WebAuthn API FIDO2 client

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for origliante from gravatar.com origliante

Unverified details

These details have not been verified by PyPI
Meta
Classifiers
Report project as malware

Project description

python-fido2-client

Tests Publish PyPI

WebAuthn API FIDO2 client implementation in Python.

A Python library for authenticating against WebAuthn/FIDO2 servers. Handles FIDO2 device discovery, assertion retrieval over CTAP HID, and server communication.

Tested against the python-fido2 server example.

Requirements

  • Python 3.10+
  • A FIDO2-compatible USB authenticator (e.g. YubiKey)
  • A WebAuthn server implementing the begin/complete authentication flow using CBOR encoding

Installation

pip install fido2client

Quick start

import fido2client

with fido2client.Fido2HttpClient() as client:
    authenticated = client.authenticate_to(
        'https://your-server.com',
        '/api/authenticate/begin',
        '/api/authenticate/complete',
    )
    if authenticated:
        print('Authenticated!')

Usage

Basic authentication

from fido2client import Fido2HttpClient

client = Fido2HttpClient()
result = client.authenticate_to(
    'https://example.com',
    '/api/authenticate/begin',
    '/api/authenticate/complete',
)

With custom headers or extra data

client = Fido2HttpClient()
result = client.authenticate_to(
    'https://example.com',
    '/api/authenticate/begin',
    '/api/authenticate/complete',
    extra_headers={'Authorization': 'Bearer <token>'},
    extra_data={'session_id': 'abc123'},
)

Reusing an existing HTTP session

import requests
from fido2client import Fido2HttpClient

session = requests.Session()
session.cookies.set('csrf_token', '...')

client = Fido2HttpClient()
result = client.authenticate_to(
    'https://example.com',
    '/api/authenticate/begin',
    '/api/authenticate/complete',
    session=session,
)

Context manager (recommended)

The context manager ensures the HTTP session is closed when done:

from fido2client import Fido2HttpClient

with Fido2HttpClient() as client:
    result = client.authenticate_to(
        'https://example.com',
        '/api/authenticate/begin',
        '/api/authenticate/complete',
    )

Custom callbacks

By default, authenticate_to uses print for user prompts and getpass.getpass for PIN entry. Override these for GUI apps or headless automation:

from fido2client import Fido2HttpClient

with Fido2HttpClient() as client:
    result = client.authenticate_to(
        'https://example.com',
        '/api/authenticate/begin',
        '/api/authenticate/complete',
        prompt_callback=lambda msg: my_ui.show(msg),
        pin_callback=lambda: my_ui.ask_pin(),
    )

Error handling

from fido2client import Fido2HttpClient
from fido2client.exceptions import (
    FidoAuthenticationError,
    FidoDeviceNotFoundError,
    FidoServerError,
)
import requests

try:
    with Fido2HttpClient() as client:
        result = client.authenticate_to(
            'https://example.com',
            '/api/authenticate/begin',
            '/api/authenticate/complete',
        )
except FidoDeviceNotFoundError:
    print('No FIDO2 device found. Connect your authenticator and try again.')
except FidoAuthenticationError as e:
    print(f'Authentication ceremony failed: {e}')
except FidoServerError as e:
    print(f'Server communication failed: {e}')
except requests.exceptions.RequestException as e:
    print(f'Network error: {e}')

Configuration options

client = Fido2HttpClient(
    ssl_verify=True,  # Verify TLS certificates (default: True, always use in production)
    timeout=30,       # HTTP request timeout in seconds (default: 30)
    verbose=False,    # Shortcut to enable DEBUG logging (default: False)
)

Security note: ssl_verify=False disables TLS certificate verification entirely. Never use this in production — it makes the connection vulnerable to man-in-the-middle attacks. It is only appropriate for local development environments using self-signed certificates.

Enabling debug logging

Rather than using the verbose flag, you can configure the standard Python logging module:

import logging
logging.basicConfig(level=logging.DEBUG)
logging.getLogger('fido2client').setLevel(logging.DEBUG)

Local development example

For local testing against a server using a self-signed certificate:

import fido2client

# WARNING: ssl_verify=False is for local development only.
# Never use in production.
c = fido2client.Fido2HttpClient(ssl_verify=False, verbose=True)

c.authenticate_to(
    'https://localhost:5000',
    '/api/authenticate/begin',
    '/api/authenticate/complete',
)

Development

pip install -e ".[dev]"
pytest

Exception hierarchy

Exception Raised when
Fido2ClientError Base class for all fido2client errors
FidoDeviceNotFoundError No FIDO2 device is connected
FidoServerError Server returns an unreadable or unexpected response
FidoAuthenticationError The authentication ceremony cannot proceed

License

MIT

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for origliante from gravatar.com origliante

Unverified details

These details have not been verified by PyPI
Meta
Classifiers

Release history Release notifications | RSS feed

This version

0.11.1

0.11.0

0.10.5

0.10.4

0.10.3

0.10.2

0.10.1

0.10.0

0.9.1

0.9.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

fido2client-0.11.1.tar.gz (10.5 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

fido2client-0.11.1-py3-none-any.whl (7.8 kB view details)

Uploaded Python 3

File details

Details for the file fido2client-0.11.1.tar.gz.

File metadata

  • Download URL: fido2client-0.11.1.tar.gz
  • Upload date:
  • Size: 10.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for fido2client-0.11.1.tar.gz
Algorithm Hash digest
SHA256 b821fd0f5e915013c2f7fc788fb7ada31af97881fc2dba6f5712e78f0e4f1c45
MD5 9cb30ee658b3408a3e463020f5c6d7bc
BLAKE2b-256 d640e247889a299d62a60bf94f3ced372a63ff0d954dd05a92d0c01d337bf08e

See more details on using hashes here.

Provenance

The following attestation bundles were made for fido2client-0.11.1.tar.gz:

Publisher: python-publish.yml on orglnte/python-fido2-client

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file fido2client-0.11.1-py3-none-any.whl.

File metadata

  • Download URL: fido2client-0.11.1-py3-none-any.whl
  • Upload date:
  • Size: 7.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for fido2client-0.11.1-py3-none-any.whl
Algorithm Hash digest
SHA256 6123076d60eb2119889fc6c5d2635c75d19aefb51b9e2e5646354bb1922d3b28
MD5 158e9275ff1e976ffb3a4d687a0d6cd3
BLAKE2b-256 4d265b7c51f54ca9d483229ada9df24de34025e5a2c32fa7e7566c0cd5eb6525

See more details on using hashes here.

Provenance

The following attestation bundles were made for fido2client-0.11.1-py3-none-any.whl:

Publisher: python-publish.yml on orglnte/python-fido2-client

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page