is possible to
customize the user interface provided by the flow to suit your organisation's
branding
guidelines. Or customize the overall flow behavior. Follow the best
practices and steps listed
[here](https://docs.jans.io/head/admin/developer/agama/agama-best-practices/#project-reuse-and-customizations)
to achieve these customizations in the best possible way.
This project can be reused in other Agama projects to create more complex
authentication journeys.  To reuse, trigger the
[org.gluu.agama.passkey.main](#flows-in-the-project) flow from other Agama projects.

To make it easier to visualise and customize the Agama Project, use
[Agama Lab](https://cloud.gluu.org/agama-lab/login).


## Flows In The Project

| Qualified Name | Description |
|-----------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `org.gluu.agama.passkey.main` | This is the main flow, which you can directly launch from the browser. If you have not configured a passkey, you must first log in with your credentials and register your passkey(s) at `org.gluu.agama.passkey.list`. If you have at least 1 passkey configured, then you can click the "Login with passkey" button. |
| `org.gluu.agama.passkey.list` | This flow is used to list the passkeys that the logged-in user has registered. If you do not have a passkey, an option to add a new passkey, `org.gluu.agama.passkey.add` is enabled. If you already have at least one passkey, you can click `Login with passkey`. |
| `org.gluu.agama.passkey.add` | This flow is used to register a new passkey. The user has to validate his FIDO device, which can be a (Yubico key, device fingerprint, Windows Hello, Apple Face ID, etc.). |
| `org.gluu.agama.passkey.nickname` | This flow is used to add a nickname to the newly registered passkey. Once completed, this stream returns to the `org.gluu.agama.passkey.list`


![TEST_USE_CASE_2](https://github.com/GluuFederation/agama-passkey/assets/86965029/200328ec-888a-4767-8242-1c50a126a979)

# Contributors
## Demo

Check out this video to see the **agama-passkey** authentication flow in action.
Also check the
[Agama Project Of The Week](https://gluu.org/agama-project-of-the-week/) video
series for a quick demo on this flow.

*Note:*
While the video shows how the flow works overall, it may be dated. Do check the
[Test The Flow](#test-the-flow) section to understand the current
method of passing the ACR parameter when invoking the flow.

<table>
<tr>
<td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
<a href=https://github.com/Milton-Ch>
<img src=https://avatars.githubusercontent.com/u/86965029?v=4 width="100;" style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Milton Ch/>
<br />
<sub style="font-size:14px"><b>Milton Ch.</b></sub>
</a>
</td>
</tr>
</table>

# License
* Login with credentials and configure your first passkey device, and as a last step, complete the login with your new configured key.
![TEST_USE_CASE_1](https://github.com/GluuFederation/agama-passkey/assets/86965029/0e5cc346-a576-499a-a9e3-6069d6932a4b)

* Log in without credentials; use the `Login with passkey` button.
![TEST_USE_CASE_2](https://github.com/GluuFederation/agama-passkey/assets/86965029/200328ec-888a-4767-8242-1c50a126a979)

This project is licensed under the [Apache 2.0](https://github.com/GluuFederation/agama-security-key/blob/main/LICENSE)

<!-- This are stats url reference for this repository -->
<!-- This is the stats url reference for this repository -->

[contributors-shield]: https://img.shields.io/github/contributors/GluuFederation/agama-passkey.svg?style=for-the-badge

Expand Down
2 changes: 1 addition & 1 deletion project.json
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
"description": "Agama Passkey",
"type": "community",
"author": "Milton-Ch",
"version": "0.0.1",
"version": "0.0.2",
"authorWebsite": "https://github.com/GluuFederation/agama-passkey",
"githubUri": "https://github.com/GluuFederation/agama-passkey",
"license": "apache-2.0",
Expand Down

0 comments on commit 4eac5f2

Please sign in to comment.