Why does Spring Security WebAuthn authentication save `anonymousUser` in PublicKeyCredentialUserEntityRepository? - Stack Overflow

admin, 2025-05-02

Question

Why does WebAuthn authentication persist authenticated users and anonymousUser in PublicKeyCredentialUserEntityRepository.java / MapPublicKeyCredentialUserEntityRepository.java?

Design intent is unclear. Also, because I use a single JPA entity for traditional and WebAuthn login, persisting anonymousUser causes problems in my application.

Official docs and debugging don't help me understand how to design for anonymousUser persistence, or how to work around it.

Comparison to Yubico's Java WebAuthn Server demo

Unauthenticated / anonymous users are never persisted. Authentication works by looking up the credential first, and using the credential to look up the user second.

Also, credential registration works for authenticated or unauthenticated users. During credential registration, if the user doesn't exist, the user is created, as mentioned in the Registration section of the WebAuthn L1 (2019) and WebAuthn L2 (2021) specs.

Quote

Or the user may be in the process of creating a new account.

Minimum Reproducible Example

N.B. MyPublicKeyCredentialUserEntityRepository.java wraps MapPublicKeyCredentialUserEntityRepository.java for logging.

Steps:

  1. Run WebauthnMain.java.
  2. Go to https://localhost:8443/login.
  3. Authenticate with the username/password configured in application.properties (i.e. u/p).
  4. Successful login should redirect to https://localhost:8443/home.html. If not, go there manually.
  5. Click Register to go to the https://localhost:8443/webauthn/register page.
  6. Enter aaa and click the register button.
  7. Check the logs:

     findByUsername failed, id: u
     save, id: Bytes[nF5bm4qc-cztclmzyi-vbvz7ruzS7VOULT8aS9C0kWw], name: u, displayName: u
     findByUsername succeeded, id: u, name: Bytes[nF5bm4qc-cztclmzyi-vbvz7ruzS7VOULT8aS9C0kWw], displayName: u

  8. Use the browser back button to return to https://localhost:8443/home.html.
  9. Click Logout to go to the https://localhost:8443/logout page.
  10. Click the Logout button and confirm you really want to log out.
  11. Successful logout should redirect to https://localhost:8443/login. If not, go there manually.
  12. Click the WebAuthn authentication button.
  13. Pick the WebAuthn credential you registered earlier.
  14. Successful login should redirect to https://localhost:8443/home.html.
  15. Check the logs:

     findByUsername failed, id: anonymousUser
     save, id: Bytes[fL8lr_HE0Yfe5DgPYAXOJfcj4OQdWRT8GhNwjHYvnQA], name: anonymousUser, displayName: anonymousUser
     findById succeeded, id: Bytes[nF5bm4qc-cztclmzyi-vbvz7ruzS7VOULT8aS9C0kWw], name: u, displayName: u

Summary

From the official docs and debugging the code, it is unclear what the design intent is of storing anonymousUsers in PublicKeyCredentialUserEntityRepository.java / MapPublicKeyCredentialUserEntityRepository.java.

I am not sure if I am on the right track with my services, particularly my choice of reusing the same JPA entity for users.

I am also not sure if MyWebauthnUserService needs to detect and handle all of the anonymousUsers separately from all of the authenticated users.

  • Maybe I am supposed to store authenticated users versus anonymousUsers in separate JPA entities?
  • Maybe I am supposed to store anonymousUsers in Redis myself?

Lastly, it is unclear why the default MapPublicKeyCredentialUserEntityRepository.java puts authenticated users and anonymousUsers into the same two HashMaps.

public class MapPublicKeyCredentialUserEntityRepository implements PublicKeyCredentialUserEntityRepository {
    private final Map<String, PublicKeyCredentialUserEntity> usernameToUserEntity = new HashMap<>();
    private final Map<Bytes, PublicKeyCredentialUserEntity> idToUserEntity = new HashMap<>();

    // ... findById, findByUsername, save and delete omitted from this excerpt
}
And, if there are two overlapping anonymousUser authentication attempts, it seems like the two HashMaps mentioned above will get out of sync. I think idToUserEntity would have 2 entries, but usernameToUserEntity would only have 1 entry, because anonymousUser #2 would clobber anonymousUser #1?
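To make the clobbering concern at the end of the question concrete, here is an added Java example (not from the question and not Spring Security's code). It models the two-map layout with a hypothetical stand-in record in place of Spring's PublicKeyCredentialUserEntity and Bytes, saves two entities that both carry the name anonymousUser, and contrasts a naive two-put save() with one that evicts the orphaned id entry so the maps stay consistent.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Hypothetical stand-in for Spring's PublicKeyCredentialUserEntity; ids are plain strings here.
record UserEntity(String id, String name, String displayName) {}

public class TwoMapRepositoryDemo {
    // Naive two-map store modelled on the excerpt above: save() is two unconditional puts.
    static final class NaiveRepo {
        final Map<String, UserEntity> byName = new HashMap<>();
        final Map<String, UserEntity> byId = new HashMap<>();
        void save(UserEntity u) { byName.put(u.name(), u); byId.put(u.id(), u); }
    }

    // Same two maps, but save() removes the id entry of whatever previously held this
    // username, so a reused name cannot leave an orphan behind; synchronized so two
    // overlapping saves cannot interleave their puts.
    static final class ConsistentRepo {
        final Map<String, UserEntity> byName = new HashMap<>();
        final Map<String, UserEntity> byId = new HashMap<>();
        synchronized void save(UserEntity u) {
            UserEntity previous = byName.put(u.name(), u);
            if (previous != null && !previous.id().equals(u.id())) {
                byId.remove(previous.id()); // drop the clobbered entity's id
            }
            byId.put(u.id(), u);
        }
    }

    // Constructed sample: each anonymous passkey login gets a fresh random id but the same name.
    static UserEntity anonymous() {
        return new UserEntity(UUID.randomUUID().toString(), "anonymousUser", "anonymousUser");
    }

    public static void main(String[] args) {
        NaiveRepo naive = new NaiveRepo();
        naive.save(anonymous());
        naive.save(anonymous());
        // The name map holds only the second entity; the id map still holds both.
        System.out.printf("naive: %d by name, %d by id%n", naive.byName.size(), naive.byId.size());

        ConsistentRepo fixed = new ConsistentRepo();
        fixed.save(anonymous());
        fixed.save(anonymous());
        // Both maps now hold exactly one entry, the most recent anonymous entity.
        System.out.printf("consistent: %d by name, %d by id%n", fixed.byName.size(), fixed.byId.size());
    }
}
```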
