spring spring-boot spring-security webauthn passkey

How to use Spring Security WebAuthn to implement Passkey?

I need to implement the registration of and authentication with passkeys in my App. I looked at WebAuthn4J and saw in their docs that they recommend to use Spring Security to make it easier. The setup in the Spring Security Docs about Passkey seams straight forward. Add the Spring Security dependencies, add the webauthn(...) part to the SecurityFilterChain and it should work. But that doesn't seam to work for me. I am somewhat familiar with the concepts in the WebAuthn context and I am confused about how to use the Spring Security Version of it.

The Spring Security docs say that after adding the webAuthn part to the filterChain, it would be enough to start the app and send a post request to /webauthn/register/options endpoint to get the challenge. If i try that, the server just returns 400 with and empty body.

My main question is: Do I miss something that needs to be added?

My Setup looks as follows:

build.gradle (Excerpt)

dependencies {
  implementation 'org.springframework.boot:spring-boot-starter-web'
  implementation "org.springframework.boot:spring-boot-starter-security"
  implementation "org.springframework.security:spring-security-config"
  implementation "org.springframework.security:spring-security-web"
  implementation "com.webauthn4j:webauthn4j-core:0.28.3.RELEASE"
}

WebSecurityConfig.java

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class WebSecurityConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
                .csrf(AbstractHttpConfigurer::disable)
                .authorizeHttpRequests((authorize) -> authorize.anyRequest().permitAll())
                .webAuthn((webAuthn) -> webAuthn
                        .rpName("SAVIN")
                        .rpId("http://localhost")
                        .allowedOrigins("http://localhost")
                );

        return http.build();
    }
}

Solution

Minimal required dependencies

    implementation("org.springframework.boot:spring-boot-starter-security")
    implementation("org.springframework.boot:spring-boot-starter-web")
    implementation("com.webauthn4j:webauthn4j-core:0.28.4.RELEASE")

SecurityConfig

@Configuration
public class SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
                .formLogin(withDefaults())
                // http://localhost:8080/webauthn/register
                .webAuthn((webAuthn) -> webAuthn
                        .rpName("Spring Security Relying Party")
                        .rpId("localhost")
                        .allowedOrigins("http://localhost:8080")
                );
        return http.build();
    }

    @Bean
    UserDetailsService userDetailsService() {
        UserDetails userDetails = User.withDefaultPasswordEncoder()
                .username("user")
                .password("password")
                .roles("USER")
                .build();

        return new InMemoryUserDetailsManager(userDetails);
    }
}

Start the app
In Chrome, navigate to http://localhost:8080/login
In Chrome developer, select More tools | WebAuthn

Still on http://localhost:8080/login, sign in with username/password: user/password
Navigate to http://localhost:8080/webauthn/register
Add a passkey label, e.g. "Testing WebAuthn" and select "Register"
In the QR-code modal, select "Save another way" and then select "This device"

Verification

Navigate to http://localhost:8080/logout and confirm logout
Navigate to http://localhost:8080/login and select "Sign in with a passkey". Select the saved passkey, and you're logged in.