onetech/webauthn
Composer 安装命令:
composer require onetech/webauthn
包简介
A simple PHP WebAuthn (FIDO2) server library
README 文档
README
WebAuthn
A simple PHP WebAuthn (FIDO2) server library
Goal of this project is to provide a small, lightweight, understandable library to protect logins with passkeys, security keys like Yubico or Solo, fingerprint on Android or Windows Hello.
Manual
See /_test for a simple usage of this library. Check webauthn.lubu.ch for a working example.
Supported attestation statement formats
- android-key ✅
- android-safetynet ✅
- apple ✅
- fido-u2f ✅
- none ✅
- packed ✅
- tpm ✅
Note
This library supports authenticators which are signed with a X.509 certificate or which are self attested. ECDAA is not supported.
Workflow
JAVASCRIPT | SERVER
------------------------------------------------------------
REGISTRATION
window.fetch -----------------> getCreateArgs
|
navigator.credentials.create <-------------'
|
'-------------------------> processCreate
|
alert ok or fail <----------------'
------------------------------------------------------------
VALIDATION
window.fetch ------------------> getGetArgs
|
navigator.credentials.get <----------------'
|
'-------------------------> processGet
|
alert ok or fail <----------------'
Attestation
Typically, when someone logs in, you only need to confirm that they are using the same device they used during registration. In this scenario, you do not require any form of attestation. However, if you need additional security, such as when your company mandates the use of a Solokey for login, you can verify its authenticity through direct attestation. Companies may also purchase authenticators that are signed with their own root certificate, enabling them to validate that an authenticator is affiliated with their organization.
no attestation
just verify that the device is the same device used on registration. You can use 'none' attestation with this library if you only check 'none' as format.
Tip
this is propably what you want to use if you want secure login for a public website.
indirect attestation
the browser may replace the AAGUID and attestation statement with a more privacy-friendly and/or more easily verifiable version of the same data (for example, by employing an anonymization CA). You can not validate against any root ca, if the browser uses a anonymization certificate. this library sets attestation to indirect, if you select multiple formats but don't provide any root ca.
Tip
hybrid soultion, clients may be discouraged by browser warnings but then you know what device they're using (statistics rulez!)
direct attestation
the browser proviedes data about the identificator device, the device can be identified uniquely. User could be tracked over multiple sites, because of that the browser may show a warning message about providing this data when register. this library sets attestation to direct, if you select multiple formats and provide root ca's.
Tip
this is probably what you want if you know what devices your clients are using and make sure that only this devices are used.
Passkeys / Client-side discoverable Credentials
A Client-side discoverable Credential Source is a public key credential source whose credential private key is stored in the authenticator, client or client device. Such client-side storage requires a resident credential capable authenticator. This is only supported by FIDO2 hardware, not by older U2F hardware.
Note
Passkeys is a technique that allows sharing credentials stored on the device with other devices. So from a technical standpoint of the server, there is no difference to client-side discoverable credentials. The difference is only that the phone or computer system is automatically syncing the credentials between the user’s devices via a cloud service. The cross-device sync of passkeys is managed transparently by the OS.
How does it work?
In a typical server-side key management process, a user initiates a request by entering their username and, in some cases, their password. The server validates the user's credentials and, upon successful authentication, retrieves a list of all public key identifiers associated with that user account. This list is then returned to the authenticator, which selects the first credential identifier it issued and responds with a signature that can be verified using the public key registered during the registration process.
In a client-side key process, the user does not need to provide a username or password. Instead, the authenticator searches its own memory to see if it has saved a key for the relying party (domain). If a key is found, the authentication process proceeds in the same way as it would if the server had sent a list of identifiers. There is no difference in the verification process.
How can I use it with this library?
on registration
When calling WebAuthn\WebAuthn->getCreateArgs, set $requireResidentKey to true,
to notify the authenticator that he should save the registration in its memory.
on login
When calling WebAuthn\WebAuthn->getGetArgs, don't provide any $credentialIds (the authenticator will look up the ids in its own memory and returns the user ID as userHandle).
Set the type of authenticator to hybrid (Passkey scanned via QR Code) and internal (Passkey stored on the device itself).
disadvantage
The RP ID (= domain) is saved on the authenticator. So If an authenticator is lost, its theoretically possible to find the services, which the authenticator is used and login there.
device support
Availability of built-in passkeys that automatically synchronize to all of a user’s devices: (see also passkeys.dev/device-support)
- Apple iOS 16+ / iPadOS 16+ / macOS Ventura+
- Android 9+
- Microsoft Windows 11 23H2+
Requirements
- PHP >= 8.0 with OpenSSL and Multibyte String
- Browser with WebAuthn support (Firefox 60+, Chrome 67+, Edge 18+, Safari 13+)
- PHP Sodium (or Sodium Compat ) for Ed25519 support
Infos about WebAuthn
FIDO2 Hardware
onetech/webauthn 适用场景与选型建议
onetech/webauthn 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 9 次下载、GitHub Stars 达 1, 最近一次更新时间为 2025 年 06 月 24 日, 在 PHP 生态内属于活跃度较高的组件。
它主要适用于以下技术方向: 「Authentication」 「webauthn」 「passkey」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。
我们在过去多个企业项目中使用过 onetech/webauthn 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 onetech/webauthn 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
与 onetech/webauthn 相关的其它包
同方向 / 同关键字的高下载量 PHP Composer 包推荐,方便对比选型:
Filament Two Factor Authentication: Google 2FA + Passkey Authentication
Automatically logs-in users if they are already authenticated by a remote source. (e.g. environment variable REMOTE_USER)
GraphQL authentication for your headless Craft CMS applications.
Add webauthn functionality to Laravel
Support passkeys and Web Authentication
Laravel middleware to restrict a site or specific routes using HTTP basic authentication
统计信息
- 总下载量: 9
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 1
- 点击次数: 29
- 依赖项目数: 0
- 推荐数: 0
其他信息
- 授权协议: MIT
- 更新时间: 2025-06-24