webauthn-kotlin-multiplatform

Standards-first WebAuthn and passkey building blocks: typed protocol models, strict validation, backend ceremony services, client orchestration, and modular transport, storage, crypto and attestation adapters.

#serializer
#maven
#ktor-server
#ktor-client
#kotlin-serialization
#dependency-management
#cryptography
#client
#authentication
#api

Suggest an edit

Android JVMJVMKotlin/Native

GitHub stars0

Authorsszijpeter

Open issues3

LicenseApache License 2.0

Creation dateabout 1 month ago

Last activity1 day ago

Latest release0.1.0 (7 days ago)

GitHub repository

WebAuthn Kotlin Multiplatform

Standards-first Kotlin Multiplatform building blocks for WebAuthn and passkey integrations.

This project helps teams implement passwordless login without rebuilding the hardest parts from scratch. It gives you typed protocol models, strict validation, backend ceremony services, platform passkey clients, and optional transport/adaptation modules that stay close to the WebAuthn specification.

Why This Project Exists

WebAuthn is security-sensitive and protocol-heavy.
Passkey products often need to share logic across backend, Android, and iOS.
Kotlin teams usually want typed APIs, predictable validation, and flexible integration points instead of one monolithic SDK.

This repo focuses on those needs:

Standards first: behavior is driven by WebAuthn L3 and related RFCs.
Kotlin-first: KMP modules share the right logic instead of pushing everything into platform wrappers.
Flexible integration: use only the modules you need, from pure model/validation all the way to Ktor routes and client transport helpers.
Heavy lifting included: challenge/origin validation, authenticator-data parsing, signature verification boundaries, attestation policy hooks, and platform bridge logic are already here.

What You Can Build With It

A JVM/Ktor WebAuthn backend using typed ceremony services.
Android and iOS passkey clients with shared Kotlin orchestration.
A client/server setup that shares model and validation semantics instead of duplicating protocol assumptions.
A modular stack where server, client, transport, storage, and attestation trust can be adopted separately.

WebAuthn in One Minute

A typical WebAuthn flow has two ceremony pairs:

Registration
Authentication

Each pair has a server start step and a client finish step.

The server creates challenge-bearing options.
The platform authenticator creates or uses a credential.
The client returns a typed response.
The server validates origin, challenge, authenticator data, signatures, counters, and policy before accepting the result.

This repo maps cleanly onto that split:

webauthn-model, webauthn-serialization-kotlinx, webauthn-core, webauthn-crypto-api: shared protocol and validation building blocks.
webauthn-server-*: JVM backend services, crypto, Ktor routing, and storage adapters.
webauthn-client-*: shared client orchestration plus Android/iOS platform bridges.
webauthn-network-ktor-client: default client transport for /webauthn/* style backend contracts.
platform:bom: aligned dependency coordinates for the published public surface.

Install

The coordinated release train uses one version for the full published surface plus a BOM.

repositories {
    google()
    mavenCentral()
}

dependencies {
    implementation(platform("io.github.szijpeter:webauthn-bom:<version>"))

    implementation("io.github.szijpeter:webauthn-server-core-jvm")
    implementation("io.github.szijpeter:webauthn-server-jvm-crypto")
    implementation("io.github.szijpeter:webauthn-client-core")
    implementation("io.github.szijpeter:webauthn-client-android")
}

Published to Maven Central (first public release: 0.1.0). Maintainers can still validate publication locally with:

./gradlew publishToMavenLocal --stacktrace

Quick Start Paths

Server-first

Use:

webauthn-model
webauthn-core
webauthn-crypto-api
webauthn-server-jvm-crypto
webauthn-server-core-jvm
webauthn-server-ktor if you want route adapters
webauthn-server-store-exposed if you want an Exposed-backed store implementation

Client-first

Use:

webauthn-client-core
webauthn-client-json-core if you exchange raw JSON with a host/backend
webauthn-client-android
webauthn-client-ios
webauthn-client-compose for Compose helpers
webauthn-client-prf-crypto for PRF-based key derivation and encryption helpers
webauthn-network-ktor-client for the default backend contract

End-to-end reference app

Start with:

Public Modules

Module	Who it is for
`platform:bom`	Consumers who want aligned versions across published artifacts
`webauthn-model`	Teams that want typed WebAuthn models and value wrappers
`webauthn-serialization-kotlinx`	Teams mapping JSON/CBOR DTOs to typed models
`webauthn-core`	Teams validating ceremonies and authenticator data
`webauthn-crypto-api`	Teams plugging crypto/attestation implementations into validation and server flows
`webauthn-server-jvm-crypto`	JVM backends that want Signum-first hashing, signature, and attestation verification
`webauthn-server-core-jvm`	JVM backends that need registration/authentication ceremony services
`webauthn-server-ktor`	Ktor backends that want ready-made WebAuthn routes
`webauthn-server-store-exposed`	JVM backends storing WebAuthn state through Exposed
`webauthn-client-core`	Shared passkey orchestration and controller-driven flows
`webauthn-client-json-core`	Apps or SDKs that need raw JSON interoperability on top of typed clients
`webauthn-client-compose`	Compose apps that want remembered client/controller helpers
`webauthn-client-android`	Android apps using Credential Manager
`webauthn-client-ios`	iOS apps using AuthenticationServices
`webauthn-client-prf-crypto`	Client apps deriving crypto sessions from WebAuthn PRF extension outputs
`webauthn-network-ktor-client`	Clients talking to a `/webauthn/*` backend contract over Ktor
`webauthn-attestation-mds`	Backends that want optional FIDO Metadata Service trust anchors

Status and Current Limits

This repository is publicly released and still pre-1.0.

Current state:

Core/server validation paths are production-leaning.
Publish/release infrastructure is now wired for Maven Central and compatibility baselines.
Client flows are usable on Android and iOS with shared orchestration.
iOS external security-key support is still being hardened before it can be documented as fully ready.
kotlinx-serialization remains pinned to 1.9.0 while the current Signum compatibility issue is unresolved.

Security and Release Hygiene

Vulnerability reporting: see SECURITY.md.
Public-launch checklist: docs/PUBLIC_LAUNCH_CHECKLIST.md.
Maven Central maintainer guide: docs/MAVEN_CENTRAL.md.
Dependency automation is handled with Renovate.

Maintainer Workflow

tools/agent/setup-hooks.sh
tools/agent/quality-gate.sh --mode fast --scope changed --block false
tools/agent/quality-gate.sh --mode strict --scope changed --block false
./gradlew apiCheck --stacktrace
./gradlew publishToMavenLocal --stacktrace

Related Docs

License: Apache-2.0. See LICENSE.

Android JVMJVMKotlin/Native

GitHub stars0

Authorsszijpeter

Open issues3

LicenseApache License 2.0

Creation dateabout 1 month ago

Last activity1 day ago

Latest release0.1.0 (7 days ago)

GitHub repository

WebAuthn Kotlin Multiplatform

Standards-first Kotlin Multiplatform building blocks for WebAuthn and passkey integrations.

Why This Project Exists

WebAuthn is security-sensitive and protocol-heavy.
Passkey products often need to share logic across backend, Android, and iOS.
Kotlin teams usually want typed APIs, predictable validation, and flexible integration points instead of one monolithic SDK.

This repo focuses on those needs:

Standards first: behavior is driven by WebAuthn L3 and related RFCs.
Kotlin-first: KMP modules share the right logic instead of pushing everything into platform wrappers.
Flexible integration: use only the modules you need, from pure model/validation all the way to Ktor routes and client transport helpers.
Heavy lifting included: challenge/origin validation, authenticator-data parsing, signature verification boundaries, attestation policy hooks, and platform bridge logic are already here.

What You Can Build With It

A JVM/Ktor WebAuthn backend using typed ceremony services.
Android and iOS passkey clients with shared Kotlin orchestration.
A client/server setup that shares model and validation semantics instead of duplicating protocol assumptions.
A modular stack where server, client, transport, storage, and attestation trust can be adopted separately.

WebAuthn in One Minute

A typical WebAuthn flow has two ceremony pairs:

Registration
Authentication

Each pair has a server start step and a client finish step.

The server creates challenge-bearing options.
The platform authenticator creates or uses a credential.
The client returns a typed response.
The server validates origin, challenge, authenticator data, signatures, counters, and policy before accepting the result.

This repo maps cleanly onto that split:

webauthn-model, webauthn-serialization-kotlinx, webauthn-core, webauthn-crypto-api: shared protocol and validation building blocks.
webauthn-server-*: JVM backend services, crypto, Ktor routing, and storage adapters.
webauthn-client-*: shared client orchestration plus Android/iOS platform bridges.
webauthn-network-ktor-client: default client transport for /webauthn/* style backend contracts.
platform:bom: aligned dependency coordinates for the published public surface.

Install

The coordinated release train uses one version for the full published surface plus a BOM.

repositories {
    google()
    mavenCentral()
}

dependencies {
    implementation(platform("io.github.szijpeter:webauthn-bom:<version>"))

    implementation("io.github.szijpeter:webauthn-server-core-jvm")
    implementation("io.github.szijpeter:webauthn-server-jvm-crypto")
    implementation("io.github.szijpeter:webauthn-client-core")
    implementation("io.github.szijpeter:webauthn-client-android")
}

Published to Maven Central (first public release: 0.1.0). Maintainers can still validate publication locally with:

./gradlew publishToMavenLocal --stacktrace

Quick Start Paths

Server-first

Use:

webauthn-model
webauthn-core
webauthn-crypto-api
webauthn-server-jvm-crypto
webauthn-server-core-jvm
webauthn-server-ktor if you want route adapters
webauthn-server-store-exposed if you want an Exposed-backed store implementation

Client-first

Use:

webauthn-client-core
webauthn-client-json-core if you exchange raw JSON with a host/backend
webauthn-client-android
webauthn-client-ios
webauthn-client-compose for Compose helpers
webauthn-client-prf-crypto for PRF-based key derivation and encryption helpers
webauthn-network-ktor-client for the default backend contract

End-to-end reference app

Start with:

Public Modules

Module	Who it is for
`platform:bom`	Consumers who want aligned versions across published artifacts
`webauthn-model`	Teams that want typed WebAuthn models and value wrappers
`webauthn-serialization-kotlinx`	Teams mapping JSON/CBOR DTOs to typed models
`webauthn-core`	Teams validating ceremonies and authenticator data
`webauthn-crypto-api`	Teams plugging crypto/attestation implementations into validation and server flows
`webauthn-server-jvm-crypto`	JVM backends that want Signum-first hashing, signature, and attestation verification
`webauthn-server-core-jvm`	JVM backends that need registration/authentication ceremony services
`webauthn-server-ktor`	Ktor backends that want ready-made WebAuthn routes
`webauthn-server-store-exposed`	JVM backends storing WebAuthn state through Exposed
`webauthn-client-core`	Shared passkey orchestration and controller-driven flows
`webauthn-client-json-core`	Apps or SDKs that need raw JSON interoperability on top of typed clients
`webauthn-client-compose`	Compose apps that want remembered client/controller helpers
`webauthn-client-android`	Android apps using Credential Manager
`webauthn-client-ios`	iOS apps using AuthenticationServices
`webauthn-client-prf-crypto`	Client apps deriving crypto sessions from WebAuthn PRF extension outputs
`webauthn-network-ktor-client`	Clients talking to a `/webauthn/*` backend contract over Ktor
`webauthn-attestation-mds`	Backends that want optional FIDO Metadata Service trust anchors

Status and Current Limits

This repository is publicly released and still pre-1.0.

Current state:

Core/server validation paths are production-leaning.
Publish/release infrastructure is now wired for Maven Central and compatibility baselines.
Client flows are usable on Android and iOS with shared orchestration.
iOS external security-key support is still being hardened before it can be documented as fully ready.
kotlinx-serialization remains pinned to 1.9.0 while the current Signum compatibility issue is unresolved.

Security and Release Hygiene

Vulnerability reporting: see SECURITY.md.
Public-launch checklist: docs/PUBLIC_LAUNCH_CHECKLIST.md.
Maven Central maintainer guide: docs/MAVEN_CENTRAL.md.
Dependency automation is handled with Renovate.

Maintainer Workflow

tools/agent/setup-hooks.sh
tools/agent/quality-gate.sh --mode fast --scope changed --block false
tools/agent/quality-gate.sh --mode strict --scope changed --block false
./gradlew apiCheck --stacktrace
./gradlew publishToMavenLocal --stacktrace

Related Docs

License: Apache-2.0. See LICENSE.