Go to file
2022-11-23 09:36:35 +01:00
src separate session var names between frontend and backend 2022-11-23 09:36:35 +01:00
.gitignore add first integration test 2022-11-08 01:12:11 +01:00
composer.json make installable in OXID 6.3 (CE 6.8) 2022-11-12 23:17:54 +01:00
LICENSE.md add translations and documentations 2022-10-25 09:20:35 +02:00
README.en.md change license notes 2022-11-04 23:02:30 +01:00
README.md change license notes 2022-11-04 23:02:30 +01:00

deutsche Version english version

D³ WebAuthn / FIDO2 Login for OXID eShop

With this module, the login in the OXID shop can be carried out with a hardware token instead of a password.

This secures the login in the frontend and (if allowed for the user) also in the backend.

Security keys are devices that contain cryptographic keys. These can be used for two-factor authentication. The security key must support the standard "WebAuthn".

The key management is done in the admin area and in the user's "My Account".

Table of content

Installation

This package requires an Composer installed OXID eShop as defined in composer.json.

Open a command line interface and navigate to the shop root directory (parent of source and vendor). Execute the following command. Adapt the paths to your environment.

php composer require d3/oxwebauthn:^1.0

If a reference to an unsuitable package symfony/process is shown, this must be changed. To do this, please add the switch -W to the above command (... require -W ...).

Activate the module in the admin area of the shop in "Extensions -> Modules".

Usage

The shop account is opened (as usual) with user name and password. Afterwards, FIDO2 keys can be added as an additional authentication option. From this moment on, logging into the shop (frontend and backend) can be done either with FIDO2 or with password. Both work independently of each other.

Logging in with password does not differ from the shop standard and remains as a fallback option.

To use the registered FIDO2 keys, simply leave the password field blank when logging in. As soon as at least one character is entered in the password field, a login with password is assumed. If the password field is left blank, the system checks for the existence of a key registration and, if successful, requests the corresponding device. If there is no registration, a login with password is also assumed.

The keys can be easily managed in the My Account area of the frontend and also in the customer account in the backend. The administration includes the registration of new keys (multiple keys per account are possible and recommended). A free text name can be assigned to each key. Furthermore, all registered keys are displayed with their names. Registered keys can also be deleted there.

Any FIDO2-certified hardware can be used for registration. This can be USB tokens (e.g. Solokey or YubiKey), NFC or Bluetooth transmitters, smartphones (Android from version 7, iOS from version 14) or smartcards.

Since a password is no longer required with a FIDO2-based login, the password can also be more complex than passwords suitable for everyday use.

Changelog

See CHANGELOG for further informations.

Contributing

If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue. Don't forget to give the project a star! Thanks again!

  • Fork the Project
  • Create your Feature Branch (git checkout -b feature/AmazingFeature)
  • Commit your Changes (git commit -m 'Add some AmazingFeature')
  • Push to the Branch (git push origin feature/AmazingFeature)
  • Open a Pull Request

Licence

(status: 2022-10-25)

Distributed under the GPLv3 license.

Copyright (c) D3 Data Development (Inh. Thomas Dartsch)

This software is distributed under the GNU GENERAL PUBLIC LICENSE version 3.

For full copyright and licensing information, please see the LICENSE file distributed with this source code.

Further licences and terms of use

ArrayBuffer to Base64 converting JavaScript [MIT]

(https://gist.github.com/jonleighton/958841 - status: 2022-11-04)

MIT LICENSE
Copyright 2011 Jon Leighton
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.