WebAuthn API FIDO2 client

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for origliante from gravatar.com origliante

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: MIT License
  • Author: origliante
  • Requires: Python >=3.9
  • Provides-Extra: dev
Classifiers
Report project as malware

Project description

python-fido2-client

Tests Publish PyPI

WebAuthn API FIDO2 client implementation in Python.

A Python library for authenticating against WebAuthn/FIDO2 servers. Handles FIDO2 device discovery, assertion retrieval over CTAP HID, and server communication.

Tested against the python-fido2 server example.

Requirements

  • Python 3.9+
  • A FIDO2-compatible USB authenticator (e.g. YubiKey)
  • A WebAuthn server implementing the begin/complete authentication flow using CBOR encoding

Installation

pip install fido2client

Quick start

import fido2client

with fido2client.Fido2HttpClient() as client:
    authenticated = client.authenticate_to(
        'https://your-server.com',
        '/api/authenticate/begin',
        '/api/authenticate/complete',
    )
    if authenticated:
        print('Authenticated!')

Usage

Basic authentication

from fido2client import Fido2HttpClient

client = Fido2HttpClient()
result = client.authenticate_to(
    'https://example.com',
    '/api/authenticate/begin',
    '/api/authenticate/complete',
)

With custom headers or extra data

client = Fido2HttpClient()
result = client.authenticate_to(
    'https://example.com',
    '/api/authenticate/begin',
    '/api/authenticate/complete',
    extra_headers={'Authorization': 'Bearer <token>'},
    extra_data={'session_id': 'abc123'},
)

Reusing an existing HTTP session

import requests
from fido2client import Fido2HttpClient

session = requests.Session()
session.cookies.set('csrf_token', '...')

client = Fido2HttpClient()
result = client.authenticate_to(
    'https://example.com',
    '/api/authenticate/begin',
    '/api/authenticate/complete',
    session=session,
)

Context manager (recommended)

The context manager ensures the HTTP session is closed when done:

from fido2client import Fido2HttpClient

with Fido2HttpClient() as client:
    result = client.authenticate_to(
        'https://example.com',
        '/api/authenticate/begin',
        '/api/authenticate/complete',
    )

Error handling

from fido2client import Fido2HttpClient
from fido2client.exceptions import FidoDeviceNotFoundError, FidoServerError
import requests

try:
    with Fido2HttpClient() as client:
        result = client.authenticate_to(
            'https://example.com',
            '/api/authenticate/begin',
            '/api/authenticate/complete',
        )
except FidoDeviceNotFoundError:
    print('No FIDO2 device found. Connect your authenticator and try again.')
except FidoServerError as e:
    print(f'Server communication failed: {e}')
except requests.exceptions.RequestException as e:
    print(f'Network error: {e}')

Configuration options

client = Fido2HttpClient(
    ssl_verify=True,  # Verify TLS certificates (default: True, always use in production)
    timeout=30,       # HTTP request timeout in seconds (default: 30)
    verbose=False,    # Shortcut to enable DEBUG logging (default: False)
)

Security note: ssl_verify=False disables TLS certificate verification entirely. Never use this in production — it makes the connection vulnerable to man-in-the-middle attacks. It is only appropriate for local development environments using self-signed certificates.

Enabling debug logging

Rather than using the verbose flag, you can configure the standard Python logging module:

import logging
logging.basicConfig(level=logging.DEBUG)
logging.getLogger('fido2client').setLevel(logging.DEBUG)

Local development example

For local testing against a server using a self-signed certificate:

import fido2client

# WARNING: ssl_verify=False is for local development only.
# Never use in production.
c = fido2client.Fido2HttpClient(ssl_verify=False, verbose=True)

c.authenticate_to(
    'https://localhost:5000',
    '/api/authenticate/begin',
    '/api/authenticate/complete',
)

Development

pip install -e ".[dev]"
pytest

Exception hierarchy

Exception Raised when
Fido2ClientError Base class for all fido2client errors
FidoDeviceNotFoundError No FIDO2 device is connected
FidoServerError Server returns an unreadable or unexpected response
FidoAuthenticationError The authentication ceremony cannot proceed

License

MIT

TODO

  • define details of the state machine for interactive and programmatical use cases
  • support for credential registration

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for origliante from gravatar.com origliante

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: MIT License
  • Author: origliante
  • Requires: Python >=3.9
  • Provides-Extra: dev
Classifiers

Release history Release notifications | RSS feed

0.11.1

This version

0.11.0

0.10.5

0.10.4

0.10.3

0.10.2

0.10.1

0.10.0

0.9.1

0.9.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

fido2client-0.11.0.tar.gz (8.3 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

fido2client-0.11.0-py3-none-any.whl (7.4 kB view details)

Uploaded Python 3

File details

Details for the file fido2client-0.11.0.tar.gz.

File metadata

  • Download URL: fido2client-0.11.0.tar.gz
  • Upload date:
  • Size: 8.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for fido2client-0.11.0.tar.gz
Algorithm Hash digest
SHA256 c4b870b9ec79410d987f2a9c9defccf53379a1191064ae09a8688de1c257a123
MD5 f12141866f180bc8f7c9be4074d8f3b4
BLAKE2b-256 2006db08dc3e414d369b6845dd68a25e0cae778c6a98d5d0b5dccdcb406292c2

See more details on using hashes here.

Provenance

The following attestation bundles were made for fido2client-0.11.0.tar.gz:

Publisher: python-publish.yml on orglnte/python-fido2-client

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file fido2client-0.11.0-py3-none-any.whl.

File metadata

  • Download URL: fido2client-0.11.0-py3-none-any.whl
  • Upload date:
  • Size: 7.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for fido2client-0.11.0-py3-none-any.whl
Algorithm Hash digest
SHA256 2449911499de9c005b31b86df0f21ebdee4318bca87d5b0615a6b76341a8c353
MD5 1e6eb3284bd68b1c3c5e761bf4c9ae9e
BLAKE2b-256 2ec08f8975aec960094bc6a537c445c55349e96c74e6d7ec4babed58ade0f013

See more details on using hashes here.

Provenance

The following attestation bundles were made for fido2client-0.11.0-py3-none-any.whl:

Publisher: python-publish.yml on orglnte/python-fido2-client

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page