Does anyone know if Phoenix/Cowboy implements token binding? My guess would be no since it’s not well supported in browsers, but I could not find any information that would support or disprove this.
I’m pretty sure it is not implemented: there’s just no interface to configure it with the OpenSSL library binding to Erlang (the OpenSSL version implementing Token Binding). (@voltone can probably confirm this.)
Also, since Chrome has removed support for it, my opinion is that it won’t see widespread adoption, ever. See:
- The intent to remove from Chrome team: https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/OkdLUyYmY1E
- A blog post on this issue: https://identiverse.com/2018/10/31/chrome-puts-token-binding-in-a-bind/
Maybe you can tell us more: what are you trying to achieve with Token Binding?
3 Likes
Haha you’re probably the only other person on this forum who could guess why I’m looking into token binding. I’m refactoring/forking your wax library so that it is 100% compliant with the webauthn spec (fully tested). However, it looks like most people have just punted on the TokenBinding aspect which is understandable given its lack of adoption.
I’ll likely implement it properly as the spec dictates but leave it up the the end user whether they want to skip the TokenBinding validation step.
1 Like
Right, the TLS extensions required are not supported by the ssl application.
1 Like
It’s also possible to use it behind a reverse-proxy supporting Token Binding: https://tools.ietf.org/id/draft-ietf-tokbind-ttrp-05.html
Great! What do you mean by fully tested? I can’t have the FIDO2 official test suite working on Linux for 6 months already. I plan some maintenance work on Wax in the coming weeks.
How did the fork/refactoring go.
I found this thread before a merged PR or anything that would say how it has gone.
Released as the :webauthn package. https://github.com/scalpel-software/webauthn
I need to write docs, and include a JS package before fully releasing a 1.0, but everything has been running in prod w/o a hitch. Need to take some time and fully finish this so that other people can use it without having to be a subject matter expert.
Never heard if it.
