feat: add WebAuthn virtual authenticator tools#823
feat: add WebAuthn virtual authenticator tools#823ed-lepedus-thenvoi wants to merge 9 commits intoChromeDevTools:mainfrom
Conversation
- Create src/tools/webauthn.ts with enableWebAuthn tool - Export from src/tools/tools.ts - Add basic test in tests/tools/webauthn.test.ts The tool currently does nothing - just returns success message. Next step: implement actual WebAuthn.enable CDP call. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The webauthn_enable tool now actually calls the CDP WebAuthn.enable command, enabling the virtual authenticator environment. Test verifies this by successfully adding a virtual authenticator after calling the tool. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Implements the ability to add virtual authenticators with configurable: - protocol (u2f, ctap2) - transport (usb, nfc, ble, internal) - hasResidentKey (passkey support) - hasUserVerification - isUserVerified Returns the authenticatorId for use in subsequent operations. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix ESLint import/order for type imports in tools.ts - Apply Prettier formatting to webauthn files Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Added tools: - webauthn_remove_authenticator: Remove a virtual authenticator - webauthn_get_credentials: List credentials on an authenticator - webauthn_add_credential: Add a pre-seeded credential - webauthn_clear_credentials: Clear all credentials - webauthn_set_user_verified: Toggle user verification state All tools follow the established pattern using CDP WebAuthn domain. Tests verify each tool works correctly (except add_credential which requires complex key generation - verified schema only). Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Run npm run docs to regenerate tool reference - Update WEBAUTHN_IMPLEMENTATION.md with final status Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add getCDPSession() helper to centralize CDP session access - Add handleWebAuthnError() for user-friendly error messages - Wrap all CDP calls in try/catch blocks - Add specific error handling for addCredential (userHandle, privateKey) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
OrKoN
left a comment
OrKoN
left a comment
There was a problem hiding this comment.
Thanks for the PR! We prefer not to include too much low level CDP code directly into the MCP server. Please use the existing WebAuthN model in the chrome-devtools-frontend dependency (third_party/devtools-frontend/src/front_end/core/sdk/WebAuthnModel.ts) (similar to how source map models are integrated). Alternatively, if the DevTools models do not satisfy the use case for some reason, we should consider adding higher level API into Puppeteer so that it is beneficial beyond the MCP server alone.
It would be great to also file an issue first to allow us to prioritize the feature and understand the use case to perhaps define an API that requires fewer tools.
| - [`webauthn_add_authenticator`](#webauthn_add_authenticator) | ||
| - [`webauthn_add_credential`](#webauthn_add_credential) | ||
| - [`webauthn_clear_credentials`](#webauthn_clear_credentials) | ||
| - [`webauthn_enable`](#webauthn_enable) | ||
| - [`webauthn_get_credentials`](#webauthn_get_credentials) | ||
| - [`webauthn_remove_authenticator`](#webauthn_remove_authenticator) | ||
| - [`webauthn_set_user_verified`](#webauthn_set_user_verified) |
There was a problem hiding this comment.
It looks like we could use a single tool configure_webauthn to configure all of the WebAuthN virtual authenticator state (getting rid of dedicated commands). If WebAuthN is enabled, its status should be returned for all calls (in McpResponse) eliminating a need for get. If any CDP events can be emitted via the user actions on the page, the McpContext should accumulate them automatically and include them in the McpResponse automatically.
| - **[Emulation](#emulation)** (9 tools) | ||
| - [`emulate`](#emulate) | ||
| - [`resize_page`](#resize_page) | ||
| - [`webauthn_add_authenticator`](#webauthn_add_authenticator) |
There was a problem hiding this comment.
we probably want a dedicated category for WebAuthN with a separate CLI flag to control it.
|
Closing the PR as stale. Please file a feature request so that we can prioritize providing WebAuthn tools. |
|
Hey, sorry for the radio silence on this, been heads-down on a myriad things. The upshot is that I've gone all-in on webauthn-only auth for all my projects going forward. I built my own lightweight IdP (wildcard.id), and even when I'm not using it, I prefer to have webauthn because it completely bypasses the need for me to collect any PII, so I don't have to worry about GDPR compliance etc. The whole thing works beautifully, except for it completely killing end-to-end validation workflows where I have claude drive Chrome through the devtools MCP and pretend to be a user. I'm not precious about how it's achieved, and I'm willing to put in the legwork to make this happen, but I really need webauthn not to be an invisible wall that stops automation in its place. What do I need to do to get this functionality over the line? |
|
@ed-lepedus-thenvoi let's start by filling a feature request in this repo? Then we can discuss the tool set and whether it needs to be behind a flag (I would save we only need a single tool called configure_webauthn and it can be off by default, requiring a CLI flag). Then instead of re-implementing the CDP client we should re-use the client available in the DevTools frontend (or alternatively we can add a Puppeteer API for this). Let's continue discussion on a feature request. |
2 participants
Adds 7 new tools exposing the Chrome DevTools Protocol WebAuthn domain for virtual authenticator testing:
webauthn_enablewebauthn_add_authenticatorwebauthn_remove_authenticatorwebauthn_get_credentialswebauthn_add_credentialwebauthn_clear_credentialswebauthn_set_user_verifiedUse Case
Enables automated testing of WebAuthn/passkey flows without physical security keys or platform authenticators (Touch ID, Windows Hello). Useful for:
Implementation
_client()API to access CDP session (same pattern as performance tools)defineTool()and Zod schemasTesting
Verified E2E on webauthn.io - successfully completed passkey registration and authentication flows using virtual authenticator.
🤖 Generated with Claude Code