WebAuthn + Redis doesn't work; Redis defaults to JdkSerializationRedisSerializer, WebAuthn classes lack Serializable interface, WebAuthn mixins missing for GenericJackson2JsonRedisSerializer

[justincranford]

Describe the bug
WebAuthn persistence only works using in-memory SessionRepository?

1. PublicKeyCredentialCreationOptions
2. PublicKeyCredentialRequestOptions

Persistence doesn't seem to work out-of-the-box (OOTB) if using WebAuthn + Redis.

1. Redis defaultSerializer seems to be JdkSerializationRedisSerializer.
2. WebAuthn data classes in https://github.com/spring-projects/spring-security/tree/fd267dfb71bfc8e1ab5bcc8270c12fbaad46fddf/web/src/main/java/org/springframework/security/web/webauthn/api don't seem to implement the Serializable interface required for JdkSerializationRedisSerializer to work.

To Reproduce
I created a GitHub repo https://github.com/justincranford/spring-security-webauthn-redis to:

1. Reproduce and demonstrate the initial RedisSessionRepository JdkSerializationRedisSerializer issue
2. Reproduce and demonstrate all of the issues I encountered switching Redis to GenericJackson2JsonRedisSerializer, and the incremental workarounds I had to apply to make the WebAuthn service data classes serialize/deserialize OK
3. Demonstrate what I tried to get a custom RedisHttpSessionConfiguration redisHttpSessionConfiguration bean to work, so I can override the default UUIDSessionGenerator. I could not figure out a workaround.

Expected behavior

1. WebAuthn service data classes should work with JdkSerializationRedisSerializer out-of-the-box.
2. WebAuthn service data classes should work with GenericJackson2JsonRedisSerializer out-of-the-box too, or with minimal boilerplate.
3. Document example how to configure WebAuthn + Redis to use JdkSerializationRedisSerializer.
4. Document example how to configure WebAuthn + Redis to use GenericJackson2JsonRedisSerializer.
5. Document example how to configure Redis to override RedisHttpSessionConfiguration.java#. I found a one-line mention in EnableRedisHttpSession.java. However, I think EnableRedisHttpSession and overriding care mutually exclusive, so it would be nice to see an example of overriding RedisHttpSessionConfiguration outside of EnableRedisHttpSession (i.e. in docs).

Sample
See GitHub repo README for a numbered list of the issues for Redis+WebAuthn JdkSerializationRedisSerializer, Redis+WebAuthn GenericJackson2JsonRedisSerializer, and RedisHttpSessionConfiguration override issue.
https://github.com/justincranford/spring-security-webauthn-redis

Timeline

1. I posted my original question on Stack Exchange on Dec 15, 2024.

• https://stackoverflow.com/questions/79281677/how-to-use-spring-security-6-4-0-passkeys-with-redishttpsessionrepository/79299083

2. I partially answered the question myself in a follow up on Dec 21, 2024.

• https://stackoverflow.com/a/79299083/747004

3. I posted links to my GitHub repo and this Spring Security Issue WebAuthn + Redis doesn't work; Redis defaults to JdkSerializationRedisSerializer, WebAuthn classes lack Serializable interface, WebAuthn mixins missing for GenericJackson2JsonRedisSerializer #16328 on Dec 23, 2024.

4. I added two TL;DR comments, and appended this timeline, to the original description of this Spring Security Issue WebAuthn + Redis doesn't work; Redis defaults to JdkSerializationRedisSerializer, WebAuthn classes lack Serializable interface, WebAuthn mixins missing for GenericJackson2JsonRedisSerializer #16328 on Dec 26, 2024.

[justincranford]

TL;DR Here are the interesting bits for creating an ObjectMapper that allowed me to serialize/deserialize WebAuthn PublicKeyCredentialCreationOptions and PublicKeyCredentialRequestOptionsin in Redis using GenericJackson2JsonRedisSerializer (JSON) instead of the non-working, Redis default JdkSerializationRedisSerializer...

@NoArgsConstructor(access=AccessLevel.PRIVATE)
@Slf4j
public final class ObjectMapperFactory {
	private static final ClassLoader CLASS_LOADER = ObjectMapperFactory.class.getClassLoader();

	public static ObjectMapper objectMapper(
		final boolean addDefaultSecurityJacksonModules,
		final boolean addMissingWebauthnJacksonModule,
		final boolean addMissingWebauthnJacksonMixins,
		final boolean overrideDefaultTypingFromDefaultJacksonSecurityModules,
		final boolean ignoreTrailingTokensDuringJacksonDeserialize
	) {
		final ObjectMapper objectMapper = new ObjectMapper()
			.registerModule(new JavaTimeModule())
			.registerModule(new Jdk8Module())
			.setSerializationInclusion(JsonInclude.Include.NON_EMPTY)
			.enable(JsonParser.Feature.INCLUDE_SOURCE_IN_LOCATION)
			.configure(SerializationFeature.INDENT_OUTPUT, true)
			.configure(SerializationFeature.WRITE_DATES_AS_TIMESTAMPS, false)
			.configure(SerializationFeature.WRITE_DURATIONS_AS_TIMESTAMPS, false)
			.configure(SerializationFeature.ORDER_MAP_ENTRIES_BY_KEYS, true)
			.configure(DeserializationFeature.FAIL_ON_NULL_FOR_PRIMITIVES, true)
			.configure(DeserializationFeature.FAIL_ON_NUMBERS_FOR_ENUMS, true)
			.configure(DeserializationFeature.FAIL_ON_READING_DUP_TREE_KEY, true)
			.configure(DeserializationFeature.FAIL_ON_IGNORED_PROPERTIES, true)
			.configure(DeserializationFeature.FAIL_ON_MISSING_CREATOR_PROPERTIES, false)
			.configure(DeserializationFeature.FAIL_ON_TRAILING_TOKENS, true)
			.configure(DeserializationFeature.FAIL_ON_UNEXPECTED_VIEW_PROPERTIES, true)
			.configure(DeserializationFeature.ACCEPT_FLOAT_AS_INT, false)
			;

		if (addDefaultSecurityJacksonModules) {
			objectMapper.registerModules(SecurityJackson2Modules.getModules(CLASS_LOADER));
		}

		if (addMissingWebauthnJacksonModule) {
			objectMapper.registerModule(new WebauthnJackson2Module());
		}

		if (addMissingWebauthnJacksonMixins) {
//			objectMapper.addMixIn(Bytes.class, WebauthnBytesMixIn.class);

			objectMapper.addMixIn(PublicKeyCredentialCreationOptions.class, PublicKeyCredentialCreationOptionsMixIn.class);
			objectMapper.addMixIn(ImmutablePublicKeyCredentialUserEntity.class, PublicKeyCredentialUserEntityMixIn.class);
			objectMapper.addMixIn(PublicKeyCredentialUserEntity.class, PublicKeyCredentialUserEntityMixIn.class);
			objectMapper.addMixIn(PublicKeyCredentialRpEntity.class, PublicKeyCredentialRpEntityMixIn.class);
			objectMapper.addMixIn(PublicKeyCredentialParameters.class, PublicKeyCredentialParametersMixIn.class);
//			objectMapper.addMixIn(PublicKeyCredentialType.class, PublicKeyCredentialTypeMixIn.class);
//			objectMapper.addMixIn(COSEAlgorithmIdentifier.class, COSEAlgorithmIdentifierMixIn.class);
			objectMapper.addMixIn(AuthenticatorSelectionCriteria.class, AuthenticatorSelectionCriteriaMixIn.class);
//			objectMapper.addMixIn(AttestationConveyancePreference.class, AttestationConveyancePreferenceMixIn.class);
//			objectMapper.addMixIn(AuthenticatorAttachment.class, AuthenticatorAttachmentMixIn.class);
//			objectMapper.addMixIn(ResidentKeyRequirement.class, ResidentKeyRequirementMixIn.class);
//			objectMapper.addMixIn(UserVerificationRequirement.class, UserVerificationRequirementMixIn.class);

			objectMapper.addMixIn(PublicKeyCredentialRequestOptions.class, PublicKeyCredentialRequestOptionsMixIn.class);
			objectMapper.addMixIn(ImmutableAuthenticationExtensionsClientInputs.class, AuthenticationExtensionsClientInputsMixIn.class);
			objectMapper.addMixIn(AuthenticationExtensionsClientInputs.class, AuthenticationExtensionsClientInputsMixIn.class);
			objectMapper.addMixIn(AuthenticationExtensionsClientInput.class, AuthenticationExtensionsClientInputMixIn.class);
			objectMapper.addMixIn(PublicKeyCredentialDescriptor.class, PublicKeyCredentialDescriptorMixIn.class);
//			objectMapper.addMixIn(AuthenticatorTransport.class, AuthenticatorTransportMixIn.class);
			objectMapper.addMixIn(CredProtectAuthenticationExtensionsClientInput.class, CredProtectAuthenticationExtensionsClientInputMixIn.class);
			objectMapper.addMixIn(CredProtect.class, CredProtectMixIn.class);
		}

		if (overrideDefaultTypingFromDefaultJacksonSecurityModules) {
			objectMapper.activateDefaultTyping(
				LaissezFaireSubTypeValidator.instance,
				ObjectMapper.DefaultTyping.NON_FINAL,
				JsonTypeInfo.As.PROPERTY
			);
		}

		if (ignoreTrailingTokensDuringJacksonDeserialize) {
			// Relax deserialization to handle this cryptic Collections$UnmodifiableRandomAccessList nested serialization:
			//    "authorities" : [ "java.util.Collections$UnmodifiableRandomAccessList", [ {
			//      "@class" : "org.springframework.security.core.authority.SimpleGrantedAuthority",
			//      "authority" : "ROLE_ADM"
			//    } ] ],
			objectMapper.configure(DeserializationFeature.FAIL_ON_TRAILING_TOKENS, false);
		}

		return objectMapper;
	}
}

[justincranford]

TL;DR Here are the interesting bits for my @Configuration instances, which I constructed by injecting different ObjectMapper instances created with the above helper method.

The below config allowed me to initialize Redis to use GenericJackson2JsonRedisSerializer (JSON) instead of the non-working, default JdkSerializationRedisSerializer.

My @Configuration below is not perfect. I could use feedback on how to clean it up, because my RedisHttpSessionConfiguration redisHttpSessionConfiguration bean to set config.setSessionIdGenerator(new MySessionIdGenerator()); is not getting applied. I noted it as the last issue in the README of my demo GitHub repo.

	// Inject different ObjectMapper instances to be used by RedisSerializer<Object>, for setHashValueSerializer and setValueSerializer
	@RequiredArgsConstructor
	public static abstract class MyAbstractRedisClientConfig {
		private final ObjectMapper objectMapper;

		@Bean
		public RedisSerializer<Object> springSessionDefaultRedisSerializer() {
			return GenericJackson2JsonRedisSerializer.builder().objectMapper(this.objectMapper).build();
		}

		@Bean
		public LettuceConnectionFactory redisConnectionFactory() {
			return new LettuceConnectionFactory(REDIS_SERVER_ADDRESS, REDIS_SERVER_PORT);
		}

		@Bean
		public RedisTemplate<String, Object> sessionRedisTemplate(
			final RedisSerializer<Object> springSessionDefaultRedisSerializer,
			final LettuceConnectionFactory redisConnectionFactory
		) {
			final StringRedisSerializer stringRedisSerializer = new StringRedisSerializer();
			final RedisTemplate<String, Object> redisTemplate = new RedisTemplate<>();
			redisTemplate.setConnectionFactory(redisConnectionFactory);
			redisTemplate.setHashKeySerializer(stringRedisSerializer);
			redisTemplate.setKeySerializer(stringRedisSerializer);
			redisTemplate.setHashValueSerializer(springSessionDefaultRedisSerializer);
			redisTemplate.setValueSerializer(springSessionDefaultRedisSerializer);
			redisTemplate.setDefaultSerializer(springSessionDefaultRedisSerializer);
			log.info("redisTemplate: {}", redisTemplate);
			return redisTemplate;
		}

		@Bean
		public RedisSessionRepository redisSessionRepository(final RedisTemplate<String, Object> sessionRedisTemplate) {
			return new RedisSessionRepository(sessionRedisTemplate);
		}

		@Bean
		public RedisHttpSessionConfiguration redisHttpSessionConfiguration(
			final RedisSerializer<Object> springSessionDefaultRedisSerializer,
			final RedisConnectionFactory redisConnectionFactory,
			@SpringSessionRedisConnectionFactory final ObjectProvider<RedisConnectionFactory> springSessionRedisConnectionFactory
		) {
			final RedisHttpSessionConfiguration config = new RedisHttpSessionConfiguration();
			config.setSessionIdGenerator(new MySessionIdGenerator());
			config.setMaxInactiveInterval(Duration.ofSeconds(7));
			config.setRedisNamespace("test");
			config.setDefaultRedisSerializer(springSessionDefaultRedisSerializer);
			final ObjectProvider<RedisConnectionFactory> objectProvider = new ObjectProvider<>() {
				@Override
				public RedisConnectionFactory getObject() throws BeansException {
					return redisConnectionFactory;
				}
			};
			config.setRedisConnectionFactory(objectProvider, objectProvider);
			return config;
		}
	}

[rwinch]

@justincranford Thanks for the ticket. This support all makes sense. I've added for sub-issues that I think will take care of what you are looking for. If you'd like to contribute a PR please mention it on the sub issue.

[rodrigorodrigues]

Hi @justincranford ,

I've tried to implement passkey with redis but the passkeys registered are gone once the session timeout is applied, have you faced similar issue?

[justincranford]

Hi @rodrigorodrigues,

Sorry, I didn't have that issue. Just a guess, but only challenges go in Redis. Don't put passkeys in Redis.

Double check if you are using different storage for 1+2 vs 3+4.

1. Registration challenges => temp storage via HTTP Session (e.g. memory, Redis); filter calls HTTP Session here
2. Authentication challenges => temp storage via HTTP Session (e.g. memory, Redis); filter calls HTTP Session here
3. Registered users => perm storage via service bean (e.g. PostgreSQL); default is HashMaps here
4. Registered credentials => perm storage via service bean (e.g. PostgreSQL); default is HashMaps here

My demo repo https://github.com/justincranford/spring-security-webauthn-redis was a minimum viable example for Redis ser/des issues. Repos 1+2 are changed to Redis, but repos 3+4 are not changed.

If this is your issue, add @Service beans to override the default beans for repos 3+4. Example:

@Service
public class MyRepositoryFacade implements UserCredentialRepository {
    @Autowired
    private MyJpaRepository myJpaRepository;

You need JPA entities (and repos) for the registered passkeys and users. Map between your JPA entities and the Spring Security WebAuthn classes in your two service beans. Examples:

• MyJpaCredential <=> org.springframework.security.web.webauthn.api.CredentialRecord
• MyJpaUser <=> org.springframework.security.web.webauthn.api.PublicKeyCredentialUserEntity

[rodrigorodrigues]

Hi @justincranford ,

Thanks very much for your explanation, I did what you said and added DB support instead of redis, created an article for that and mentioned your comment https://www.linkedin.com/pulse/passwordless-authentication-spring-security-passkeys-rodrigues-y1oye/?trackingId=wNImL90rQua2FrzXxRsiqQ%3D%3D