on the client side, it seems like it should be simple. in the time i allowed myself, i was not able to figure out how to integrate it server-side in my python app. you're not implementing your own crypto, but you are having to interact with and understnad crypto.

there doesn't seem to be a standard python implementation, and there's no feedback at all about what went wrong if your challenges/responses are not accepted by the client-side APIs. the error if your server-side implementation sends anything unexpected is essentially "no, that's wrong".

This doesn't look all that hard: https://github.com/mkalioby/django-passkeys but I guess it depends on how low-level your backend is.

I would personally separate auth and the application. Configuring something like Keycloak or Authelia or one of the many other alternatives to do all the difficult work for you and just logging in through SSO/SAML seems much easier than having to keep track of your own authentication rules/security hashes/salting/etc. without making a mistake.

if the solution is introducing a whole new third-party authentication provider to my existing app, i'd say that definitely counts as hard.

i spent a few minutes looking into it again, and remembered what i really found frustrating - it's all a weird mix of JSON, and byte arrays. some functions want json, and some functions want json encoded as a byte array. and some of the items in the json structure are supposed to be byte arrays?

it seems like they've gone out of their way to make it purposefully difficult to communicate between the client and the server. there's client examples to follow, and server examples to follow, but getting something between the two of them is a mystery. json doesn't have a byte array type, so making an api that depends on byte arrays in json seems needlessly obtuse. it's a standard that doesn't work without client-server communication, and it hasn't bothered to define a client-server communication method or use a datatype that can be natively communicated to the server?

Unfortunately, that's probably way too technical for most developers nowadays, who are almost proud of not being able to read a manual.

That's just the browser client part of the equation, this says nothing about the server side. The `challenge` part of the API, as well as storing and maintaining the necessary public keys and doing the actual validation of credentials, are left for the reader to implement in the backend.

The browser API makes it easy to program a client against passkeys, but that doesn't necessarily hold up for doing the server implementation. For that, you need to either find a library that matches your requirements, or read through guides like these: https://developers.google.com/identity/passkeys/developer-gu... that skim over a lot of details.

Yeah right, its easy to write a PAM module too, but configuring an authentication registration and flow is not actually a similar skill set.