WebAuthn¶
WebAuthn is a W3C standard for supporting registration and authorization using U2F Token. This document will focus on setting up WebAuthn with Djoser. If you wish to learn more about WebAuthn, head to the WebAuthn guide.
Configuration¶
First make sure to install webauthn<1.0
. You can use webauthn as “extras” when installing djoser, e.g. pip install djoser[webauthn]
or poetry add djoser -E webauthn
.
Then add djoser.webauthn
to INSTALLED_APPS
:
INSTALLED_APPS = (
'django.contrib.auth',
(...),
'rest_framework',
'djoser',
'djoser.webauthn',
(...),
)
Add djoser.webauthn.urls
url patterns to urls.py
:
urlpatterns = [
(...),
url(r'^auth/webauthn/', include('djoser.webauthn.urls')),
]
Endpoints¶
Signup Request¶
Use this endpoint to get publicKey
data for navigator.credentials.create
. Note that display_name
is required by WebAuthn specification, but you can ignore it in your application. Unlike username
, display_name
does not have to be unique.
URL: /signup_request/
Method |
Request |
Response |
---|---|---|
|
|
|
Signup¶
Pass the result of navigator.credentials.create
alongside user data to this endpoint in order to verify navigator.credentials.create
result and create the user if verification passes.
URL: /signup/<ukey>
Method |
Request |
Response |
---|---|---|
|
|
|
Login Request¶
Use this endpoint to get publicKey
data for navigator.credentials.create
.
URL: /login_request/
Method |
Request |
Response |
---|---|---|
|
|
|
Login¶
Pass the result of navigator.credentials.create
alongside {{ settings.LOGIN_FIELD }}
to this endpoint in order to verify navigator.credentials.create
and log in the user (create the token) if verification passes.
Method |
Request |
Response |
---|---|---|
|
|
|
Example app¶
You can run Test project to see a working example.
Running example app¶
$ git clone git@github.com:sunscrapers/djoser.git $ pip install -r requirements.txt $ cd djoser/testproject $ python manage.py migrate $ python manage.py runserver
Navigate to http://localhost:8000/webauthn-example/
and you should see a minimalistic example of using Djoser with WebAuthn. Feel free to take a look at testapp/static/js/webauthn.js
file in order to better understand the whole flow.
Note
127.0.0.1
is not a valid effective domain and the example will not work if you navigate to http://127.0.0.1:8000
instead of http://localhost:8000
. Also keep in mind that unless the host resolves to localhost
, most browsers will not allow you to use navigator.credentials
if the connection is not secured with TLS.