Does anyone know if Phoenix/Cowboy implements token binding? My guess would be no since it’s not well supported in browsers, but I could not find any information that would support or disprove this.
I’m pretty sure it is not implemented: there’s just no interface to configure it with the OpenSSL library binding to Erlang (the OpenSSL version implementing Token Binding). (@voltone can probably confirm this.)
Also, since Chrome has removed support for it, my opinion is that it won’t see widespread adoption, ever. See:
- The intent to remove from Chrome team: https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/OkdLUyYmY1E
- A blog post on this issue: https://identiverse.com/2018/10/31/chrome-puts-token-binding-in-a-bind/
Maybe you can tell us more: what are you trying to achieve with Token Binding?
Haha you’re probably the only other person on this forum who could guess why I’m looking into token binding. I’m refactoring/forking your wax library so that it is 100% compliant with the webauthn spec (fully tested). However, it looks like most people have just punted on the TokenBinding aspect which is understandable given its lack of adoption.
I’ll likely implement it properly as the spec dictates but leave it up the the end user whether they want to skip the TokenBinding validation step.
Right, the TLS extensions required are not supported by the ssl application.
It’s also possible to use it behind a reverse-proxy supporting Token Binding: https://tools.ietf.org/id/draft-ietf-tokbind-ttrp-05.html
Great! What do you mean by fully tested? I can’t have the FIDO2 official test suite working on Linux for 6 months already. I plan some maintenance work on Wax in the coming weeks.