This is a 🐳 customization of the quiq/webauthn_proxy Docker image.
GitHub repo of the upstream WebAuthn Proxy project: Quiq/webauthn_proxy
📦 This image is also on Docker Hub as dmotte/webauthn-proxy and runs on several architectures (e.g. amd64, arm64, ...). To see the full list of supported platforms, please refer to the .github/workflows/main.yml file. If you need an architecture that is currently unsupported, feel free to open an issue.
In this repo we also provide an example of how to protect services with WebAuthn using this image and Traefik, and expose the resulting stack through an SSH reverse port forwarding tunnel using dmotte/docker-portmap-client. See the docker-compose.yml file.
Note that this is meant to be run behind an HTTPS → HTTP reverse proxy.
In addition, the docker-compose.yml file also defines an example SFTPGo container named webauthn-admin, which you can use to edit the WebAuthn user credentials file (users.yml) via SFTP.
First of all, you need to set up everything for the portmap-client docker-compose service. Basically, you need to create the missing files in the volumes/portmap-client directory (see instructions in the official repo) and adjust the command field of the portmap-client service in the docker-compose.yml file with the right values.
Then you need to replace example.com with the right target domain name inside volumes/webauthn-proxy-config/config.yml.
Create the volumes/webauthn-proxy-config/cooks.yml file starting from volumes/webauthn-proxy-config/cooks.sample.yml. It's important to generate and set a cookie session secret there, to avoid the following error after a WebAuthn Proxy restart:
Error getting session from session store during user auth handler: securecookie: the value is not valid
You can use the following command to generate a cookie session secret:
docker run --rm --log-driver=none docker.io/quiq/webauthn_proxy:0.1 -generate-secret
Create the volumes/webauthn-proxy-config/users.yml file starting from volumes/webauthn-proxy-config/users.sample.yml. You can leave the user_credentials dictionary empty ({}) for now, and you'll populate it later, once someone registers in your WebAuthn Proxy instance.
Note: the WebAuthn Proxy service will restart automatically whenever the users.yml file is changed.
Finally, you may want to further customize the configuration files, so make sure to take one last look and check that everything is OK. When you are ready:
docker-compose up -d
Then you can visit the public URL of your exposed service and check that everything is working fine.
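A pre-flight check for the configuration steps above, meant to be run before docker-compose up -d. This is an added example, not part of this repo or of the upstream project: the function name preflight is hypothetical, and it assumes that user_credentials appears as a key in users.yml and that a cooks.yml identical to cooks.sample.yml means no secret was set.

```shell
#!/bin/sh
# Added example: pre-flight check for volumes/webauthn-proxy-config.
# Assumption: an unmodified copy of cooks.sample.yml means no secret was set.
# Usage: preflight volumes/webauthn-proxy-config
preflight() {
    dir=$1
    rc=0
    fail() { echo "FAIL: $*" >&2; rc=1; }

    for f in config.yml cooks.yml users.yml; do
        if [ ! -f "$dir/$f" ]; then
            fail "$f is missing"
        elif [ -n "$(find "$dir/$f" -perm -002)" ]; then
            # Anyone able to write users.yml can add a credential for themselves.
            fail "$f is world-writable"
        fi
    done

    # config.yml must point at the real domain, not the placeholder.
    if [ -f "$dir/config.yml" ] && grep -q 'example\.com' "$dir/config.yml"; then
        fail "config.yml still contains example.com"
    fi

    # cooks.yml must differ from the sample it was copied from.
    if [ -f "$dir/cooks.yml" ] && [ -f "$dir/cooks.sample.yml" ] &&
        cmp -s "$dir/cooks.yml" "$dir/cooks.sample.yml"; then
        fail "cooks.yml is identical to cooks.sample.yml (no secret set?)"
    fi
    # The session secret should not be readable by every local user (warning only).
    if [ -f "$dir/cooks.yml" ] && [ -n "$(find "$dir/cooks.yml" -perm -004)" ]; then
        echo "WARN: cooks.yml is world-readable" >&2
    fi

    # users.yml needs the user_credentials dictionary, even if it is empty ({}).
    if [ -f "$dir/users.yml" ] && ! grep -q 'user_credentials:' "$dir/users.yml"; then
        fail "users.yml has no user_credentials key"
    fi
    return "$rc"
}
```

The world-readable check on cooks.yml is only a warning because the container user still needs read access to the file through the bind mount.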
If you want to contribute to this project, you can use the following one-liner to rebuild the image and bring up the Docker-Compose stack every time you make a change to the code:
docker-compose down && docker-compose up --build