The server side plugin name is authentication_webauthn
The client side plugin name is authentication_webauthn_client
Account - user account (user-host combination)
authentication_string - Transformation of Credential ID stored in mysql.user table
relying party ID - Unique name assigned to server by authentication_webauthn plugin
FIDO authenticator - A hardware token device
Salt - 32 byte long random data
Registration mode - Refers to state of connection where only ALTER USER is allowed to do registration steps.
How authentication_webauthn works?
Plugin authentication_webauthn works in two phases.
Registration of hardware token device
Authentication process
Registration process: This is a 2 step process for a given user account.
Initiate registration step.
Finish registration step.
Initiate registration: –register-factor mysql client option initiates registration step.
Client executes ALTER USER user() nth FACTOR INITIATE REGISTRATION;
Server sends a challenge comprising of 1 byte capability bit, 32 bytes random salt, relying party ID Format of challenge is: | 1 byte capability | length encoded 32 bytes random salt | length encoded relying party ID | length encoded user id (user name@host name) |
Server also sends name of the client plugin - In this case authentication_webauthn_client.
Client receives challenge and client plugin name. It then passes challenge to authentication_webauthn_client plugin with option "registration_challenge" using mysql_plugin_options()
FIDO authenticator may prompt to enter device pin. By default pin can be provided via standard input. Alternatively, register a callback with option "authentication_webauthn_client_callback_get_password" using mysql_plugin_options() to provide pin. FIDO authenticator prompts to perform gesture action. This message can be accessed via callback. Register a callback with option "authentication_webauthn_client_messages_callback" using mysql_plugin_options()
Once gesture action (touching the token) is performed, FIDO authenticator generates a public/private key pair, a credential ID( X.509 certificate, signature) and authenticator data.
Client extracts credential ID(aka challenge response) from authentication_webauthn_client plugin with option "registration_response" using mysql_plugin_get_option() Response is encoded in base64. Format of challenge response is: | 1 bytes capability | length encoded authenticator data | length encoded signature | length encoded x509 certificate | length encoded Client data JSON |
Finish registration:
Client executes ALTER USER user() nth FACTOR FINISH REGISTRATION SET CHALLENGE_RESPONSE AS '?'; parameter is binded to challenge response received during initiate registration step.
authentication_webauthn plugin verifies the challenge response and responds with an OK_Packet or rejects with ERR_Packet
Authentication process: Once initial authentication methods defined for user account are successful, server initiates webauthn authentication process. This includes following steps:
Server sends a 32 byte random salt, relying party ID to client. Format is: | 1 byte capability | length encoded 32 byte random salt | length encoded relying party ID |
Client receives them and checks if FIDO device has CTAP2(aka fido2) capability.
If FIDO device is not capable of CTAP2, client requests server to send credential ID. Format is: | 0x01 |
Server sends credential ID (or empty string if unavailable) to client. Format is: | length encoded credential ID |
If device has CTAP2 capability and if user has configured preserve-privacy option, client prompts user to enter pin. client then retrieves all credentials for given relying party ID from FIDO authenticator.
Client prompts user to choose from the list of credentials.
Client sends random salt, relying party ID and optionally credential ID OR resident key identifier to FIDO authenticator.
FIDO authenticator prompts to perform gesture action.
For CTAP2 capable device, FIDO authenticator extracts one (in case of preserve-privacy option) or all private key based on relying party ID and signs the challenge.
For non-CTAP2 devices, FIDO authenticator extracts private key based on relying party ID and credential ID received from server and signs the challenge.
Client sends signed challenge to server. Format: | 0x02 | length encoded number of assertions | length encoded authenticator data | length encoded signature | ... | length encoded authenticator data | length encoded signature | client data json |
Server side webauthn authentication plugin verifies the signature with the public key and responds with an OK_Packet or with ERR_Packet
Packet Information
Packets related to registration
When client sends ALTER USER <username> <N> FACTOR INITIATE REGISTRATION and if user is using authentication_webauthn for given factor, server response will contain registration challege received from server plugin. Following is the format of such a challenge.
In response to registration challenge, client plugin calculates response and sends it to server as a part of ALTER USER <username> <N> FACTOR FINISH REGISTRATION