Replace deprecated duo-labs/webauthn with go-webauthn/webauthn (#19476)

2024-10-19 16:53:57 +00:00 · 2022-12-19 19:07:30 +01:00 · 2022-12-19 19:07:30 +01:00 · 77e10d6ff0
parent fc42dbb8df
commit 77e10d6ff0
36 changed files with 99 additions and 511 deletions
--- a/api/proto/teleport/legacy/types/webauthn/webauthn.proto
+++ b/api/proto/teleport/legacy/types/webauthn/webauthn.proto
@ -20,7 +20,7 @@ syntax = "proto3";
 // capabilities of current browser implementations.
 //
 // REST-based Teleport APIs will make an effort to transmit or embed JSON
-// messages matching the github.com/duo-labs/webauthn reference implementation,
+// messages matching the github.com/go-webauthn/webauthn reference implementation,
 // to allow for easy browser integration. gRPC APIs are not meant for REST use
 // and thus make no such promises, although the correspondence should be
 // obvious.
@ -42,7 +42,7 @@ option (gogoproto.unmarshaler_all) = true;
 // -----------------------------------------------------------------------------

 // SessionData stored by the Relying Party during authentication ceremonies.
-// Mirrors https://pkg.go.dev/github.com/duo-labs/webauthn/webauthn#SessionData.
+// Mirrors https://pkg.go.dev/github.com/go-webauthn/webauthn/webauthn#SessionData.
 message SessionData {
  // Raw challenge used for the ceremony.
  bytes challenge = 1 [(gogoproto.jsontag) = "challenge,omitempty"];
--- a/api/types/webauthn/webauthn.pb.go
+++ b/api/types/webauthn/webauthn.pb.go
@ -7,7 +7,7 @@
 // capabilities of current browser implementations.
 //
 // REST-based Teleport APIs will make an effort to transmit or embed JSON
-// messages matching the github.com/duo-labs/webauthn reference implementation,
+// messages matching the github.com/go-webauthn/webauthn reference implementation,
 // to allow for easy browser integration. gRPC APIs are not meant for REST use
 // and thus make no such promises, although the correspondence should be
 // obvious.
@ -40,7 +40,7 @@ var _ = math.Inf
 const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package

 // SessionData stored by the Relying Party during authentication ceremonies.
-// Mirrors https://pkg.go.dev/github.com/duo-labs/webauthn/webauthn#SessionData.
+// Mirrors https://pkg.go.dev/github.com/go-webauthn/webauthn/webauthn#SessionData.
 type SessionData struct {
 	// Raw challenge used for the ceremony.
 	Challenge []byte `protobuf:"bytes,1,opt,name=challenge,proto3" json:"challenge,omitempty"`
--- a/go.mod
+++ b/go.mod
@ -39,7 +39,6 @@ require (
 	github.com/creack/pty v1.1.18
 	github.com/datastax/go-cassandra-native-protocol v0.0.0-20220706104457-5e8aad05cf90
 	github.com/denisenkom/go-mssqldb v0.11.0 // replaced
-	github.com/duo-labs/webauthn v0.0.0-20220815211337-00c9fb5711f5
 	github.com/dustin/go-humanize v1.0.0
 	github.com/elastic/go-elasticsearch/v8 v8.5.0
 	github.com/flynn/hid v0.0.0-20190502022136-f1b9b6cc019a
@ -53,6 +52,7 @@ require (
 	github.com/go-mysql-org/go-mysql v1.5.0 // replaced
 	github.com/go-piv/piv-go v1.10.0
 	github.com/go-redis/redis/v9 v9.0.0-rc.1 // replaced
+	github.com/go-webauthn/webauthn v0.5.0
 	github.com/gobuffalo/flect v0.3.0
 	github.com/gocql/gocql v1.3.0
 	github.com/gofrs/flock v0.8.1
@ -213,28 +213,18 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/sso v1.11.25 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.8 // indirect
 	github.com/aws/smithy-go v1.13.5 // indirect
-	github.com/benbjohnson/clock v1.1.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/bgentry/speakeasy v0.1.0 // indirect
 	github.com/boombuler/barcode v1.0.1 // indirect
 	github.com/cenkalti/backoff/v4 v4.2.0 // indirect
-	github.com/census-instrumentation/opencensus-proto v0.3.0 // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/chai2010/gettext-go v1.0.2 // indirect
-	github.com/cloudflare/cfssl v1.6.1 // indirect
-	github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4 // indirect
-	github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1 // indirect
 	github.com/coreos/go-systemd/v22 v22.3.3-0.20220203105225-a9a7ef127534 // indirect
-	github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f // indirect
-	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
 	github.com/danieljoos/wincred v1.1.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/dvsekhvalnov/jose2go v1.5.0 // indirect
 	github.com/elastic/elastic-transport-go/v8 v8.1.0 // indirect
 	github.com/emicklei/go-restful/v3 v3.9.0 // indirect
-	github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1 // indirect
-	github.com/envoyproxy/protoc-gen-validate v0.6.1 // indirect
 	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
 	github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
@ -242,7 +232,6 @@ require (
 	github.com/felixge/httpsnoop v1.0.3 // indirect
 	github.com/form3tech-oss/jwt-go v3.2.5+incompatible // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
-	github.com/fullstorydev/grpcurl v1.8.1 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.1 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.4 // indirect
 	github.com/go-errors/errors v1.0.1 // indirect
@ -251,26 +240,23 @@ require (
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect
 	github.com/go-openapi/jsonreference v0.20.0 // indirect
 	github.com/go-openapi/swag v0.22.3 // indirect
+	github.com/go-webauthn/revoke v0.1.6 // indirect
 	github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2 // indirect
 	github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe // indirect
 	github.com/golang-sql/sqlexp v0.0.0-20170517235910-f1bb20e5a188 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
-	github.com/golang/mock v1.6.0 // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/golang/snappy v0.0.3 // indirect
-	github.com/google/certificate-transparency-go v1.1.2-0.20210511102531-373a877eec92 // indirect
 	github.com/google/flatbuffers v22.9.29+incompatible // indirect
 	github.com/google/gnostic v0.6.9 // indirect
+	github.com/google/go-tpm v0.3.3 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/renameio/v2 v2.0.0 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.2.0 // indirect
 	github.com/gorilla/handlers v1.5.1 // indirect
 	github.com/gorilla/mux v1.8.0 // indirect
 	github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect
-	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.0.0-rc.2.0.20220308023801-e4a6915ea237 // indirect
-	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
-	github.com/grpc-ecosystem/grpc-gateway v1.16.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.3 // indirect
 	github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c // indirect
 	github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed // indirect
@ -287,7 +273,6 @@ require (
 	github.com/jcmturner/gofork v1.7.6 // indirect
 	github.com/jcmturner/goidentity/v6 v6.0.1 // indirect
 	github.com/jcmturner/rpc/v2 v2.0.3 // indirect
-	github.com/jhump/protoreflect v1.8.2 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/josharian/native v1.0.0 // indirect
@ -317,7 +302,6 @@ require (
 	github.com/mtibben/percent v0.2.1 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/nsf/termbox-go v1.1.1 // indirect
-	github.com/olekukonko/tablewriter v0.0.5 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/pierrec/lz4/v4 v4.1.17 // indirect
 	github.com/pingcap/errors v0.11.5-0.20201126102027-b0a155152ca3 // indirect
@ -331,17 +315,13 @@ require (
 	github.com/rogpeppe/go-internal v1.9.0 // indirect
 	github.com/rs/zerolog v1.28.0 // indirect
 	github.com/russross/blackfriday v1.5.2 // indirect
-	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/ryszard/goskiplist v0.0.0-20150312221310-2dfbae5fcf46 // indirect
 	github.com/shabbyrobe/gocovmerge v0.0.0-20190829150210-3e036491d500 // indirect
 	github.com/siddontang/go v0.0.0-20180604090527-bdc77568d726 // indirect
 	github.com/siddontang/go-log v0.0.0-20180807004314-8d05993dda07 // indirect
-	github.com/soheilhy/cmux v0.1.5 // indirect
 	github.com/spf13/cobra v1.6.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/thales-e-security/pool v0.0.2 // indirect
-	github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802 // indirect
-	github.com/urfave/cli v1.22.5 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xdg-go/pbkdf2 v1.0.0 // indirect
 	github.com/xdg-go/scram v1.1.1 // indirect
@ -349,20 +329,10 @@ require (
 	github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
-	github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 // indirect
 	github.com/xlab/treeprint v1.1.0 // indirect
 	github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d // indirect
 	github.com/yuin/gopher-lua v0.0.0-20220504180219-658193537a64 // indirect
-	go.etcd.io/bbolt v1.3.6 // indirect
 	go.etcd.io/etcd/client/pkg/v3 v3.5.6 // indirect
-	go.etcd.io/etcd/client/v2 v2.305.5 // indirect
-	go.etcd.io/etcd/etcdctl/v3 v3.5.5 // indirect
-	go.etcd.io/etcd/etcdutl/v3 v3.5.5 // indirect
-	go.etcd.io/etcd/pkg/v3 v3.5.5 // indirect
-	go.etcd.io/etcd/raft/v3 v3.5.5 // indirect
-	go.etcd.io/etcd/server/v3 v3.5.5 // indirect
-	go.etcd.io/etcd/tests/v3 v3.5.5 // indirect
-	go.etcd.io/etcd/v3 v3.5.5 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.11.2 // indirect
 	go.opentelemetry.io/otel/metric v0.34.0 // indirect
@ -374,10 +344,8 @@ require (
 	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/mgo.v2 v2.0.0-20190816093944-a6b53ec6cb22 // indirect
-	gopkg.in/natefinch/lumberjack.v2 v2.0.0 // indirect
 	k8s.io/component-base v0.25.4 // indirect
 	k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect
 	sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
@ -401,12 +369,3 @@ replace (
 	github.com/sirupsen/logrus => github.com/gravitational/logrus v1.4.4-0.20210817004754-047e20245621
 	github.com/vulcand/predicate => github.com/gravitational/predicate v1.3.0
 )
-
-// Exclude etcd/v3 from the modules graph.
-// etcd is pulled as a tool dependency by [certificate-transparency-go][1], so
-// it's not a necessary import, but it causes problems with [opentelemetry
-// versions >=v1.5.0][2] due to deleted packages (metric/number and
-// metric/sdkapi).
-// [1]: https://github.com/google/certificate-transparency-go/blob/9df679d49f8d16130c6c42334430ffc54a9bd074/tools.go#L23
-// [2]: https://github.com/open-telemetry/opentelemetry-go/tree/v1.4.0/metric
-exclude go.etcd.io/etcd/v3 v3.5.0-alpha.0
--- a/go.sum
+++ b/go.sum
--- a/lib/auth/mocku2f/mocku2f.go
+++ b/lib/auth/mocku2f/mocku2f.go
@ -33,7 +33,7 @@ import (
 	"math/big"
 	"time"

-	"github.com/duo-labs/webauthn/protocol"
+	"github.com/go-webauthn/webauthn/protocol"
 	"github.com/gravitational/trace"
 )

--- a/lib/auth/mocku2f/webauthn.go
+++ b/lib/auth/mocku2f/webauthn.go
@ -23,9 +23,9 @@ import (
 	"encoding/binary"
 	"encoding/json"

-	"github.com/duo-labs/webauthn/protocol"
-	"github.com/duo-labs/webauthn/protocol/webauthncose"
 	"github.com/fxamacker/cbor/v2"
+	"github.com/go-webauthn/webauthn/protocol"
+	"github.com/go-webauthn/webauthn/protocol/webauthncose"
 	"github.com/gravitational/trace"

 	wanlib "github.com/gravitational/teleport/lib/auth/webauthn"
--- a/lib/auth/touchid/api.go
+++ b/lib/auth/touchid/api.go
@ -30,9 +30,9 @@ import (
 	"sync/atomic"
 	"time"

-	"github.com/duo-labs/webauthn/protocol"
-	"github.com/duo-labs/webauthn/protocol/webauthncose"
 	"github.com/fxamacker/cbor/v2"
+	"github.com/go-webauthn/webauthn/protocol"
+	"github.com/go-webauthn/webauthn/protocol/webauthncose"
 	"github.com/gravitational/trace"
 	log "github.com/sirupsen/logrus"

@ -515,7 +515,8 @@ func Login(origin, user string, assertion *wanlib.CredentialAssertion, picker Cr
 func pickCredential(
 	actx AuthContext,
 	infos []CredentialInfo, allowedCredentials []protocol.CredentialDescriptor,
-	picker CredentialPicker, promptOnce func(), userRequested bool) (*CredentialInfo, error) {
+	picker CredentialPicker, promptOnce func(), userRequested bool,
+) (*CredentialInfo, error) {
 	// Handle early exits.
 	switch l := len(infos); {
 	// MFA.
--- a/lib/auth/touchid/api_test.go
+++ b/lib/auth/touchid/api_test.go
@ -27,9 +27,9 @@ import (
 	"testing"
 	"time"

-	"github.com/duo-labs/webauthn/protocol"
-	"github.com/duo-labs/webauthn/protocol/webauthncose"
-	"github.com/duo-labs/webauthn/webauthn"
+	"github.com/go-webauthn/webauthn/protocol"
+	"github.com/go-webauthn/webauthn/protocol/webauthncose"
+	"github.com/go-webauthn/webauthn/webauthn"
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
--- a/lib/auth/webauthn/attestation.go
+++ b/lib/auth/webauthn/attestation.go
@ -18,7 +18,7 @@ import (
 	"crypto/x509"
 	"encoding/pem"

-	"github.com/duo-labs/webauthn/protocol"
+	"github.com/go-webauthn/webauthn/protocol"
 	"github.com/gravitational/trace"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/exp/slices"
--- a/lib/auth/webauthn/attestation_test.go
+++ b/lib/auth/webauthn/attestation_test.go
@ -26,8 +26,8 @@ import (
 	"testing"
 	"time"

-	"github.com/duo-labs/webauthn/protocol"
-	"github.com/duo-labs/webauthn/protocol/webauthncose"
+	"github.com/go-webauthn/webauthn/protocol"
+	"github.com/go-webauthn/webauthn/protocol/webauthncose"
 	"github.com/gravitational/trace"
 	"github.com/stretchr/testify/require"

@ -42,7 +42,7 @@ type attestationTest struct {
 }

 func TestVerifyAttestation(t *testing.T) {
-	var sig = []byte{1, 2, 3} // fake signature
+	sig := []byte{1, 2, 3} // fake signature

 	// secureKeyCA stands for a security key manufacturer CA.
 	// In practice, attestation certs are likely to derive directly from this one,
--- a/lib/auth/webauthn/config.go
+++ b/lib/auth/webauthn/config.go
@ -17,8 +17,8 @@ limitations under the License.
 package webauthn

 import (
-	"github.com/duo-labs/webauthn/protocol"
-	wan "github.com/duo-labs/webauthn/webauthn"
+	"github.com/go-webauthn/webauthn/protocol"
+	wan "github.com/go-webauthn/webauthn/webauthn"

 	"github.com/gravitational/teleport/api/types"
 	"github.com/gravitational/teleport/lib/defaults"
--- a/lib/auth/webauthn/device.go
+++ b/lib/auth/webauthn/device.go
@ -20,9 +20,9 @@ import (
 	"crypto/ecdsa"
 	"crypto/x509"

-	"github.com/duo-labs/webauthn/protocol/webauthncose"
-	wan "github.com/duo-labs/webauthn/webauthn"
 	"github.com/fxamacker/cbor/v2"
+	"github.com/go-webauthn/webauthn/protocol/webauthncose"
+	wan "github.com/go-webauthn/webauthn/webauthn"
 	"github.com/gravitational/trace"
 	log "github.com/sirupsen/logrus"

--- a/lib/auth/webauthn/fuzz_test.go
+++ b/lib/auth/webauthn/fuzz_test.go
@ -20,13 +20,12 @@ import (
 	"bytes"
 	"testing"

-	"github.com/duo-labs/webauthn/protocol"
+	"github.com/go-webauthn/webauthn/protocol"
 	"github.com/stretchr/testify/require"
 )

 func FuzzParseCredentialCreationResponseBody(f *testing.F) {
 	f.Fuzz(func(t *testing.T, body []byte) {
-
 		require.NotPanics(t, func() {
 			protocol.ParseCredentialCreationResponseBody(bytes.NewReader(body))
 		})
@ -35,7 +34,6 @@ func FuzzParseCredentialCreationResponseBody(f *testing.F) {

 func FuzzParseCredentialRequestResponseBody(f *testing.F) {
 	f.Fuzz(func(t *testing.T, body []byte) {
-
 		require.NotPanics(t, func() {
 			protocol.ParseCredentialRequestResponseBody(bytes.NewReader(body))
 		})
--- a/lib/auth/webauthn/login.go
+++ b/lib/auth/webauthn/login.go
@ -24,8 +24,8 @@ import (
 	"sort"
 	"time"

-	"github.com/duo-labs/webauthn/protocol"
-	wan "github.com/duo-labs/webauthn/webauthn"
+	"github.com/go-webauthn/webauthn/protocol"
+	wan "github.com/go-webauthn/webauthn/webauthn"
 	"github.com/gravitational/trace"
 	log "github.com/sirupsen/logrus"

--- a/lib/auth/webauthn/login_test.go
+++ b/lib/auth/webauthn/login_test.go
@ -23,7 +23,7 @@ import (
 	"testing"
 	"time"

-	"github.com/duo-labs/webauthn/protocol"
+	"github.com/go-webauthn/webauthn/protocol"
 	"github.com/gogo/protobuf/proto"
 	"github.com/google/go-cmp/cmp"
 	"github.com/gravitational/trace"
--- a/lib/auth/webauthn/messages.go
+++ b/lib/auth/webauthn/messages.go
@ -15,7 +15,7 @@
 package webauthn

 import (
-	"github.com/duo-labs/webauthn/protocol"
+	"github.com/go-webauthn/webauthn/protocol"
 	"github.com/gravitational/trace"
 )

--- a/lib/auth/webauthn/messages_test.go
+++ b/lib/auth/webauthn/messages_test.go
@ -19,8 +19,8 @@ import (
 	"encoding/json"
 	"testing"

-	"github.com/duo-labs/webauthn/protocol"
-	"github.com/duo-labs/webauthn/protocol/webauthncose"
+	"github.com/go-webauthn/webauthn/protocol"
+	"github.com/go-webauthn/webauthn/protocol/webauthncose"
 	"github.com/google/go-cmp/cmp"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@ -247,7 +247,7 @@ func TestRequireResidentKey(t *testing.T) {
 			name: "required and rrk=false",
 			in: protocol.AuthenticatorSelection{
 				ResidentKey:        protocol.ResidentKeyRequirementRequired,
-				RequireResidentKey: protocol.ResidentKeyUnrequired(),
+				RequireResidentKey: protocol.ResidentKeyNotRequired(),
 			},
 			wantErr: "invalid combination of ResidentKey",
 		},
--- a/lib/auth/webauthn/proto.go
+++ b/lib/auth/webauthn/proto.go
@ -17,8 +17,8 @@ package webauthn
 import (
 	"encoding/base64"

-	"github.com/duo-labs/webauthn/protocol"
-	"github.com/duo-labs/webauthn/protocol/webauthncose"
+	"github.com/go-webauthn/webauthn/protocol"
+	"github.com/go-webauthn/webauthn/protocol/webauthncose"

 	wantypes "github.com/gravitational/teleport/api/types/webauthn"
 )
--- a/lib/auth/webauthn/register.go
+++ b/lib/auth/webauthn/register.go
@ -22,8 +22,8 @@ import (
 	"sync"
 	"time"

-	"github.com/duo-labs/webauthn/protocol"
-	wan "github.com/duo-labs/webauthn/webauthn"
+	"github.com/go-webauthn/webauthn/protocol"
+	wan "github.com/go-webauthn/webauthn/webauthn"
 	"github.com/google/uuid"
 	"github.com/gravitational/trace"
 	log "github.com/sirupsen/logrus"
--- a/lib/auth/webauthn/register_test.go
+++ b/lib/auth/webauthn/register_test.go
@ -21,7 +21,7 @@ import (
 	"sort"
 	"testing"

-	"github.com/duo-labs/webauthn/protocol"
+	"github.com/go-webauthn/webauthn/protocol"
 	"github.com/google/go-cmp/cmp"
 	"github.com/gravitational/trace"
 	"github.com/stretchr/testify/require"
--- a/lib/auth/webauthn/session.go
+++ b/lib/auth/webauthn/session.go
@ -19,8 +19,8 @@ package webauthn
 import (
 	"encoding/base64"

-	"github.com/duo-labs/webauthn/protocol"
-	wan "github.com/duo-labs/webauthn/webauthn"
+	"github.com/go-webauthn/webauthn/protocol"
+	wan "github.com/go-webauthn/webauthn/webauthn"
 	"github.com/gravitational/trace"

 	wantypes "github.com/gravitational/teleport/api/types/webauthn"
--- a/lib/auth/webauthn/user.go
+++ b/lib/auth/webauthn/user.go
@ -17,7 +17,7 @@ limitations under the License.
 package webauthn

 import (
-	wan "github.com/duo-labs/webauthn/webauthn"
+	wan "github.com/go-webauthn/webauthn/webauthn"

 	"github.com/gravitational/teleport/api/types"
 )
--- a/lib/auth/webauthncli/fido2.go
+++ b/lib/auth/webauthncli/fido2.go
@ -28,9 +28,9 @@ import (
 	"sync"
 	"time"

-	"github.com/duo-labs/webauthn/protocol"
-	"github.com/duo-labs/webauthn/protocol/webauthncose"
 	"github.com/fxamacker/cbor/v2"
+	"github.com/go-webauthn/webauthn/protocol"
+	"github.com/go-webauthn/webauthn/protocol/webauthncose"
 	"github.com/gravitational/trace"
 	"github.com/keys-pub/go-libfido2"
 	log "github.com/sirupsen/logrus"
@ -78,10 +78,12 @@ type FIDODevice interface {
 }

 // fidoDeviceLocations and fidoNewDevice are used to allow testing.
-var fidoDeviceLocations = libfido2.DeviceLocations
-var fidoNewDevice = func(path string) (FIDODevice, error) {
-	return libfido2.NewDevice(path)
-}
+var (
+	fidoDeviceLocations = libfido2.DeviceLocations
+	fidoNewDevice       = func(path string) (FIDODevice, error) {
+		return libfido2.NewDevice(path)
+	}
+)

 // isLibfido2Enabled returns true if libfido2 is available in the current build.
 func isLibfido2Enabled() bool {
@ -275,7 +277,8 @@ func discoverRPID(dev FIDODevice, info *deviceInfo, pin, rpID, appID string, all
 }

 func pickAssertion(
-	assertions []*libfido2.Assertion, prompt LoginPrompt, user string, passwordless bool) (*libfido2.Assertion, error) {
+	assertions []*libfido2.Assertion, prompt LoginPrompt, user string, passwordless bool,
+) (*libfido2.Assertion, error) {
 	switch l := len(assertions); {
 	// Shouldn't happen, but let's be safe and handle it anyway.
 	case l == 0:
@ -540,9 +543,11 @@ type deviceWithInfo struct {
 	info *deviceInfo
 }

-type deviceFilterFunc func(dev FIDODevice, info *deviceInfo) error
-type deviceCallbackFunc func(dev FIDODevice, info *deviceInfo, pin string) error
-type pinAwareCallbackFunc func(dev FIDODevice, info *deviceInfo, pin string) (requiresPIN bool, err error)
+type (
+	deviceFilterFunc     func(dev FIDODevice, info *deviceInfo) error
+	deviceCallbackFunc   func(dev FIDODevice, info *deviceInfo, pin string) error
+	pinAwareCallbackFunc func(dev FIDODevice, info *deviceInfo, pin string) (requiresPIN bool, err error)
+)

 // runPrompt defines the prompt operations necessary for runOnFIDO2Devices.
 // (RegisterPrompt happens to match the minimal interface required.)
@ -552,7 +557,8 @@ func runOnFIDO2Devices(
 	ctx context.Context,
 	prompt runPrompt,
 	filter deviceFilterFunc,
-	deviceCallback deviceCallbackFunc) error {
+	deviceCallback deviceCallbackFunc,
+) error {
 	// About to select, prompt user.
 	if err := prompt.PromptTouch(); err != nil {
 		return trace.Wrap(err)
@ -887,7 +893,8 @@ func findDevices(knownPaths map[string]struct{}) ([]*deviceWithInfo, error) {

 func selectDevice(
 	ctx context.Context,
-	pin string, dev *deviceWithInfo, cb pinAwareCallbackFunc) (requiresPIN bool, err error) {
+	pin string, dev *deviceWithInfo, cb pinAwareCallbackFunc,
+) (requiresPIN bool, err error) {
 	// Spin a goroutine to run the callback so we can deal with context
 	// cancellation.
 	done := make(chan struct{})
--- a/lib/auth/webauthncli/fido2_common.go
+++ b/lib/auth/webauthncli/fido2_common.go
@ -19,8 +19,8 @@ import (
 	"io"
 	"time"

-	"github.com/duo-labs/webauthn/protocol"
-	"github.com/duo-labs/webauthn/protocol/webauthncose"
+	"github.com/go-webauthn/webauthn/protocol"
+	"github.com/go-webauthn/webauthn/protocol/webauthncose"
 	"github.com/gravitational/trace"

 	"github.com/gravitational/teleport/api/client/proto"
--- a/lib/auth/webauthncli/fido2_test.go
+++ b/lib/auth/webauthncli/fido2_test.go
@ -27,9 +27,9 @@ import (
 	"testing"
 	"time"

-	"github.com/duo-labs/webauthn/protocol"
-	"github.com/duo-labs/webauthn/protocol/webauthncose"
 	"github.com/fxamacker/cbor/v2"
+	"github.com/go-webauthn/webauthn/protocol"
+	"github.com/go-webauthn/webauthn/protocol/webauthncose"
 	"github.com/google/go-cmp/cmp"
 	"github.com/keys-pub/go-libfido2"
 	"github.com/stretchr/testify/assert"
@ -42,8 +42,10 @@ import (
 	wancli "github.com/gravitational/teleport/lib/auth/webauthncli"
 )

-var makeCredentialAuthDataRaw, makeCredentialAuthDataCBOR, makeCredentialSig []byte
-var assertionAuthDataRaw, assertionAuthDataCBOR, assertionSig []byte
+var (
+	makeCredentialAuthDataRaw, makeCredentialAuthDataCBOR, makeCredentialSig []byte
+	assertionAuthDataRaw, assertionAuthDataCBOR, assertionSig                []byte
+)

 func init() {
 	// Initialize arrays with random data, but use realistic sizes.
@ -189,8 +191,8 @@ func TestFIDO2Login(t *testing.T) {
 	// User IDs and names for resident credentials / passwordless.
 	const llamaName = "llama"
 	const alpacaName = "alpaca"
-	var llamaID = make([]byte, 16)
-	var alpacaID = make([]byte, 16)
+	llamaID := make([]byte, 16)
+	alpacaID := make([]byte, 16)
 	for _, b := range [][]byte{llamaID, alpacaID} {
 		_, err := rand.Read(b)
 		require.NoError(t, err, "Read failed")
@ -1236,7 +1238,7 @@ func TestFIDO2_LoginRegister_interactionErrors(t *testing.T) {
 				},
 			},
 			AuthenticatorSelection: protocol.AuthenticatorSelection{
-				RequireResidentKey: protocol.ResidentKeyUnrequired(),
+				RequireResidentKey: protocol.ResidentKeyNotRequired(),
 				ResidentKey:        protocol.ResidentKeyRequirementDiscouraged,
 				UserVerification:   protocol.VerificationDiscouraged,
 			},
--- a/lib/auth/webauthncli/u2f_login.go
+++ b/lib/auth/webauthncli/u2f_login.go
@ -22,8 +22,8 @@ import (
 	"encoding/json"
 	"fmt"

-	"github.com/duo-labs/webauthn/protocol"
 	"github.com/flynn/u2f/u2ftoken"
+	"github.com/go-webauthn/webauthn/protocol"
 	"github.com/gravitational/trace"

 	"github.com/gravitational/teleport/api/client/proto"
--- a/lib/auth/webauthncli/u2f_login_test.go
+++ b/lib/auth/webauthncli/u2f_login_test.go
@ -25,10 +25,10 @@ import (
 	"testing"
 	"time"

-	"github.com/duo-labs/webauthn/protocol"
 	"github.com/flynn/hid"
 	"github.com/flynn/u2f/u2fhid"
 	"github.com/flynn/u2f/u2ftoken"
+	"github.com/go-webauthn/webauthn/protocol"
 	"github.com/gravitational/trace"
 	"github.com/stretchr/testify/require"

--- a/lib/auth/webauthncli/u2f_register.go
+++ b/lib/auth/webauthncli/u2f_register.go
@ -27,10 +27,10 @@ import (
 	"encoding/json"
 	"fmt"

-	"github.com/duo-labs/webauthn/protocol"
-	"github.com/duo-labs/webauthn/protocol/webauthncose"
 	"github.com/flynn/u2f/u2ftoken"
 	"github.com/fxamacker/cbor/v2"
+	"github.com/go-webauthn/webauthn/protocol"
+	"github.com/go-webauthn/webauthn/protocol/webauthncose"
 	"github.com/gravitational/trace"
 	log "github.com/sirupsen/logrus"

--- a/lib/auth/webauthncli/u2f_register_test.go
+++ b/lib/auth/webauthncli/u2f_register_test.go
@ -19,8 +19,8 @@ import (
 	"testing"
 	"time"

-	"github.com/duo-labs/webauthn/protocol"
-	"github.com/duo-labs/webauthn/protocol/webauthncose"
+	"github.com/go-webauthn/webauthn/protocol"
+	"github.com/go-webauthn/webauthn/protocol/webauthncose"
 	"github.com/stretchr/testify/require"

 	"github.com/gravitational/teleport/api/types"
--- a/lib/auth/webauthnwin/api.go
+++ b/lib/auth/webauthnwin/api.go
@ -25,8 +25,8 @@ import (
 	"io"
 	"os"

-	"github.com/duo-labs/webauthn/protocol"
-	"github.com/duo-labs/webauthn/protocol/webauthncose"
+	"github.com/go-webauthn/webauthn/protocol"
+	"github.com/go-webauthn/webauthn/protocol/webauthncose"
 	"github.com/gravitational/trace"

 	"github.com/gravitational/teleport/api/client/proto"
--- a/lib/auth/webauthnwin/api_test.go
+++ b/lib/auth/webauthnwin/api_test.go
@ -20,8 +20,8 @@ import (
 	"testing"
 	"time"

-	"github.com/duo-labs/webauthn/protocol"
-	"github.com/duo-labs/webauthn/protocol/webauthncose"
+	"github.com/go-webauthn/webauthn/protocol"
+	"github.com/go-webauthn/webauthn/protocol/webauthncose"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

@ -76,7 +76,6 @@ func TestRegister(t *testing.T) {
 			origin:   origin,
 			createCC: func() *wanlib.CredentialCreation { return okCC },
 			assertFn: func(t *testing.T, ccr *webauthn.CredentialCreationResponse, req *makeCredentialRequest) {
-
 				assert.Equal(t, webauthnAttachmentAny, req.opts.dwAuthenticatorAttachment)

 				assert.Equal(t, webauthnUserVerificationDiscouraged, req.opts.dwUserVerificationRequirement)
@ -96,7 +95,6 @@ func TestRegister(t *testing.T) {
 				return &cc
 			},
 			assertFn: func(t *testing.T, ccr *webauthn.CredentialCreationResponse, req *makeCredentialRequest) {
-
 				assert.Equal(t, webauthnUserVerificationRequired, req.opts.dwUserVerificationRequirement)

 				assert.Equal(t, webauthnAttachmentCrossPlatform, req.opts.dwAuthenticatorAttachment)
@ -114,7 +112,6 @@ func TestRegister(t *testing.T) {
 				return &cc
 			},
 			assertFn: func(t *testing.T, ccr *webauthn.CredentialCreationResponse, req *makeCredentialRequest) {
-
 				assert.Equal(t, webauthnUserVerificationPreferred, req.opts.dwUserVerificationRequirement)

 				assert.Equal(t, webauthnAttachmentPlatform, req.opts.dwAuthenticatorAttachment)
@ -129,9 +126,7 @@ func TestRegister(t *testing.T) {
 				return &cc
 			},
 			assertFn: func(t *testing.T, ccr *webauthn.CredentialCreationResponse, req *makeCredentialRequest) {
-
 				assert.Equal(t, webauthnUserVerificationDiscouraged, req.opts.dwUserVerificationRequirement)
-
 			},
 		},
 		{
@ -160,7 +155,6 @@ func TestRegister(t *testing.T) {
 			if test.assertFn != nil {
 				test.assertFn(t, resp.GetWebauthn(), mock.makeCredentialReq)
 			}
-
 		})
 	}
 }
@ -193,7 +187,6 @@ func TestLogin(t *testing.T) {
 			origin:      origin,
 			assertionIn: func() *wanlib.CredentialAssertion { return okAssertion },
 			assertFn: func(t *testing.T, car *webauthn.CredentialAssertionResponse, req *getAssertionRequest) {
-
 				assert.Equal(t, uint32(6), req.opts.dwVersion)

 				assert.Equal(t, webauthnUserVerificationDiscouraged, req.opts.dwUserVerificationRequirement)
@ -211,13 +204,11 @@ func TestLogin(t *testing.T) {
 			},
 			opts: LoginOpts{AuthenticatorAttachment: AttachmentPlatform},
 			assertFn: func(t *testing.T, car *webauthn.CredentialAssertionResponse, req *getAssertionRequest) {
-
 				assert.Equal(t, uint32(6), req.opts.dwVersion)

 				assert.Equal(t, webauthnUserVerificationRequired, req.opts.dwUserVerificationRequirement)

 				assert.Equal(t, webauthnAttachmentPlatform, req.opts.dwAuthenticatorAttachment)
-
 			},
 		},
 		{
@ -230,13 +221,11 @@ func TestLogin(t *testing.T) {
 			},
 			opts: LoginOpts{AuthenticatorAttachment: AttachmentCrossPlatform},
 			assertFn: func(t *testing.T, car *webauthn.CredentialAssertionResponse, req *getAssertionRequest) {
-
 				assert.Equal(t, uint32(6), req.opts.dwVersion)

 				assert.Equal(t, webauthnUserVerificationPreferred, req.opts.dwUserVerificationRequirement)

 				assert.Equal(t, webauthnAttachmentCrossPlatform, req.opts.dwAuthenticatorAttachment)
-
 			},
 		},
 		{
@ -249,11 +238,9 @@ func TestLogin(t *testing.T) {
 			},
 			opts: LoginOpts{AuthenticatorAttachment: AttachmentCrossPlatform},
 			assertFn: func(t *testing.T, car *webauthn.CredentialAssertionResponse, req *getAssertionRequest) {
-
 				assert.Equal(t, uint32(6), req.opts.dwVersion)

 				assert.Equal(t, webauthnUserVerificationDiscouraged, req.opts.dwUserVerificationRequirement)
-
 			},
 		},
 	}
--- a/lib/auth/webauthnwin/conv.go
+++ b/lib/auth/webauthnwin/conv.go
@ -20,7 +20,7 @@ import (
 	"syscall"
 	"unicode/utf16"

-	"github.com/duo-labs/webauthn/protocol"
+	"github.com/go-webauthn/webauthn/protocol"
 	"github.com/gravitational/trace"
 )

@ -172,7 +172,6 @@ func clientDataToCType(challenge, origin, cdType string) (*webauthnClientData, [
 		pbClientDataJSON: &jsonCD[0],
 		pwszHashAlgID:    algID,
 	}, jsonCD, nil
-
 }

 func credentialsExToCType(in []protocol.CredentialDescriptor) (*webauthnCredentialList, error) {
--- a/lib/auth/webauthnwin/webauthn_windows.go
+++ b/lib/auth/webauthnwin/webauthn_windows.go
@ -21,7 +21,7 @@ import (
 	"syscall"
 	"unsafe"

-	"github.com/duo-labs/webauthn/protocol"
+	"github.com/go-webauthn/webauthn/protocol"
 	"github.com/gravitational/trace"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/sys/windows"
--- a/lib/client/weblogin.go
+++ b/lib/client/weblogin.go
@ -30,7 +30,7 @@ import (
 	"runtime"
 	"time"

-	"github.com/duo-labs/webauthn/protocol"
+	"github.com/go-webauthn/webauthn/protocol"
 	"github.com/gravitational/roundtrip"
 	"github.com/gravitational/trace"
 	"github.com/sirupsen/logrus"
--- a/lib/services/local/users_test.go
+++ b/lib/services/local/users_test.go
@ -22,7 +22,7 @@ import (
 	"testing"
 	"time"

-	"github.com/duo-labs/webauthn/protocol"
+	"github.com/go-webauthn/webauthn/protocol"
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/uuid"
 	"github.com/gravitational/trace"
--- a/lib/srv/desktop/tdp/proto_test.go
+++ b/lib/srv/desktop/tdp/proto_test.go
@ -28,7 +28,7 @@ import (
 	"path/filepath"
 	"testing"

-	"github.com/duo-labs/webauthn/protocol"
+	"github.com/go-webauthn/webauthn/protocol"
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
 	"github.com/gravitational/trace"