Merge pull request #134 from silinternational/develop

Convert from U2F to WebAuthn - Release as 8.0.0

docker-compose/broker/local.env.dist

@@ -2,7 +2,9 @@ MFA_TOTP_apiBaseUrl=
 MFA_TOTP_apiKey=
 MFA_TOTP_apiSecret=
 
-MFA_U2F_apiBaseUrl=
-MFA_U2F_apiKey=
-MFA_U2F_apiSecret=
-MFA_U2F_appId=
+MFA_WEBAUTHN_apiBaseUrl=
+MFA_WEBAUTHN_apiKey=
+MFA_WEBAUTHN_apiSecret=
+MFA_WEBAUTHN_appId=
+MFA_WEBAUTHN_rpDisplayName=IdP in a Box
+MFA_WEBAUTHN_rpId=

docker-compose/docker-compose.yml

@@ -3,7 +3,7 @@ version: "3"
 services:
 
   db-broker:
-    image: silintl/mariadb:latest
+    image: mariadb:latest
     ports:
       - "3306"
     environment:
@@ -113,7 +113,7 @@ services:
       PMA_PASSWORD: ssp
 
   db-pw:
-    image: silintl/mariadb:latest
+    image: mariadb:latest
     ports:
       - "3306"
     environment:
@@ -270,7 +270,7 @@ services:
     command: /data/run-cron.sh
 
   db-email:
-    image: silintl/mariadb:latest
+    image: mariadb:latest
     ports:
       - "3306"
     environment:

docker-compose/pw-api/local.env.dist

@@ -1,3 +1,4 @@
-AUTH_SAML_idpCertificate=
-AUTH_SAML_spCertificate=
-AUTH_SAML_spPrivateKey=
+AUTH_SAML_idpCertificate=MIIDzzCCAregAwIBAgIJAPlZYTAQSIbHMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOQzEPMA0GA1UEBwwGV2F4aGF3MQwwCgYDVQQKDANTSUwxDTALBgNVBAsMBEdUSVMxDjAMBgNVBAMMBVN0ZXZlMSQwIgYJKoZIhvcNAQkBFhVzdGV2ZV9iYWd3ZWxsQHNpbC5vcmcwHhcNMTYxMDE3MTIzMTQ1WhcNMjYxMDE3MTIzMTQ1WjB+MQswCQYDVQQGEwJVUzELMAkGA1UECAwCTkMxDzANBgNVBAcMBldheGhhdzEMMAoGA1UECgwDU0lMMQ0wCwYDVQQLDARHVElTMQ4wDAYDVQQDDAVTdGV2ZTEkMCIGCSqGSIb3DQEJARYVc3RldmVfYmFnd2VsbEBzaWwub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArssOaeKbdOQFpN6bBolwSJ/6QFBXA73Sotg60anx9v6aYdUTmi+b7SVtvOmHDgsD5X8pN/6Z11QCZfTYg2nW3ZevGZsj8W/R6C8lRLHzWUr7e7DXKfj8GKZptHlUs68kn0ndNVt9r/+irJe9KBdZ+4kAihykomNdeZg06bvkklxVcvpkOfLTQzEqJAmISPPIeOXes6hXORdqLuRNTuIKarcZ9rstLnpgAs2TE4XDOrSuUg3XFnM05eDpFQpUb0RXWcD16mLCPWw+CPrGoCfoftD5ZGfll+W2wZ7d0kQ4TbCpNyxQH35q65RPVyVNPgSNSsFFkmdcqP9DsFqjJ8YC6wIDAQABo1AwTjAdBgNVHQ4EFgQUD6oyJKOPPhvLQpDCC3027QcuQwUwHwYDVR0jBBgwFoAUD6oyJKOPPhvLQpDCC3027QcuQwUwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAA6tCLHJQGfXGdFerQ3J0wUu8YDSLb0WJqPtGdIuyeiywR5ooJf8G/jjYMPgZArepLQSSi6t8/cjEdkYWejGnjMG323drQ9M1sKMUhOJF4po9R3t7IyvGAL3fSqjXA8JXH5MuGuGtChWxaqhduA0dBJhFAtAXQ61IuIQF7vSFxhTwCvJnaWdWD49sG5OqjCfgIQdY/mw70e45rLnR/bpfoigL67sTJxy+Kx2ogbvMR6lITByOEQFMt7BYpMtXrwvKUM7k9NOo1jREmJacC8PTx//jRhCWwzUj1RsfIri24BuITrawwqMsYl8DZiiwMpjUf9m4NPaf4E7+QRpzo+MCcg==
+AUTH_SAML_spCertificate=MIIEazCCAtOgAwIBAgIUStK9gxOE29r78EQ2O0z7YQFNlJkwDQYJKoZIhvcNAQELBQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMTEyMDIxNTA2NDJaFw0zMTEyMDIxNTA2NDJaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQDLqcvV4azUkyPR1Lfk7swNCjCkOnqdWxSMtd1lxQ2Dm8WZtQj45aW8iqfz33KlYHDNGfRnCaTwCY8WYhZB/vjMskWoP4iuSbaIEa3Z/1nVkrlHAMBkqr4OM9Y6mr2B2Z79XIPWtYZ3mCETlMn2+T2kshA4Qmt7jX4zqm2A4hhv8Uf4dzoB7OWW/yNiYBq8A80rmJL1g4JnpT2GiO2+IdEnTEp0yZzkMb1hs6bS1+5WDKrlsNsvUP9mfhn2wj55pV8QY42zeGy5v/TkRkjhP0aDF7wqAfp9dVIW5yPbLIi5n5bFlADO7pLWs5d+QG3LS98NEZPRb9pWsCp6bC0og9XH2vUhbmQmRrTIjJKDxg2dynTz2wBIe9Wc6Gj8FGtrVQfy78q21w9EJhsQ2QRrMRNoc9W3YBPBD76+umZdxB6QPTUKqOvnXiOMM7Yrr7VGOrjofVzF+5aUytT9xnsnm/yeQZkt+NuYf+0yZI6BBffNfVozjmeunrVjtBltDnsPZvkCAwEAAaNTMFEwHQYDVR0OBBYEFCQjdy8KhV6k685jlqpN6vR/qCYXMB8GA1UdIwQYMBaAFCQjdy8KhV6k685jlqpN6vR/qCYXMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggGBAEKZ0Qh/r3f44dYsnsaCcvhvlxvW6CcDhl5uWJp7NBJ0ayk9IEi+C5KbewNjV/1RTMaF43UmNTux6i6OjyKpX1rnDxrYLxZKVFoMPHV+i+8ZbLBkMZzBUnaLgIS5mPbDSyYP0/bv2t4MhNOgT2wMLaZcX0WumbrXf1KZlccKENk4rhGRezEEU9qhNIlXsnr08zfqhYEM+h5+wcjCc6KWXtVV7AiZCF+YicOi8wbvWnVYCFbDnpX7wzghhy7b14CiOLdAdPKR2+SETgh01o6b/Z8RBqdtKqrfRwxeg3Dn1bZaPVlPQzVDZX6DOJQoahQEnMECtP1HgfsRqeMTy7JhmxFN/BCGkPlwNPo0VfUzk/Il7D46i/3g0egSJd6r3KlNiqusKQ+3scownxvKIjcFeGl7ndD5AUuPQEVW6wQ5ev8j7R75RAsImdmJ8na0oXlThDAEi2C4Zu1PmouDiL+udhMVBOhFun7nNpTS/a/vhdN02ht6NxG0gLSWcDXvhYR0TQ==
+AUTH_SAML_spPrivateKey=MIIG/AIBADANBgkqhkiG9w0BAQEFAASCBuYwggbiAgEAAoIBgQDLqcvV4azUkyPR1Lfk7swNCjCkOnqdWxSMtd1lxQ2Dm8WZtQj45aW8iqfz33KlYHDNGfRnCaTwCY8WYhZB/vjMskWoP4iuSbaIEa3Z/1nVkrlHAMBkqr4OM9Y6mr2B2Z79XIPWtYZ3mCETlMn2+T2kshA4Qmt7jX4zqm2A4hhv8Uf4dzoB7OWW/yNiYBq8A80rmJL1g4JnpT2GiO2+IdEnTEp0yZzkMb1hs6bS1+5WDKrlsNsvUP9mfhn2wj55pV8QY42zeGy5v/TkRkjhP0aDF7wqAfp9dVIW5yPbLIi5n5bFlADO7pLWs5d+QG3LS98NEZPRb9pWsCp6bC0og9XH2vUhbmQmRrTIjJKDxg2dynTz2wBIe9Wc6Gj8FGtrVQfy78q21w9EJhsQ2QRrMRNoc9W3YBPBD76+umZdxB6QPTUKqOvnXiOMM7Yrr7VGOrjofVzF+5aUytT9xnsnm/yeQZkt+NuYf+0yZI6BBffNfVozjmeunrVjtBltDnsPZvkCAwEAAQKCAYA/bFQu+gVxeZTpDl5qK7ddxDOboR54DFoc67HTtIbd2k+x6z+tCw8O5Psipg401BCsvo1u3QEBQ2jM5qTZzoY6cLXijE6LQCdYvnCud6fJK9UI+IHxl35yO9BWFcQ4QMYTTpE79vG2IqkCSQ6QG9QHivAkJQMFye1oN4W8YiyMB86K4M4utVBWMoQZaaZJsMFe9zekv1yH3FyJnfCziiJxI3/4WKTEJ307hM/JzzbIk09REj9fv9CZYWHCh4EfLtEaO9gEW/fRorAJjUf+K6Pp9l85Buqvo+xy9h1bCVAGpIaaQS+9sb0MZwTKxIBQYfUgTVXDlFCEmKKd+Glc1VWAq9DE7EArlkUyN8/p5X2jcc7oyY5KgioJF4DJZwG+HTZoou02FEnKfQqIEp0rJ6On67nbKvYAsDcNgAw/zzjxyAoYSidTxeoKA/JwM7AKJtneTT8cKhIuO50ZQLUWDSS4PPrAIjcwfFsECm1rq6PT5a4rr9425g3RQNghD8ncMhECgcEA+BZerAQd1DZooJVwMKRVhRfjiR18pXja/pleuqI6S0WjufGIXypL2xq3Cfn2f9uGBCMql5mhAjxYDSvWY1dJUWS+a0LRnsNxJhnvY2mhLfMej8s69MLwoUeMRgRHMtlSlG3s1gQInXG9ePIKywyb6RgfLNpdkK1oyR6DsqEiwAqEcXJZ0sSVWg6xJ6cQZk1abZ9QAFsZ9e0C6nEWDYtCjd5gxID701Ec3bzSiltr7DJL8HybZGIgwuRZDxGDQd51AoHBANIotEA9JvnGsF/FjIUowciSty67hzTpyW6LtK5CvriNPJP/XhjFiOwRR30z2bZbKwJz/FyxtWlCmUItN+9sndkTHVoZzA5Jd27bOSAEbKA3PZKHhcF/Q0tPdNow3Zlre7I0rQ8UFAARAvPk89vDmIeura/NyM7UqQ0QYUJXq1v7mbPXAbF9n5tsGQu73/gWXGVUKq7bs0TLVwNX0vkl+nUdlD3OCAA+SUHo4RqDxKuTWwLPCvXNljrZiwiONcFd9QKBwHQ2pmqWExMR2bk/x6pBkP4jzqawdW9eSdfyKHns/Lm+CZBVILjTq20b+pplyZ7jSsgtYQpbIR1W/zhMTMWEYggK1ViRmHhyvVJH2+gJ10MbHDnnzdpSZz5lscQqxN+BBjoZtFQc15xJZ6R8Xan4YiCy+Aee0y2uzeNItBC9gvXK93fdRU6CYCQrtbkJfZkuqymm82b3RhX5zN/d0aLOlYK3pUTn1w+Kc6c7iLTfVpLyjLg+5twDS62AImf4oC/+8QKBwEblvnFRb/2hfszAWzhs2Hruq+eTEfjSycaGUOzczXR7CS2wX7EhqqBg7+oX/OFc/jR0pnUq6lVZR1Sg5pbZ4KJjpWpI+6LyO91lDW90rqSaHiZ5m7D8WtpkMrqM86UXMoKa7KsCjgC7vHBFE9NWt/VGA4gkdxL3gRRMK1NzOfbs+RxHc2XKSHbpT8W6msMZ4A+7Bi85JNAXfQI+tYihvE2YLfNvtxlF6fbXNmF4hHeRXYmkCUGFGqI9036OYyoZpQKBwBDOBGaCfXo0QU82LzSZJJvcQuKLU7O0s4yNjSpzeVcLBjI/D0Fs4rDNEPmZIkaNscFFUYsxtbG7xNQPYcskVgQNiURijRA7TZfpq1Y3jrdqoHAwVXGbGD4Y5zdrQPAT3FFzEOzYWeICSZVpOAq0k/gJnrLIuX/BtkYoBaayC2euEQhWAtK1kNiV6nub8T1y3ZVOhUBSiC4EWFRuXKoiYRXPni2+4dGbCOZTImdmlX9lHnZ0GcIebggZm9+lIJihrA==
+WEBAUTHN_RP_ORIGIN=http://pw-ui.local

docker-compose/ssp/metadata/saml20-sp-remote.php

@@ -10,6 +10,6 @@
  */
 $metadata['pw-api.local:51050'] = [
     'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
-	  'AssertionConsumerService' => 'http://pw-api.local:51050/auth/login',
-    'certData' => 'MIIDtTCCAp2gAwIBAgIJAK2cyEwuxdADMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTcwNDI4MTMyNjA2WhcNMjcwNDI4MTMyNjA2WjBFMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtVzLISMbdMHa7yPQgcdmH5khNTGv9zchvL15dEmsAgFIHZQULm72lclpsThdpb95r6lbnEqfhidTVnqpFQv755gzxn4r+ScFCTMPdsdK+Flh5Ej10VOYfBepBhrhU7mZhF4UFFHvx4karENyCQeEjw2JCNmDO/hDX5vluYip09TfEQSbCO6zYoEx6Z+PoDauYBYhQka3H8DDhSg/vjTuHoos4bkW/gRbgVAAOGgtx6gp4djb4WlldMKEjXcKihLGQXYPw5Ur2dHLOxuSAkxSnFrx+Eb/26/dU0RZC/a2ipujCQhjT9uiw1x7orSjDK1SFHq9Xlie0e0W8sVrgZtwYQIDAQABo4GnMIGkMB0GA1UdDgQWBBRxdpPqYNHv58zusXJyeb9L1Iv3pjB1BgNVHSMEbjBsgBRxdpPqYNHv58zusXJyeb9L1Iv3pqFJpEcwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAK2cyEwuxdADMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAEUr+4aDqozvb3P+53vjYR1OIyJdE4EhZjLpT2xwIqhQVaED7nfxaY0E3znE53YoNUlDz8/+3zwU6aQxeZtD84Tbunv9X8hWgt9k97ib04pmHZe9Cp0B61Yv0aUmKGlFEPEzG84jfjnILhS0fxePIjKpot6bt3EJ1XnfLvrNGBeWgQao3qGaXVwK/9gJOFUGLRG2X34AI2nTNAbr2Sexvn8yVarY41VC08nGoqrFnoKf3zi1GH6Pp8XSVCt4bU7u/I9XBsUpagVFxkw2wJZW9kBkfQLqtOwgRv2n4F4Ftxo9wLZJ5bPMcJf+R6PsJJQRslsW7NSFjoXIPnVXEF6nxQk=',
+    'AssertionConsumerService' => 'http://pw-api.local:51050/auth/login',
+    'certData' => 'MIIEazCCAtOgAwIBAgIUStK9gxOE29r78EQ2O0z7YQFNlJkwDQYJKoZIhvcNAQELBQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMTEyMDIxNTA2NDJaFw0zMTEyMDIxNTA2NDJaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQDLqcvV4azUkyPR1Lfk7swNCjCkOnqdWxSMtd1lxQ2Dm8WZtQj45aW8iqfz33KlYHDNGfRnCaTwCY8WYhZB/vjMskWoP4iuSbaIEa3Z/1nVkrlHAMBkqr4OM9Y6mr2B2Z79XIPWtYZ3mCETlMn2+T2kshA4Qmt7jX4zqm2A4hhv8Uf4dzoB7OWW/yNiYBq8A80rmJL1g4JnpT2GiO2+IdEnTEp0yZzkMb1hs6bS1+5WDKrlsNsvUP9mfhn2wj55pV8QY42zeGy5v/TkRkjhP0aDF7wqAfp9dVIW5yPbLIi5n5bFlADO7pLWs5d+QG3LS98NEZPRb9pWsCp6bC0og9XH2vUhbmQmRrTIjJKDxg2dynTz2wBIe9Wc6Gj8FGtrVQfy78q21w9EJhsQ2QRrMRNoc9W3YBPBD76+umZdxB6QPTUKqOvnXiOMM7Yrr7VGOrjofVzF+5aUytT9xnsnm/yeQZkt+NuYf+0yZI6BBffNfVozjmeunrVjtBltDnsPZvkCAwEAAaNTMFEwHQYDVR0OBBYEFCQjdy8KhV6k685jlqpN6vR/qCYXMB8GA1UdIwQYMBaAFCQjdy8KhV6k685jlqpN6vR/qCYXMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggGBAEKZ0Qh/r3f44dYsnsaCcvhvlxvW6CcDhl5uWJp7NBJ0ayk9IEi+C5KbewNjV/1RTMaF43UmNTux6i6OjyKpX1rnDxrYLxZKVFoMPHV+i+8ZbLBkMZzBUnaLgIS5mPbDSyYP0/bv2t4MhNOgT2wMLaZcX0WumbrXf1KZlccKENk4rhGRezEEU9qhNIlXsnr08zfqhYEM+h5+wcjCc6KWXtVV7AiZCF+YicOi8wbvWnVYCFbDnpX7wzghhy7b14CiOLdAdPKR2+SETgh01o6b/Z8RBqdtKqrfRwxeg3Dn1bZaPVlPQzVDZX6DOJQoahQEnMECtP1HgfsRqeMTy7JhmxFN/BCGkPlwNPo0VfUzk/Il7D46i/3g0egSJd6r3KlNiqusKQ+3scownxvKIjcFeGl7ndD5AUuPQEVW6wQ5ev8j7R75RAsImdmJ8na0oXlThDAEi2C4Zu1PmouDiL+udhMVBOhFun7nNpTS/a/vhdN02ht6NxG0gLSWcDXvhYR0TQ==',
 ];

terraform/040-id-broker/README.md

@@ -29,10 +29,13 @@ This module is used to create an ECS service running id-broker.
  - `mfa_totp_apibaseurl` - Base URL to TOTP api
  - `mfa_totp_apikey` - API key for TOTP api
  - `mfa_totp_apisecret` - API secret for TOTP api
- - `mfa_u2f_apibaseurl` - Base URL for U2F api
- - `mfa_u2f_apikey` - API key for U2F api
- - `mfa_u2f_apisecret` - API secret for U2F api
- - `mfa_u2f_appid` - AppID for U2F api
+ - `mfa_webauthn_apibaseurl` - Base URL for WebAuthn api
+ - `mfa_webauthn_apikey` - API key for WebAuthn api
+ - `mfa_webauthn_apisecret` - API secret for WebAuthn api
+ - `mfa_webauthn_appid` - AppID for WebAuthn api
+ - `mfa_webauthn_rpdisplayname` - Relying Party Display Name
+ - `mfa_webauthn_rpid` - Relying Party ID 
+ - `rp_origins` - CSV list of allowed Relying Party Origins
  - `mysql_host` - Address for RDS instance
  - `mysql_pass` - MySQL password for id-broker
  - `mysql_user` - MySQL username for id-broker
@@ -136,7 +139,7 @@ module "broker" {
   source                           = "github.com/silinternational/idp-in-a-box//terraform/040-id-broker"
   app_env                          = var.app_env
   app_name                         = var.app_name
-  aws_region                       = var.aws_region`
+  aws_region                       = var.aws_region
   cloudflare_domain                = var.cloudflare_domain
   cloudwatch_log_group_name        = var.cloudwatch_log_group_name
   contingent_user_duration         = var.contingent_user_duration
@@ -187,10 +190,13 @@ module "broker" {
   mfa_totp_apibaseurl              = var.mfa_totp_apibaseurl
   mfa_totp_apikey                  = var.mfa_totp_apikey
   mfa_totp_apisecret               = var.mfa_totp_apisecret
-  mfa_u2f_apibaseurl               = var.mfa_u2f_apibaseurl
-  mfa_u2f_apikey                   = var.mfa_u2f_apikey
-  mfa_u2f_apisecret                = var.mfa_u2f_apisecret
-  mfa_u2f_appid                    = var.mfa_u2f_appid
+  mfa_webauthn_apibaseurl          = var.mfa_webauthn_apibaseurl
+  mfa_webauthn_apikey              = var.mfa_webauthn_apikey
+  mfa_webauthn_apisecret           = var.mfa_webauthn_apisecret
+  mfa_webauthn_appid               = var.mfa_webauthn_appid
+  mfa_webauthn_rpdisplayname       = var.mfa_webauthn_rpdisplayname
+  mfa_webauthn_rpid                = var.mfa_webauthn_rpid
+  rp_origins                       = var.rp_origins
   minimum_backup_codes_before_nag  = var.minimum_backup_codes_before_nag
   mysql_host                       = data.terraform_remote_state.database.rds_address
   mysql_pass                       = data.terraform_remote_state.database.db_idbroker_pass

terraform/040-id-broker/main.tf

@@ -120,10 +120,13 @@ data "template_file" "task_def" {
     mfa_totp_apibaseurl              = var.mfa_totp_apibaseurl
     mfa_totp_apikey                  = var.mfa_totp_apikey
     mfa_totp_apisecret               = var.mfa_totp_apisecret
-    mfa_u2f_apibaseurl               = var.mfa_u2f_apibaseurl
-    mfa_u2f_apikey                   = var.mfa_u2f_apikey
-    mfa_u2f_apisecret                = var.mfa_u2f_apisecret
-    mfa_u2f_appid                    = var.mfa_u2f_appid
+    mfa_webauthn_apibaseurl          = var.mfa_webauthn_apibaseurl
+    mfa_webauthn_apikey              = var.mfa_webauthn_apikey
+    mfa_webauthn_apisecret           = var.mfa_webauthn_apisecret
+    mfa_webauthn_appid               = var.mfa_webauthn_appid
+    mfa_webauthn_rpdisplayname       = var.mfa_webauthn_rpdisplayname
+    mfa_webauthn_rpid                = var.mfa_webauthn_rpid
+    rp_origins                       = var.rp_origins
     minimum_backup_codes_before_nag  = var.minimum_backup_codes_before_nag
     mysql_host                       = var.mysql_host
     mysql_pass                       = var.mysql_pass
@@ -242,10 +245,13 @@ data "template_file" "task_def_cron" {
     mfa_totp_apibaseurl              = var.mfa_totp_apibaseurl
     mfa_totp_apikey                  = var.mfa_totp_apikey
     mfa_totp_apisecret               = var.mfa_totp_apisecret
-    mfa_u2f_apibaseurl               = var.mfa_u2f_apibaseurl
-    mfa_u2f_apikey                   = var.mfa_u2f_apikey
-    mfa_u2f_apisecret                = var.mfa_u2f_apisecret
-    mfa_u2f_appid                    = var.mfa_u2f_appid
+    mfa_webauthn_apibaseurl          = var.mfa_webauthn_apibaseurl
+    mfa_webauthn_apikey              = var.mfa_webauthn_apikey
+    mfa_webauthn_apisecret           = var.mfa_webauthn_apisecret
+    mfa_webauthn_appid               = var.mfa_webauthn_appid
+    mfa_webauthn_rpdisplayname       = var.mfa_webauthn_rpdisplayname
+    mfa_webauthn_rpid                = var.mfa_webauthn_rpid
+    rp_origins                       = var.rp_origins
     minimum_backup_codes_before_nag  = var.minimum_backup_codes_before_nag
     mysql_host                       = var.mysql_host
     mysql_pass                       = var.mysql_pass

terraform/040-id-broker/task-definition.json

@@ -179,20 +179,32 @@
         "value": "${mfa_totp_apisecret}"
       },
       {
-        "name": "MFA_U2F_apiBaseUrl",
-        "value": "${mfa_u2f_apibaseurl}"
+        "name": "MFA_WEBAUTHN_apiBaseUrl",
+        "value": "${mfa_webauthn_apibaseurl}"
       },
       {
-        "name": "MFA_U2F_apiKey",
-        "value": "${mfa_u2f_apikey}"
+        "name": "MFA_WEBAUTHN_apiKey",
+        "value": "${mfa_webauthn_apikey}"
       },
       {
-        "name": "MFA_U2F_apiSecret",
-        "value": "${mfa_u2f_apisecret}"
+        "name": "MFA_WEBAUTHN_apiSecret",
+        "value": "${mfa_webauthn_apisecret}"
       },
       {
-        "name": "MFA_U2F_appId",
-        "value": "${mfa_u2f_appid}"
+        "name": "MFA_WEBAUTHN_appId",
+        "value": "${mfa_webauthn_appid}"
+      },
+      {
+        "name": "MFA_WEBAUTHN_rpDisplayName",
+        "value": "${mfa_webauthn_rpdisplayname}"
+      },
+      {
+        "name": "MFA_WEBAUTHN_rpId",
+        "value": "${mfa_webauthn_rpid}"
+      },
+      {
+        "name": "RP_ORIGINS",
+        "value": "${rp_origins}"
       },
       {
         "name": "MINIMUM_BACKUP_CODES_BEFORE_NAG",

terraform/040-id-broker/vars.tf

@@ -267,19 +267,31 @@ variable "mfa_totp_apisecret" {
   type = string
 }
 
-variable "mfa_u2f_apibaseurl" {
+variable "mfa_webauthn_apibaseurl" {
   type = string
 }
 
-variable "mfa_u2f_apikey" {
+variable "mfa_webauthn_apikey" {
   type = string
 }
 
-variable "mfa_u2f_apisecret" {
+variable "mfa_webauthn_apisecret" {
   type = string
 }
 
-variable "mfa_u2f_appid" {
+variable "mfa_webauthn_appid" {
+  type = string
+}
+
+variable "mfa_webauthn_rpdisplayname" {
+  type = string
+}
+
+variable "mfa_webauthn_rpid" {
+  type = string
+}
+
+variable "rp_origins" {
   type = string
 }