Describe the bug WebAuthn persistence only works using in-memory SessionRepository? 1. PublicKeyCredentialCreationOptions 2. PublicKeyCredentialRequestOptions
Persistence doesn't seem to work out-of-the-box (OOTB) if using WebAuthn + Redis.
1. Redis defaultSerializer seems to be JdkSerializationRedisSerializer.
2. WebAuthn data classes in https://github.com/spring-projects/spring-security/tree/fd267dfb71bfc8e1ab5bcc8270c12fbaad46fddf/web/src/main/java/org/springframework/security/web/webauthn/api don't seem to implement the Serializable interface required for JdkSerializationRedisSerializer to work.
To Reproduce
I created a GitHub repo https://github.com/justincranford/spring-security-webauthn-redis to:
1. Reproduce and demonstrate the initial RedisSessionRepository JdkSerializationRedisSerializer issue
2. Reproduce and demonstrate all of the issues I encountered switching Redis to GenericJackson2JsonRedisSerializer, and the incremental workarounds I had to apply to make the WebAuthn service data classes serialize/deserialize OK
3. Demonstrate what I tried to get a custom RedisHttpSessionConfiguration redisHttpSessionConfiguration bean to work, so I can override the default UUIDSessionGenerator. I could not figure out a workaround.
Expected behavior 1. WebAuthn service data classes should work with JdkSerializationRedisSerializer out-of-the-box. 2. WebAuthn service data classes should work with GenericJackson2JsonRedisSerializer out-of-the-box too, or with minimal boilerplate. 3. Document example how to configure WebAuthn + Redis to use JdkSerializationRedisSerializer. 4. Document example how to configure WebAuthn + Redis to use GenericJackson2JsonRedisSerializer. 5. Document example how to configure Redis to override RedisHttpSessionConfiguration.java#. I found a one-line mention in EnableRedisHttpSession.java. However, I think EnableRedisHttpSession and overriding care mutually exclusive, so it would be nice to see an example of overriding RedisHttpSessionConfiguration outside of EnableRedisHttpSession (i.e. in docs).
Sample See GitHub repo README for a numbered list of the issues for Redis+WebAuthn JdkSerializationRedisSerializer, Redis+WebAuthn GenericJackson2JsonRedisSerializer, and RedisHttpSessionConfiguration override issue. https://github.com/justincranford/spring-security-webauthn-redis
Timeline 1. I posted my original question on Stack Exchange on Dec 15, 2024. - https://stackoverflow.com/questions/79281677/how-to-use-spring-security-6-4-0-passkeys-with-redishttpsessionrepository/79299083
- I partially answered the question myself in a follow up on Dec 21, 2024.
-
https://stackoverflow.com/a/79299083/747004
-
I posted links to my GitHub repo and this Spring Security Issue #16328 on Dec 23, 2024.
-
I added two TL;DR comments, and appended this timeline, to the original description of this Spring Security Issue #16328 on Dec 26, 2024.
Comment From: justincranford
TL;DR Here are the interesting bits for creating an ObjectMapper that allowed me to serialize/deserialize WebAuthn PublicKeyCredentialCreationOptions and PublicKeyCredentialRequestOptionsin in Redis using GenericJackson2JsonRedisSerializer (JSON) instead of the non-working, Redis default JdkSerializationRedisSerializer...
@NoArgsConstructor(access=AccessLevel.PRIVATE)
@Slf4j
public final class ObjectMapperFactory {
private static final ClassLoader CLASS_LOADER = ObjectMapperFactory.class.getClassLoader();
public static ObjectMapper objectMapper(
final boolean addDefaultSecurityJacksonModules,
final boolean addMissingWebauthnJacksonModule,
final boolean addMissingWebauthnJacksonMixins,
final boolean overrideDefaultTypingFromDefaultJacksonSecurityModules,
final boolean ignoreTrailingTokensDuringJacksonDeserialize
) {
final ObjectMapper objectMapper = new ObjectMapper()
.registerModule(new JavaTimeModule())
.registerModule(new Jdk8Module())
.setSerializationInclusion(JsonInclude.Include.NON_EMPTY)
.enable(JsonParser.Feature.INCLUDE_SOURCE_IN_LOCATION)
.configure(SerializationFeature.INDENT_OUTPUT, true)
.configure(SerializationFeature.WRITE_DATES_AS_TIMESTAMPS, false)
.configure(SerializationFeature.WRITE_DURATIONS_AS_TIMESTAMPS, false)
.configure(SerializationFeature.ORDER_MAP_ENTRIES_BY_KEYS, true)
.configure(DeserializationFeature.FAIL_ON_NULL_FOR_PRIMITIVES, true)
.configure(DeserializationFeature.FAIL_ON_NUMBERS_FOR_ENUMS, true)
.configure(DeserializationFeature.FAIL_ON_READING_DUP_TREE_KEY, true)
.configure(DeserializationFeature.FAIL_ON_IGNORED_PROPERTIES, true)
.configure(DeserializationFeature.FAIL_ON_MISSING_CREATOR_PROPERTIES, false)
.configure(DeserializationFeature.FAIL_ON_TRAILING_TOKENS, true)
.configure(DeserializationFeature.FAIL_ON_UNEXPECTED_VIEW_PROPERTIES, true)
.configure(DeserializationFeature.ACCEPT_FLOAT_AS_INT, false)
;
if (addDefaultSecurityJacksonModules) {
objectMapper.registerModules(SecurityJackson2Modules.getModules(CLASS_LOADER));
}
if (addMissingWebauthnJacksonModule) {
objectMapper.registerModule(new WebauthnJackson2Module());
}
if (addMissingWebauthnJacksonMixins) {
// objectMapper.addMixIn(Bytes.class, WebauthnBytesMixIn.class);
objectMapper.addMixIn(PublicKeyCredentialCreationOptions.class, PublicKeyCredentialCreationOptionsMixIn.class);
objectMapper.addMixIn(ImmutablePublicKeyCredentialUserEntity.class, PublicKeyCredentialUserEntityMixIn.class);
objectMapper.addMixIn(PublicKeyCredentialUserEntity.class, PublicKeyCredentialUserEntityMixIn.class);
objectMapper.addMixIn(PublicKeyCredentialRpEntity.class, PublicKeyCredentialRpEntityMixIn.class);
objectMapper.addMixIn(PublicKeyCredentialParameters.class, PublicKeyCredentialParametersMixIn.class);
// objectMapper.addMixIn(PublicKeyCredentialType.class, PublicKeyCredentialTypeMixIn.class);
// objectMapper.addMixIn(COSEAlgorithmIdentifier.class, COSEAlgorithmIdentifierMixIn.class);
objectMapper.addMixIn(AuthenticatorSelectionCriteria.class, AuthenticatorSelectionCriteriaMixIn.class);
// objectMapper.addMixIn(AttestationConveyancePreference.class, AttestationConveyancePreferenceMixIn.class);
// objectMapper.addMixIn(AuthenticatorAttachment.class, AuthenticatorAttachmentMixIn.class);
// objectMapper.addMixIn(ResidentKeyRequirement.class, ResidentKeyRequirementMixIn.class);
// objectMapper.addMixIn(UserVerificationRequirement.class, UserVerificationRequirementMixIn.class);
objectMapper.addMixIn(PublicKeyCredentialRequestOptions.class, PublicKeyCredentialRequestOptionsMixIn.class);
objectMapper.addMixIn(ImmutableAuthenticationExtensionsClientInputs.class, AuthenticationExtensionsClientInputsMixIn.class);
objectMapper.addMixIn(AuthenticationExtensionsClientInputs.class, AuthenticationExtensionsClientInputsMixIn.class);
objectMapper.addMixIn(AuthenticationExtensionsClientInput.class, AuthenticationExtensionsClientInputMixIn.class);
objectMapper.addMixIn(PublicKeyCredentialDescriptor.class, PublicKeyCredentialDescriptorMixIn.class);
// objectMapper.addMixIn(AuthenticatorTransport.class, AuthenticatorTransportMixIn.class);
objectMapper.addMixIn(CredProtectAuthenticationExtensionsClientInput.class, CredProtectAuthenticationExtensionsClientInputMixIn.class);
objectMapper.addMixIn(CredProtect.class, CredProtectMixIn.class);
}
if (overrideDefaultTypingFromDefaultJacksonSecurityModules) {
objectMapper.activateDefaultTyping(
LaissezFaireSubTypeValidator.instance,
ObjectMapper.DefaultTyping.NON_FINAL,
JsonTypeInfo.As.PROPERTY
);
}
if (ignoreTrailingTokensDuringJacksonDeserialize) {
// Relax deserialization to handle this cryptic Collections$UnmodifiableRandomAccessList nested serialization:
// "authorities" : [ "java.util.Collections$UnmodifiableRandomAccessList", [ {
// "@class" : "org.springframework.security.core.authority.SimpleGrantedAuthority",
// "authority" : "ROLE_ADM"
// } ] ],
objectMapper.configure(DeserializationFeature.FAIL_ON_TRAILING_TOKENS, false);
}
return objectMapper;
}
}
Comment From: justincranford
TL;DR Here are the interesting bits for my @Configuration instances, which I constructed by injecting different ObjectMapper instances created with the above helper method.
The below config allowed me to initialize Redis to use GenericJackson2JsonRedisSerializer (JSON) instead of the non-working, default JdkSerializationRedisSerializer.
My @Configuration below is not perfect. I could use feedback on how to clean it up, because my RedisHttpSessionConfiguration redisHttpSessionConfiguration bean to set config.setSessionIdGenerator(new MySessionIdGenerator()); is not getting applied. I noted it as the last issue in the README of my demo GitHub repo.
// Inject different ObjectMapper instances to be used by RedisSerializer<Object>, for setHashValueSerializer and setValueSerializer
@RequiredArgsConstructor
public static abstract class MyAbstractRedisClientConfig {
private final ObjectMapper objectMapper;
@Bean
public RedisSerializer<Object> springSessionDefaultRedisSerializer() {
return GenericJackson2JsonRedisSerializer.builder().objectMapper(this.objectMapper).build();
}
@Bean
public LettuceConnectionFactory redisConnectionFactory() {
return new LettuceConnectionFactory(REDIS_SERVER_ADDRESS, REDIS_SERVER_PORT);
}
@Bean
public RedisTemplate<String, Object> sessionRedisTemplate(
final RedisSerializer<Object> springSessionDefaultRedisSerializer,
final LettuceConnectionFactory redisConnectionFactory
) {
final StringRedisSerializer stringRedisSerializer = new StringRedisSerializer();
final RedisTemplate<String, Object> redisTemplate = new RedisTemplate<>();
redisTemplate.setConnectionFactory(redisConnectionFactory);
redisTemplate.setHashKeySerializer(stringRedisSerializer);
redisTemplate.setKeySerializer(stringRedisSerializer);
redisTemplate.setHashValueSerializer(springSessionDefaultRedisSerializer);
redisTemplate.setValueSerializer(springSessionDefaultRedisSerializer);
redisTemplate.setDefaultSerializer(springSessionDefaultRedisSerializer);
log.info("redisTemplate: {}", redisTemplate);
return redisTemplate;
}
@Bean
public RedisSessionRepository redisSessionRepository(final RedisTemplate<String, Object> sessionRedisTemplate) {
return new RedisSessionRepository(sessionRedisTemplate);
}
@Bean
public RedisHttpSessionConfiguration redisHttpSessionConfiguration(
final RedisSerializer<Object> springSessionDefaultRedisSerializer,
final RedisConnectionFactory redisConnectionFactory,
@SpringSessionRedisConnectionFactory final ObjectProvider<RedisConnectionFactory> springSessionRedisConnectionFactory
) {
final RedisHttpSessionConfiguration config = new RedisHttpSessionConfiguration();
config.setSessionIdGenerator(new MySessionIdGenerator());
config.setMaxInactiveInterval(Duration.ofSeconds(7));
config.setRedisNamespace("test");
config.setDefaultRedisSerializer(springSessionDefaultRedisSerializer);
final ObjectProvider<RedisConnectionFactory> objectProvider = new ObjectProvider<>() {
@Override
public RedisConnectionFactory getObject() throws BeansException {
return redisConnectionFactory;
}
};
config.setRedisConnectionFactory(objectProvider, objectProvider);
return config;
}
}
Comment From: rwinch
@justincranford Thanks for the ticket. This support all makes sense. I've added for sub-issues that I think will take care of what you are looking for. If you'd like to contribute a PR please mention it on the sub issue.
Comment From: rodrigorodrigues
Hi @justincranford ,
I've tried to implement passkey with redis but the passkeys registered are gone once the session timeout is applied, have you faced similar issue?
Comment From: justincranford
Hi @rodrigorodrigues,
Sorry, I didn't have that issue. Just a guess, but only challenges go in Redis. Don't put passkeys in Redis.
Double check if you are using different storage for 1+2 vs 3+4. 1. Registration challenges => temp storage via HTTP Session (e.g. memory, Redis); filter calls HTTP Session here 2. Authentication challenges => temp storage via HTTP Session (e.g. memory, Redis); filter calls HTTP Session here 3. Registered users => perm storage via service bean (e.g. PostgreSQL); default is HashMaps here 4. Registered credentials => perm storage via service bean (e.g. PostgreSQL); default is HashMaps here
My demo repo https://github.com/justincranford/spring-security-webauthn-redis was a minimum viable example for Redis ser/des issues. Repos 1+2 are changed to Redis, but repos 3+4 are not changed.
If this is your issue, add @Service beans to override the default beans for repos 3+4. Example:
@Service
public class MyRepositoryFacade implements UserCredentialRepository {
@Autowired
private MyJpaRepository myJpaRepository;
You need JPA entities (and repos) for the registered passkeys and users. Map between your JPA entities and the Spring Security WebAuthn classes in your two service beans. Examples: - MyJpaCredential <=> org.springframework.security.web.webauthn.api.CredentialRecord - MyJpaUser <=> org.springframework.security.web.webauthn.api.PublicKeyCredentialUserEntity
Comment From: rodrigorodrigues
Hi @justincranford ,
Thanks very much for your explanation, I did what you said and added DB support instead of redis, created an article for that and mentioned your comment https://www.linkedin.com/pulse/passwordless-authentication-spring-security-passkeys-rodrigues-y1oye/?trackingId=wNImL90rQua2FrzXxRsiqQ%3D%3D
Comment From: mchoraine
Is there any update on the issue ? I still got the issue on spring boot 3.5.5. I got around the problem using @justincranford workaround but it's a lot of config to maintain. Thanks for your help