Does Ory kratos support webauthn/fido2 without usi...
# ory-selfhostingc
curved-ram-6189
01/10/2025, 8:37 PMDoes Ory kratos support webauthn/fido2 without using a browser? E.g. Android or iOS biometric login via API only, not via javascript?
s
sticky-island-65815
01/10/2025, 10:25 PMI found that it sadly doesn‘t support it at the moment. I bumped this discussion a while ago, I think it’s mistakenly marked as „done“: https://github.com/ory/kratos/discussions/3038#discussioncomment-8274489
c
curved-ram-6189
01/13/2025, 8:49 PMThat was from January 2024. In kratos 1.3.1 they added support for android origins, which seemed like "support"?
https://github.com/ory/kratos/releases
s
sticky-island-65815
01/13/2025, 8:52 PMI don‘t think that‘s enough. The API flows still have to add support for passkeys and return the challenge. The passkey code in Kratos has a couple of guards around requiring browser flows: https://github.com/ory/kratos/blob/master/selfservice/strategy/passkey/passkey_registration.go#L107
c
curved-ram-6189
01/13/2025, 9:26 PMhrmm
curved-ram-6189
01/13/2025, 9:28 PMThat is pretty damning. I was looking through this diff which gave me hope:
https://github.com/ory/kratos/commit/b11d76e349c5679f6165a1ced1f228bc73d5d27a#diff-03e84266225859735c1af5ed6e99[…]8c8caf40871fb9af83b00aa992ed0cR268
Maybe they just mean the origin can be an android app, but the browser still has to be in the flow?
curved-ram-6189
01/22/2025, 2:13 PMSo looking through the APIs and code last night it looks like the flow guards are nearly the only thing preventing this? We can add the required well-known json files easy enough but then we should be able to call the registration apis without a flow at all (api-only), which I'm not sure is possible? There don't seem to be webauthn registration apis listed in the openapi docs and I can't seem to find them. @magnificent-energy-493 can you shed some light on the state of this feature? Seems like something we could customize ourselves if it's not a big lift
m
magnificent-energy-493
01/22/2025, 2:42 PM
Hello @curved-ram-6189 @sticky-island-65815
it looks like the flow guards are nearly the only thing preventing this?that is correct. You are also right that you can currently work around this and customize it - using the browser flows, parse what is returned and then accepting the challenge. We will however remove the guards / fix the bug very soon. apologies that it took so long to address this, but we are on it now 🙂 🙏
c
curved-ram-6189
01/22/2025, 2:49 PMNo this is amazing!
curved-ram-6189
05/12/2025, 6:48 PM@magnificent-energy-493 Is there any movement on this? I'm not sure where it falls on the Ory roadmap
8 Views