openstack-experimental · gtema · Sep 12, 2025 · Sep 11, 2025
diff --git a/src/api/v4/auth/passkey/finish.rs b/src/api/v4/auth/passkey/finish.rs
@@ -13,10 +13,13 @@
 // SPDX-License-Identifier: Apache-2.0
 
 use axum::{Json, extract::State, http::StatusCode, response::IntoResponse};
-use serde_json::Value;
+use base64::{Engine as _, engine::general_purpose::URL_SAFE};
 use tracing::debug;
-use webauthn_rs::prelude::*;
 
+use crate::api::v4::auth::passkey::types::{
+    AuthenticationExtensionsClientOutputs, AuthenticatorAssertionResponseRaw, HmacGetSecretOutput,
+    PasskeyAuthenticationFinishRequest,
+};
 use crate::api::{
     error::{KeystoneApiError, WebauthnError},
     v4::auth::token::types::{Token as ApiToken, TokenResponse as ApiTokenResponse},
@@ -34,6 +37,7 @@ use crate::token::TokenApi;
     post,
     path = "/finish",
     operation_id = "/auth/passkey/finish:post",
+    request_body = PasskeyAuthenticationFinishRequest,
     responses(
         (status = OK, description = "Authentication Token object", body = ApiTokenResponse,
         headers(
@@ -50,13 +54,9 @@ use crate::token::TokenApi;
 )]
 pub(super) async fn finish(
     State(state): State<ServiceState>,
-    Json(req): Json<Value>,
+    Json(req): Json<PasskeyAuthenticationFinishRequest>,
 ) -> Result<impl IntoResponse, KeystoneApiError> {
-    let user_id = req
-        .get("user_id")
-        .and_then(|uid| uid.as_str())
-        .ok_or_else(|| KeystoneApiError::Unauthorized)?
-        .to_string();
+    let user_id = req.user_id.clone();
     // TODO: Wrap all errors into the Unauthorized, but log the error
     if let Some(s) = state
         .provider
@@ -66,8 +66,10 @@ pub(super) async fn finish(
     {
         // We explicitly try to deserealize the request data directly into the underlying
         // webauthn_rs type.
-        let v: PublicKeyCredential = serde_json::from_value(req)?;
-        match state.webauthn.finish_passkey_authentication(&v, &s) {
+        match state
+            .webauthn
+            .finish_passkey_authentication(&req.try_into()?, &s)
+        {
             Ok(_auth_result) => {
                 // Here should the DB update happen (last_used, ...)
             }
@@ -118,3 +120,60 @@ pub(super) async fn finish(
     )
         .into_response())
 }
+
+impl TryFrom<HmacGetSecretOutput> for webauthn_rs_proto::extensions::HmacGetSecretOutput {
+    type Error = KeystoneApiError;
+    fn try_from(val: HmacGetSecretOutput) -> Result<Self, Self::Error> {
+        Ok(Self {
+            output1: URL_SAFE.decode(val.output1)?.into(),
+            output2: val
+                .output2
+                .map(|s2| URL_SAFE.decode(s2))
+                .transpose()?
+                .map(Into::into),
+        })
+    }
+}
+
+impl TryFrom<AuthenticationExtensionsClientOutputs>
+    for webauthn_rs_proto::extensions::AuthenticationExtensionsClientOutputs
+{
+    type Error = KeystoneApiError;
+    fn try_from(val: AuthenticationExtensionsClientOutputs) -> Result<Self, Self::Error> {
+        Ok(Self {
+            appid: val.appid,
+            hmac_get_secret: val.hmac_get_secret.map(TryInto::try_into).transpose()?,
+        })
+    }
+}
+
+impl TryFrom<AuthenticatorAssertionResponseRaw>
+    for webauthn_rs_proto::auth::AuthenticatorAssertionResponseRaw
+{
+    type Error = KeystoneApiError;
+    fn try_from(val: AuthenticatorAssertionResponseRaw) -> Result<Self, Self::Error> {
+        Ok(Self {
+            authenticator_data: URL_SAFE.decode(val.authenticator_data)?.into(),
+            client_data_json: URL_SAFE.decode(val.client_data_json)?.into(),
+            signature: URL_SAFE.decode(val.signature)?.into(),
+            user_handle: val
+                .user_handle
+                .map(|uh| URL_SAFE.decode(uh))
+                .transpose()?
+                .map(Into::into),
+        })
+    }
+}
+
+impl TryFrom<PasskeyAuthenticationFinishRequest> for webauthn_rs::prelude::PublicKeyCredential {
+    type Error = KeystoneApiError;
+    fn try_from(req: PasskeyAuthenticationFinishRequest) -> Result<Self, Self::Error> {
+        Ok(webauthn_rs::prelude::PublicKeyCredential {
+            id: req.id,
+            extensions: req.extensions.try_into()?,
+            raw_id: URL_SAFE.decode(req.raw_id)?.into(),
+            response: req.response.try_into()?,
+            type_: req.type_,
+        })
+    }
+}
diff --git a/src/api/v4/auth/passkey/start.rs b/src/api/v4/auth/passkey/start.rs
@@ -13,6 +13,7 @@
 // SPDX-License-Identifier: Apache-2.0
 
 use axum::{Json, extract::State, response::IntoResponse};
+use base64::{Engine as _, engine::general_purpose::URL_SAFE};
 use tracing::debug;
 use webauthn_rs::prelude::*;
 
@@ -78,3 +79,122 @@ pub(super) async fn start(
 
     Ok(res)
 }
+
+impl From<webauthn_rs_proto::extensions::HmacGetSecretInput> for HmacGetSecretInput {
+    fn from(val: webauthn_rs_proto::extensions::HmacGetSecretInput) -> Self {
+        Self {
+            output1: URL_SAFE.encode(val.output1),
+            output2: val.output2.map(|s2| URL_SAFE.encode(s2)),
+        }
+    }
+}
+
+impl From<webauthn_rs_proto::extensions::RequestAuthenticationExtensions>
+    for RequestAuthenticationExtensions
+{
+    fn from(val: webauthn_rs_proto::extensions::RequestAuthenticationExtensions) -> Self {
+        Self {
+            appid: val.appid,
+            hmac_get_secret: val.hmac_get_secret.map(Into::into),
+            uvm: val.uvm,
+        }
+    }
+}
+
+impl From<webauthn_rs_proto::options::AuthenticatorTransport> for AuthenticatorTransport {
+    fn from(val: webauthn_rs_proto::options::AuthenticatorTransport) -> Self {
+        match val {
+            webauthn_rs_proto::options::AuthenticatorTransport::Ble => AuthenticatorTransport::Ble,
+            webauthn_rs_proto::options::AuthenticatorTransport::Hybrid => {
+                AuthenticatorTransport::Hybrid
+            }
+            webauthn_rs_proto::options::AuthenticatorTransport::Internal => {
+                AuthenticatorTransport::Internal
+            }
+            webauthn_rs_proto::options::AuthenticatorTransport::Nfc => AuthenticatorTransport::Nfc,
+            webauthn_rs_proto::options::AuthenticatorTransport::Test => {
+                AuthenticatorTransport::Test
+            }
+            webauthn_rs_proto::options::AuthenticatorTransport::Unknown => {
+                AuthenticatorTransport::Unknown
+            }
+            webauthn_rs_proto::options::AuthenticatorTransport::Usb => AuthenticatorTransport::Usb,
+        }
+    }
+}
+impl From<webauthn_rs_proto::options::UserVerificationPolicy> for UserVerificationPolicy {
+    fn from(val: webauthn_rs_proto::options::UserVerificationPolicy) -> Self {
+        match val {
+            webauthn_rs_proto::options::UserVerificationPolicy::Required => {
+                UserVerificationPolicy::Required
+            }
+            webauthn_rs_proto::options::UserVerificationPolicy::Preferred => {
+                UserVerificationPolicy::Preferred
+            }
+            webauthn_rs_proto::options::UserVerificationPolicy::Discouraged_DO_NOT_USE => {
+                UserVerificationPolicy::DiscouragedDoNotUse
+            }
+        }
+    }
+}
+
+impl From<webauthn_rs_proto::options::PublicKeyCredentialHints> for PublicKeyCredentialHint {
+    fn from(val: webauthn_rs_proto::options::PublicKeyCredentialHints) -> Self {
+        match val {
+            webauthn_rs_proto::options::PublicKeyCredentialHints::ClientDevice => {
+                PublicKeyCredentialHint::ClientDevice
+            }
+            webauthn_rs_proto::options::PublicKeyCredentialHints::Hybrid => {
+                PublicKeyCredentialHint::Hybrid
+            }
+            webauthn_rs_proto::options::PublicKeyCredentialHints::SecurityKey => {
+                PublicKeyCredentialHint::SecurityKey
+            }
+        }
+    }
+}
+
+impl From<webauthn_rs_proto::options::AllowCredentials> for AllowCredentials {
+    fn from(val: webauthn_rs_proto::options::AllowCredentials) -> Self {
+        Self {
+            id: URL_SAFE.encode(val.id),
+            transports: val
+                .transports
+                .map(|tr| tr.into_iter().map(Into::into).collect::<Vec<_>>()),
+            type_: val.type_,
+        }
+    }
+}
+
+impl From<webauthn_rs_proto::auth::PublicKeyCredentialRequestOptions>
+    for PublicKeyCredentialRequestOptions
+{
+    fn from(val: webauthn_rs_proto::auth::PublicKeyCredentialRequestOptions) -> Self {
+        Self {
+            allow_credentials: val
+                .allow_credentials
+                .into_iter()
+                .map(Into::into)
+                .collect::<Vec<_>>(),
+            challenge: URL_SAFE.encode(val.challenge),
+            extensions: val.extensions.map(Into::into),
+            hints: val
+                .hints
+                .map(|hints| hints.into_iter().map(Into::into).collect::<Vec<_>>()),
+            rp_id: val.rp_id,
+            timeout: val.timeout,
+            user_verification: val.user_verification.into(),
+        }
+    }
+}
+
+impl From<webauthn_rs::prelude::RequestChallengeResponse> for PasskeyAuthenticationStartResponse {
+    fn from(val: webauthn_rs::prelude::RequestChallengeResponse) -> Self {
+        Self {
+            public_key: val.public_key.into(),
+            mediation: val.mediation.map(|med| match med {
+                webauthn_rs_proto::auth::Mediation::Conditional => Mediation::Conditional,
+            }),
+        }
+    }
+}