From 8375deedd7291d0a75d24e017c0741eabe985087 Mon Sep 17 00:00:00 2001
From: cpisunyer
Date: Wed, 5 Jun 2024 15:36:59 -0700
Subject: [PATCH] feat: Enable webauthn plugin for security keys
Change _urlsafe_b64recode to _unpadded_urlsafe_b64recode for clarity.
---
 google/oauth2/challenges.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/google/oauth2/challenges.py b/google/oauth2/challenges.py
index 428d64810..8d4355168 100644
--- a/google/oauth2/challenges.py
+++ b/google/oauth2/challenges.py
@@ -207,7 +207,10 @@ def _obtain_challenge_input_webauthn(self, metadata, webauthn_handler):
 allow_credentials = []
 for challenge in challenges:
- key_handle = self._urlsafe_b64recode(challenge["keyHandle"])
+ kh = challenge.get("keyHandle")
+ if kh is None:
+ raise exceptions.InvalidValue("keyHandle is None")
+ key_handle = self._unpadded_urlsafe_b64recode(kh)
 allow_credentials.append(PublicKeyCredentialDescriptor(id=key_handle))
 extension = AuthenticationExtensionsClientInputs(appid=application_id)
@@ -219,7 +222,7 @@ def _obtain_challenge_input_webauthn(self, metadata, webauthn_handler):
 get_request = GetRequest(
 origin=REAUTH_ORIGIN,
 rpid=relying_party_id,
- challenge=self._urlsafe_b64recode(challenge),
+ challenge=self._unpadded_urlsafe_b64recode(challenge),
 timeout_ms=WEBAUTHN_TIMEOUT_MS,
 allow_credentials=allow_credentials,
 user_verification="required",
@@ -242,7 +245,7 @@ def _obtain_challenge_input_webauthn(self, metadata, webauthn_handler):
 }
 return {"securityKey": response}
- def _urlsafe_b64recode(self, s):
+ def _unpadded_urlsafe_b64recode(self, s):
 """Converts standard b64 encoded string to url safe b64 encoded string with no padding."""
 b = base64.urlsafe_b64decode(s)
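Review bot: The new guard in the `for challenge in challenges:` loop rejects only a missing or null `keyHandle`; an empty string, a non-string value, or text that is not valid base64 still reaches `base64.urlsafe_b64decode` inside `_unpadded_urlsafe_b64recode`. There it either produces an empty credential id or raises `binascii.Error`/`TypeError`, so a caller that handles `exceptions.InvalidValue` will not see malformed challenge metadata as such. I would tighten the check to `if not isinstance(kh, str) or not kh: raise exceptions.InvalidValue("keyHandle is missing or empty")` and wrap the recode call in an `except ValueError` (which covers `binascii.Error`) that re-raises as `InvalidValue`. The `challenge` value recoded in the `GetRequest(...)` hunk deserves the same treatment, as its validation is not visible in these hunks. `_obtain_challenge_input_webauthn` starts and ends outside the hunks shown.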