Add support for the "Login with passkey" option #45

Open
opened 2025-07-08 08:38:17 -04:00 by AtHeartEngineer · 0 comments

Originally created by @zUnixorn on 6/4/2025

Hello,

This PR implements the endpoints needed for passkey login into the Bitwarden webclient.

I marked this as a draft for now, since I'd like to first get some feedback on this PR before I pursue this further, and to find out whether this is even a wanted feature for Vaultwarden.

Working Features

  • Login with passkey without using it for encryption
  • Login with passkey while using it for encryption
  • Adding a new passkey
  • Listing all registered passkeys
  • Deleting a passkey

Testing this Branch

To test this branch, the frontend needs to be built with this line (https://github.com/vaultwarden/vw_web_builds/commit/08498dd2059d10f1eed7dd6082619686f4118bd7) appended, to allow for passkey registration.

Open TODOs

  • Cleanup the code
    • there is a bunch of duplicate code between _login_password() and _login_webauthn()
    • the webauthn stuff could be moved into its own file / module
    • Resolve the TODOs
  • Figure out how to handle the intermediate webauthn state:
    • Saved in the database (I think that's what's already done in the 2FA webauthn), but this probably would only work for registration, not login
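    • Passed around as an encrypted string in the token field (I think this is what Bitwarden does with this C# API: https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/introduction?view=aspnetcore-9.0)
  • Decide what to do about the unimplemented endpoints (https://github.com/bitwarden/server/blob/v2025.5.3/src/Api/Auth/Controllers/WebAuthnController.cs) that are implemented by upstream (they don't seem to be used currently by the webclient)
  • Figure out why the frontend doesn't work in Firefox for passkeys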
Reference: github/vaultwarden#45