
WebAuthn internals (goauth/webauthn)

The passkey provider delegates all cryptography to github.com/izetmolla/goauth/webauthn, which depends on the Go standard library only.

Package structure

File          Responsibility
encoding.go   Base64url, CredentialJSON types
cbor.go       Minimal CBOR decoder (maps, byte strings)
cose.go       COSE EC2 P-256 key parse, ES256 verify
authdata.go   Authenticator data layout
rp.go         RP, options builders, VerifyRegistration, VerifyLogin

Registration verification

  1. Parse clientDataJSON — type must be webauthn.create
  2. Challenge must match server-issued challenge (from verification token)
  3. Origin must equal RP.Origin
  4. Decode attestationObject (CBOR) → authData bytes
  5. Parse attested credential data → credential ID + COSE public key
  6. Verify RP ID hash = SHA256(rp.id)
  7. Store credential (no attestation format beyond none is validated)

Login verification

  1. clientDataJSON.type = webauthn.get
  2. Challenge + origin checks
  3. Load stored COSE key
  4. Verify signature over authenticatorData || SHA256(clientDataJSON)
  5. Reject if signCount did not increase (when both counters non-zero)

RP configuration

// ID is the RP ID (the registrable domain); Origin must match clientDataJSON.origin exactly.
rp := &webauthn.RP{
	ID:     "app.example.com",
	Name:   "My App",
	Origin: "https://app.example.com",
}
// challenge and allowCredentialIDs come from the server-issued verification token and the user's stored credentials.
opts := rp.LoginOptionsForCredentials(challenge, allowCredentialIDs)
// credentialJSON is the browser's assertion; storedCredential holds the COSE key and last signCount.
cred, err := rp.VerifyLogin(credentialJSON, challengeBytes, storedCredential)

Extending

To support additional algorithms (e.g. EdDSA) or packed attestation, extend cose.go and VerifyRegistration — keep changes inside webauthn/ to preserve the stdlib-only core guarantee.

Testing

go test ./webauthn/...

Add golden-vector tests with real browser-captured assertions for regression safety.