proxy: add userinfo and webauthn endpoints (#3755)

* proxy: add userinfo and webauthn endpoints * use TLD for RP id * use EffectiveTLDPlusOne * upgrade webauthn * fix test * Update internal/handlers/jwks.go Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
2025-06-06 04:42:56 +02:00 · 2022-11-22 10:26:35 -07:00 · 2022-11-22 10:26:35 -07:00 · c1a522cd82
commit c1a522cd82
parent 81053ac8ef
33 changed files with 498 additions and 216 deletions
--- a/authenticate/authenticate.go
+++ b/authenticate/authenticate.go
@ -7,9 +7,9 @@ import (
 	"errors"
 	"fmt"

-	"github.com/pomerium/pomerium/authenticate/handlers/webauthn"
 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/atomicutil"
+	"github.com/pomerium/pomerium/internal/handlers/webauthn"
 	"github.com/pomerium/pomerium/internal/log"
 	"github.com/pomerium/pomerium/pkg/cryptutil"
 )
--- a/authenticate/handlers.go
+++ b/authenticate/handlers.go
@ -18,8 +18,8 @@ import (

 	"github.com/pomerium/csrf"
 	"github.com/pomerium/datasource/pkg/directory"
-	"github.com/pomerium/pomerium/authenticate/handlers"
-	"github.com/pomerium/pomerium/authenticate/handlers/webauthn"
+	"github.com/pomerium/pomerium/internal/handlers"
+	"github.com/pomerium/pomerium/internal/handlers/webauthn"
 	"github.com/pomerium/pomerium/internal/httputil"
 	"github.com/pomerium/pomerium/internal/identity"
 	"github.com/pomerium/pomerium/internal/identity/manager"
@ -33,6 +33,7 @@ import (
 	"github.com/pomerium/pomerium/pkg/grpc/databroker"
 	"github.com/pomerium/pomerium/pkg/grpc/session"
 	"github.com/pomerium/pomerium/pkg/grpc/user"
+	"github.com/pomerium/pomerium/pkg/webauthnutil"
 )

 // Handler returns the authenticate service's handler chain.
@ -544,7 +545,7 @@ func (a *Authenticate) getUserInfoData(r *http.Request) (handlers.UserInfoData,
 			Id: pbSession.GetUserId(),
 		}
 	}
-	creationOptions, requestOptions, _ := a.webauthn.GetOptions(r.Context())
+	creationOptions, requestOptions, _ := a.webauthn.GetOptions(r)

 	data := handlers.UserInfoData{
 		CSRFToken:      csrf.Token(r),
@ -715,15 +716,15 @@ func (a *Authenticate) getUser(ctx context.Context, userID string) (*user.User,
 	return user.Get(ctx, client, userID)
 }

-func (a *Authenticate) getWebauthnState(ctx context.Context) (*webauthn.State, error) {
+func (a *Authenticate) getWebauthnState(r *http.Request) (*webauthn.State, error) {
 	state := a.state.Load()

-	s, _, err := a.getCurrentSession(ctx)
+	s, _, err := a.getCurrentSession(r.Context())
 	if err != nil {
 		return nil, err
 	}

-	ss, err := a.getSessionFromCtx(ctx)
+	ss, err := a.getSessionFromCtx(r.Context())
 	if err != nil {
 		return nil, err
 	}
@ -752,7 +753,7 @@ func (a *Authenticate) getWebauthnState(ctx context.Context) (*webauthn.State, e
 		Session:                 s,
 		SessionState:            ss,
 		SessionStore:            state.sessionStore,
-		RelyingParty:            state.webauthnRelyingParty,
+		RelyingParty:            webauthnutil.GetRelyingParty(r, state.dataBrokerClient),
 		BrandingOptions:         a.options.Load().BrandingOptions,
 	}, nil
 }
--- a/authenticate/handlers/device-enrolled.go
+++ b/authenticate/handlers/device-enrolled.go
@ -1,15 +0,0 @@
-package handlers
-
-import (
-	"net/http"
-
-	"github.com/pomerium/pomerium/internal/httputil"
-	"github.com/pomerium/pomerium/ui"
-)
-
-// DeviceEnrolled displays an HTML page informing the user that they've successfully enrolled a device.
-func DeviceEnrolled(data UserInfoData) http.Handler {
-	return httputil.HandlerFunc(func(w http.ResponseWriter, r *http.Request) error {
-		return ui.ServePage(w, r, "DeviceEnrolled", data.ToJSON())
-	})
-}
--- a/authenticate/handlers/handlers.go
+++ b/authenticate/handlers/handlers.go
@ -1,2 +0,0 @@
-// Package handlers contains various web handlers for the authenticate service.
-package handlers
--- a/authenticate/handlers/signout.go
+++ b/authenticate/handlers/signout.go
@ -1,27 +0,0 @@
-package handlers
-
-import (
-	"net/http"
-
-	"github.com/pomerium/pomerium/internal/httputil"
-	"github.com/pomerium/pomerium/ui"
-)
-
-// SignOutConfirmData is the data for the SignOutConfirm page.
-type SignOutConfirmData struct {
-	URL string
-}
-
-// ToJSON converts the data into a JSON map.
-func (data SignOutConfirmData) ToJSON() map[string]interface{} {
-	return map[string]interface{}{
-		"url": data.URL,
-	}
-}
-
-// SignOutConfirm returns a handler that renders the sign out confirm page.
-func SignOutConfirm(data SignOutConfirmData) http.Handler {
-	return httputil.HandlerFunc(func(w http.ResponseWriter, r *http.Request) error {
-		return ui.ServePage(w, r, "SignOutConfirm", data.ToJSON())
-	})
-}
--- a/authenticate/handlers/userinfo.go
+++ b/authenticate/handlers/userinfo.go
@ -1,65 +0,0 @@
-package handlers
-
-import (
-	"encoding/json"
-	"net/http"
-
-	"google.golang.org/protobuf/encoding/protojson"
-
-	"github.com/pomerium/datasource/pkg/directory"
-	"github.com/pomerium/pomerium/internal/httputil"
-	"github.com/pomerium/pomerium/pkg/grpc/session"
-	"github.com/pomerium/pomerium/pkg/grpc/user"
-	"github.com/pomerium/pomerium/ui"
-	"github.com/pomerium/webauthn"
-)
-
-// UserInfoData is the data for the UserInfo page.
-type UserInfoData struct {
-	CSRFToken      string
-	IsImpersonated bool
-	Session        *session.Session
-	User           *user.User
-
-	IsEnterprise    bool
-	DirectoryUser   *directory.User
-	DirectoryGroups []*directory.Group
-
-	WebAuthnCreationOptions *webauthn.PublicKeyCredentialCreationOptions
-	WebAuthnRequestOptions  *webauthn.PublicKeyCredentialRequestOptions
-	WebAuthnURL             string
-
-	BrandingOptions httputil.BrandingOptions
-}
-
-// ToJSON converts the data into a JSON map.
-func (data UserInfoData) ToJSON() map[string]any {
-	m := map[string]any{}
-	m["csrfToken"] = data.CSRFToken
-	m["isImpersonated"] = data.IsImpersonated
-	if bs, err := protojson.Marshal(data.Session); err == nil {
-		m["session"] = json.RawMessage(bs)
-	}
-	if bs, err := protojson.Marshal(data.User); err == nil {
-		m["user"] = json.RawMessage(bs)
-	}
-	m["isEnterprise"] = data.IsEnterprise
-	if data.DirectoryUser != nil {
-		m["directoryUser"] = data.DirectoryUser
-	}
-	if len(data.DirectoryGroups) > 0 {
-		m["directoryGroups"] = data.DirectoryGroups
-	}
-	m["webAuthnCreationOptions"] = data.WebAuthnCreationOptions
-	m["webAuthnRequestOptions"] = data.WebAuthnRequestOptions
-	m["webAuthnUrl"] = data.WebAuthnURL
-	httputil.AddBrandingOptionsToMap(m, data.BrandingOptions)
-	return m
-}
-
-// UserInfo returns a handler that renders the user info page.
-func UserInfo(data UserInfoData) http.Handler {
-	return httputil.HandlerFunc(func(w http.ResponseWriter, r *http.Request) error {
-		return ui.ServePage(w, r, "UserInfo", data.ToJSON())
-	})
-}
--- a/authenticate/handlers/webauthn/webauthn.go
+++ b/authenticate/handlers/webauthn/webauthn.go
@ -1,550 +0,0 @@
-// Package webauthn contains handlers for the WebAuthn flow in authenticate.
-package webauthn
-
-import (
-	"bytes"
-	"context"
-	"encoding/base64"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"net/http"
-	"net/url"
-
-	"github.com/google/uuid"
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/status"
-	"google.golang.org/protobuf/types/known/timestamppb"
-
-	"github.com/pomerium/pomerium/internal/encoding/jws"
-	"github.com/pomerium/pomerium/internal/httputil"
-	"github.com/pomerium/pomerium/internal/middleware"
-	"github.com/pomerium/pomerium/internal/sessions"
-	"github.com/pomerium/pomerium/internal/urlutil"
-	"github.com/pomerium/pomerium/pkg/cryptutil"
-	"github.com/pomerium/pomerium/pkg/grpc/databroker"
-	"github.com/pomerium/pomerium/pkg/grpc/device"
-	"github.com/pomerium/pomerium/pkg/grpc/session"
-	"github.com/pomerium/pomerium/pkg/grpc/user"
-	"github.com/pomerium/pomerium/pkg/webauthnutil"
-	"github.com/pomerium/pomerium/ui"
-	"github.com/pomerium/webauthn"
-)
-
-const maxAuthenticateResponses = 5
-
-var (
-	errMissingDeviceCredentialID = httputil.NewError(http.StatusBadRequest, errors.New(
-		urlutil.QueryDeviceCredentialID+" is a required parameter"))
-	errMissingDeviceType = httputil.NewError(http.StatusBadRequest, errors.New(
-		urlutil.QueryDeviceType+" is a required parameter"))
-	errMissingRedirectURI = httputil.NewError(http.StatusBadRequest, errors.New(
-		urlutil.QueryRedirectURI+" is a required parameter"))
-	errInvalidDeviceCredential = httputil.NewError(http.StatusBadRequest, errors.New(
-		"invalid device credential"))
-)
-
-// State is the state needed by the Handler to handle requests.
-type State struct {
-	AuthenticateURL         *url.URL
-	InternalAuthenticateURL *url.URL
-	Client                  databroker.DataBrokerServiceClient
-	PomeriumDomains         []string
-	RelyingParty            *webauthn.RelyingParty
-	Session                 *session.Session
-	SessionState            *sessions.State
-	SessionStore            sessions.SessionStore
-	SharedKey               []byte
-	BrandingOptions         httputil.BrandingOptions
-}
-
-// A StateProvider provides state for the handler.
-type StateProvider = func(context.Context) (*State, error)
-
-// Handler is the WebAuthn device handler.
-type Handler struct {
-	getState StateProvider
-}
-
-// New creates a new Handler.
-func New(getState StateProvider) *Handler {
-	return &Handler{
-		getState: getState,
-	}
-}
-
-// GetOptions returns the creation and request options for WebAuthn.
-func (h *Handler) GetOptions(ctx context.Context) (
-	creationOptions *webauthn.PublicKeyCredentialCreationOptions,
-	requestOptions *webauthn.PublicKeyCredentialRequestOptions,
-	err error,
-) {
-	state, err := h.getState(ctx)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	return h.getOptions(ctx, state, webauthnutil.DefaultDeviceType)
-}
-
-// ServeHTTP serves the HTTP handler.
-func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	httputil.HandlerFunc(h.handle).ServeHTTP(w, r)
-}
-
-func (h *Handler) getOptions(ctx context.Context, state *State, deviceTypeParam string) (
-	creationOptions *webauthn.PublicKeyCredentialCreationOptions,
-	requestOptions *webauthn.PublicKeyCredentialRequestOptions,
-	err error,
-) {
-	// get the user information
-	u, err := user.Get(ctx, state.Client, state.Session.GetUserId())
-	if err != nil {
-		return nil, nil, err
-	}
-
-	// get the device credentials
-	knownDeviceCredentials, err := getKnownDeviceCredentials(ctx, state.Client, u.GetDeviceCredentialIds()...)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	// get the stored device type
-	deviceType := webauthnutil.GetDeviceType(ctx, state.Client, deviceTypeParam)
-
-	creationOptions = webauthnutil.GenerateCreationOptions(state.SharedKey, deviceType, u)
-	requestOptions = webauthnutil.GenerateRequestOptions(state.SharedKey, deviceType, knownDeviceCredentials)
-	return creationOptions, requestOptions, nil
-}
-
-func (h *Handler) handle(w http.ResponseWriter, r *http.Request) error {
-	s, err := h.getState(r.Context())
-	if err != nil {
-		return err
-	}
-
-	err = middleware.ValidateRequestURL(
-		urlutil.GetExternalRequest(s.InternalAuthenticateURL, s.AuthenticateURL, r),
-		s.SharedKey,
-	)
-	if err != nil {
-		return err
-	}
-
-	switch {
-	case r.Method == "GET":
-		return h.handleView(w, r, s)
-	case r.FormValue("action") == "authenticate":
-		return h.handleAuthenticate(w, r, s)
-	case r.FormValue("action") == "register":
-		return h.handleRegister(w, r, s)
-	case r.FormValue("action") == "unregister":
-		return h.handleUnregister(w, r, s)
-	}
-
-	return httputil.NewError(http.StatusNotFound, errors.New(http.StatusText(http.StatusNotFound)))
-}
-
-func (h *Handler) handleAuthenticate(w http.ResponseWriter, r *http.Request, state *State) error {
-	ctx := r.Context()
-
-	deviceTypeParam := r.FormValue(urlutil.QueryDeviceType)
-	if deviceTypeParam == "" {
-		return errMissingDeviceType
-	}
-
-	redirectURIParam := r.FormValue(urlutil.QueryRedirectURI)
-	if redirectURIParam == "" {
-		return errMissingRedirectURI
-	}
-
-	responseParam := r.FormValue("authenticate_response")
-	var credential webauthn.PublicKeyAssertionCredential
-	err := json.Unmarshal([]byte(responseParam), &credential)
-	if err != nil {
-		return httputil.NewError(http.StatusBadRequest, errors.New("invalid authenticate response"))
-	}
-	credentialJSON, err := json.Marshal(credential)
-	if err != nil {
-		return err
-	}
-	// Set the UserHandle which won't typically be filled in by the client
-	credential.Response.UserHandle = webauthnutil.GetUserEntityID(state.Session.GetUserId())
-
-	// get the user information
-	u, err := user.Get(ctx, state.Client, state.Session.GetUserId())
-	if err != nil {
-		return fmt.Errorf("error retrieving user record: %w", err)
-	}
-
-	// get the stored device type
-	deviceType := webauthnutil.GetDeviceType(ctx, state.Client, deviceTypeParam)
-
-	// get the device credentials
-	knownDeviceCredentials, err := getKnownDeviceCredentials(ctx, state.Client, u.GetDeviceCredentialIds()...)
-	if err != nil {
-		return fmt.Errorf("error retrieving webauthn known device credentials: %w", err)
-	}
-
-	requestOptions, err := webauthnutil.GetRequestOptionsForCredential(
-		state.SharedKey,
-		deviceType,
-		knownDeviceCredentials,
-		&credential,
-	)
-	if err != nil {
-		return httputil.NewError(http.StatusBadRequest, fmt.Errorf("invalid register options: %w", err))
-	}
-
-	serverCredential, err := state.RelyingParty.VerifyAuthenticationCeremony(
-		ctx,
-		requestOptions,
-		&credential,
-	)
-	if err != nil {
-		return httputil.NewError(http.StatusBadRequest, fmt.Errorf("error verifying registration: %w", err))
-	}
-
-	// store the authenticate response
-	for _, deviceCredential := range knownDeviceCredentials {
-		webauthnCredential := deviceCredential.GetWebauthn()
-		if webauthnCredential == nil {
-			continue
-		}
-
-		if !bytes.Equal(webauthnCredential.Id, serverCredential.ID) {
-			continue
-		}
-
-		// add the response to the list and cap it, removing the oldest responses
-		webauthnCredential.AuthenticateResponse = append(webauthnCredential.AuthenticateResponse, credentialJSON)
-		for len(webauthnCredential.AuthenticateResponse) > maxAuthenticateResponses {
-			webauthnCredential.AuthenticateResponse = webauthnCredential.AuthenticateResponse[1:]
-		}
-
-		// store the updated device credential
-		err = device.PutCredential(ctx, state.Client, deviceCredential)
-		if err != nil {
-			return err
-		}
-	}
-
-	// update the session
-	state.Session.DeviceCredentials = append(state.Session.DeviceCredentials, &session.Session_DeviceCredential{
-		TypeId: deviceType.GetId(),
-		Credential: &session.Session_DeviceCredential_Id{
-			Id: webauthnutil.GetDeviceCredentialID(serverCredential.ID),
-		},
-	})
-	return h.saveSessionAndRedirect(w, r, state, redirectURIParam)
-}
-
-func (h *Handler) handleRegister(w http.ResponseWriter, r *http.Request, state *State) error {
-	ctx := r.Context()
-
-	deviceTypeParam := r.FormValue(urlutil.QueryDeviceType)
-	if deviceTypeParam == "" {
-		return errMissingDeviceType
-	}
-
-	redirectURIParam := r.FormValue(urlutil.QueryRedirectURI)
-	if redirectURIParam == "" {
-		return errMissingRedirectURI
-	}
-
-	responseParam := r.FormValue("register_response")
-	var credential webauthn.PublicKeyCreationCredential
-	err := json.Unmarshal([]byte(responseParam), &credential)
-	if err != nil {
-		return httputil.NewError(http.StatusBadRequest, errors.New("invalid register response"))
-	}
-	credentialJSON, err := json.Marshal(credential)
-	if err != nil {
-		return err
-	}
-
-	// get the user information
-	u, err := user.Get(ctx, state.Client, state.Session.GetUserId())
-	if err != nil {
-		return fmt.Errorf("error retrieving user record: %w", err)
-	}
-
-	// get the stored device type
-	deviceType := webauthnutil.GetDeviceType(ctx, state.Client, deviceTypeParam)
-
-	creationOptions, err := webauthnutil.GetCreationOptionsForCredential(
-		state.SharedKey,
-		deviceType,
-		u,
-		&credential,
-	)
-	if err != nil {
-		return httputil.NewError(http.StatusBadRequest, fmt.Errorf("invalid register options: %w", err))
-	}
-	creationOptionsJSON, err := json.Marshal(creationOptions)
-	if err != nil {
-		return err
-	}
-
-	serverCredential, err := state.RelyingParty.VerifyRegistrationCeremony(
-		ctx,
-		creationOptions,
-		&credential,
-	)
-	if err != nil {
-		return httputil.NewError(http.StatusBadRequest, fmt.Errorf("error verifying registration: %w", err))
-	}
-
-	deviceCredentialID := webauthnutil.GetDeviceCredentialID(serverCredential.ID)
-
-	deviceEnrollment, err := getOrCreateDeviceEnrollment(ctx, r, state, deviceType.GetId(), deviceCredentialID, u)
-	if err != nil {
-		return err
-	}
-
-	// save the credential
-	deviceCredential := &device.Credential{
-		Id:           deviceCredentialID,
-		TypeId:       deviceType.GetId(),
-		EnrollmentId: deviceEnrollment.GetId(),
-		UserId:       u.GetId(),
-		Specifier: &device.Credential_Webauthn{
-			Webauthn: &device.Credential_WebAuthn{
-				Id:        serverCredential.ID,
-				PublicKey: serverCredential.PublicKey,
-
-				RegisterOptions:  creationOptionsJSON,
-				RegisterResponse: credentialJSON,
-			},
-		},
-	}
-	err = device.PutCredential(ctx, state.Client, deviceCredential)
-	if err != nil {
-		return err
-	}
-
-	// save the user
-	u.AddDeviceCredentialID(deviceCredential.GetId())
-	_, err = databroker.Put(ctx, state.Client, u)
-	if err != nil {
-		return err
-	}
-
-	// update the session
-	state.Session.DeviceCredentials = append(state.Session.DeviceCredentials, &session.Session_DeviceCredential{
-		TypeId: deviceType.GetId(),
-		Credential: &session.Session_DeviceCredential_Id{
-			Id: webauthnutil.GetDeviceCredentialID(serverCredential.ID),
-		},
-	})
-
-	return h.saveSessionAndRedirect(w, r, state, redirectURIParam)
-}
-
-func (h *Handler) handleUnregister(w http.ResponseWriter, r *http.Request, state *State) error {
-	ctx := r.Context()
-
-	// get the user information
-	u, err := user.Get(ctx, state.Client, state.Session.GetUserId())
-	if err != nil {
-		return err
-	}
-
-	deviceCredentialID := r.FormValue(urlutil.QueryDeviceCredentialID)
-	if deviceCredentialID == "" {
-		return errMissingDeviceCredentialID
-	}
-
-	// ensure we only allow removing a device credential the user owns
-	if !u.HasDeviceCredentialID(deviceCredentialID) {
-		return errInvalidDeviceCredential
-	}
-
-	// delete the credential
-	deviceCredential, err := device.DeleteCredential(ctx, state.Client, deviceCredentialID)
-	if err != nil {
-		return err
-	}
-
-	// delete the corresponding enrollment
-	_, err = device.DeleteEnrollment(ctx, state.Client, deviceCredential.GetEnrollmentId())
-	if err != nil {
-		return err
-	}
-
-	// remove the credential from the user
-	u.RemoveDeviceCredentialID(deviceCredentialID)
-	_, err = databroker.Put(ctx, state.Client, u)
-	if err != nil {
-		return err
-	}
-
-	// remove the credential from the session
-	state.Session.RemoveDeviceCredentialID(deviceCredentialID)
-	return h.saveSessionAndRedirect(w, r, state, urlutil.GetAbsoluteURL(r).ResolveReference(&url.URL{
-		Path: "/.pomerium",
-	}).String())
-}
-
-func (h *Handler) handleView(w http.ResponseWriter, r *http.Request, state *State) error {
-	ctx := r.Context()
-
-	deviceTypeParam := r.FormValue(urlutil.QueryDeviceType)
-	if deviceTypeParam == "" {
-		return errMissingDeviceType
-	}
-
-	creationOptions, requestOptions, err := h.getOptions(ctx, state, deviceTypeParam)
-	if err != nil {
-		return err
-	}
-
-	m := map[string]interface{}{
-		"creationOptions": creationOptions,
-		"requestOptions":  requestOptions,
-		"selfUrl":         r.URL.String(),
-	}
-	httputil.AddBrandingOptionsToMap(m, state.BrandingOptions)
-	return ui.ServePage(w, r, "WebAuthnRegistration", m)
-}
-
-func (h *Handler) saveSessionAndRedirect(w http.ResponseWriter, r *http.Request, state *State, rawRedirectURI string) error {
-	// save the session to the databroker
-	res, err := session.Put(r.Context(), state.Client, state.Session)
-	if err != nil {
-		return err
-	}
-
-	// add databroker versions to the session cookie and save
-	state.SessionState.DatabrokerServerVersion = res.GetServerVersion()
-	state.SessionState.DatabrokerRecordVersion = res.GetRecord().GetVersion()
-	err = state.SessionStore.SaveSession(w, r, state.SessionState)
-	if err != nil {
-		return err
-	}
-
-	// if the redirect URL is for a URL we don't control, just do a plain redirect
-	if !isURLForPomerium(state.PomeriumDomains, rawRedirectURI) {
-		httputil.Redirect(w, r, rawRedirectURI, http.StatusFound)
-		return nil
-	}
-
-	// sign+encrypt the session JWT
-	encoder, err := jws.NewHS256Signer(state.SharedKey)
-	if err != nil {
-		return err
-	}
-
-	signedJWT, err := encoder.Marshal(state.SessionState)
-	if err != nil {
-		return err
-	}
-
-	cipher, err := cryptutil.NewAEADCipher(state.SharedKey)
-	if err != nil {
-		return err
-	}
-
-	encryptedJWT := cryptutil.Encrypt(cipher, signedJWT, nil)
-	encodedJWT := base64.URLEncoding.EncodeToString(encryptedJWT)
-
-	// redirect to the proxy callback URL with the session
-	callbackURL, err := urlutil.GetCallbackURLForRedirectURI(r, encodedJWT, rawRedirectURI)
-	if err != nil {
-		return err
-	}
-
-	signedCallbackURL := urlutil.NewSignedURL(state.SharedKey, callbackURL)
-	httputil.Redirect(w, r, signedCallbackURL.String(), http.StatusFound)
-	return nil
-}
-
-func getKnownDeviceCredentials(
-	ctx context.Context,
-	client databroker.DataBrokerServiceClient,
-	deviceCredentialIDs ...string,
-) ([]*device.Credential, error) {
-	var knownDeviceCredentials []*device.Credential
-	for _, deviceCredentialID := range deviceCredentialIDs {
-		deviceCredential, err := device.GetCredential(ctx, client, deviceCredentialID)
-		if status.Code(err) == codes.NotFound {
-			// ignore missing devices
-			continue
-		} else if err != nil {
-			return nil, httputil.NewError(http.StatusInternalServerError,
-				fmt.Errorf("error retrieving device credential: %w", err))
-		}
-		knownDeviceCredentials = append(knownDeviceCredentials, deviceCredential)
-	}
-	return knownDeviceCredentials, nil
-}
-
-func getOrCreateDeviceEnrollment(
-	ctx context.Context,
-	r *http.Request,
-	state *State,
-	deviceTypeID string,
-	deviceCredentialID string,
-	u *user.User,
-) (*device.Enrollment, error) {
-	var deviceEnrollment *device.Enrollment
-
-	enrollmentTokenParam := r.FormValue(urlutil.QueryEnrollmentToken)
-	if enrollmentTokenParam == "" {
-		// create a new enrollment
-		deviceEnrollment = &device.Enrollment{
-			Id:     uuid.New().String(),
-			TypeId: deviceTypeID,
-			UserId: u.GetId(),
-		}
-	} else {
-		// use an existing enrollment
-		deviceEnrollmentID, err := webauthnutil.ParseAndVerifyEnrollmentToken(state.SharedKey, enrollmentTokenParam)
-		if err != nil {
-			return nil, httputil.NewError(http.StatusBadRequest, fmt.Errorf("invalid enrollment token: %w", err))
-		}
-
-		deviceEnrollment, err = device.GetEnrollment(ctx, state.Client, deviceEnrollmentID)
-		if err != nil {
-			return nil, err
-		}
-
-		if deviceEnrollment.GetTypeId() != deviceTypeID {
-			return nil, httputil.NewError(http.StatusForbidden, fmt.Errorf("invalid enrollment token: wrong device type"))
-		}
-
-		if deviceEnrollment.GetUserId() != u.GetId() {
-			return nil, httputil.NewError(http.StatusForbidden, fmt.Errorf("invalid enrollment token: wrong user id"))
-		}
-
-		if deviceEnrollment.GetEnrolledAt().IsValid() {
-			return nil, httputil.NewError(http.StatusForbidden, fmt.Errorf("invalid enrollment token: already used for existing credential"))
-		}
-	}
-
-	deviceEnrollment.CredentialId = deviceCredentialID
-	deviceEnrollment.EnrolledAt = timestamppb.Now()
-	deviceEnrollment.UserAgent = r.UserAgent()
-	deviceEnrollment.IpAddress = httputil.GetClientIPAddress(r)
-
-	err := device.PutEnrollment(ctx, state.Client, deviceEnrollment)
-	if err != nil {
-		return nil, err
-	}
-	return deviceEnrollment, nil
-}
-
-func isURLForPomerium(pomeriumDomains []string, rawURI string) bool {
-	uri, err := urlutil.ParseAndValidateURL(rawURI)
-	if err != nil {
-		return false
-	}
-
-	for _, domain := range pomeriumDomains {
-		if urlutil.StripPort(domain) == urlutil.StripPort(uri.Host) {
-			return true
-		}
-	}
-
-	return false
-}
--- a/authenticate/handlers_test.go
+++ b/authenticate/handlers_test.go
@ -21,12 +21,12 @@ import (
 	"google.golang.org/grpc"
 	"google.golang.org/protobuf/types/known/timestamppb"

-	"github.com/pomerium/pomerium/authenticate/handlers/webauthn"
 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/atomicutil"
 	"github.com/pomerium/pomerium/internal/encoding"
 	"github.com/pomerium/pomerium/internal/encoding/jws"
 	"github.com/pomerium/pomerium/internal/encoding/mock"
+	"github.com/pomerium/pomerium/internal/handlers/webauthn"
 	"github.com/pomerium/pomerium/internal/httputil"
 	"github.com/pomerium/pomerium/internal/identity"
 	"github.com/pomerium/pomerium/internal/identity/oidc"
--- a/authenticate/state.go
+++ b/authenticate/state.go
@ -18,8 +18,6 @@ import (
 	"github.com/pomerium/pomerium/pkg/cryptutil"
 	"github.com/pomerium/pomerium/pkg/grpc"
 	"github.com/pomerium/pomerium/pkg/grpc/databroker"
-	"github.com/pomerium/pomerium/pkg/webauthnutil"
-	"github.com/pomerium/webauthn"
 )

 var outboundGRPCConnection = new(grpc.CachedOutboundGRPClientConn)
@ -46,8 +44,6 @@ type authenticateState struct {
 	jwk *jose.JSONWebKeySet

 	dataBrokerClient databroker.DataBrokerServiceClient
-
-	webauthnRelyingParty *webauthn.RelyingParty
 }

 func newAuthenticateState() *authenticateState {
@ -153,10 +149,5 @@ func newAuthenticateStateFromConfig(cfg *config.Config) (*authenticateState, err

 	state.dataBrokerClient = databroker.NewDataBrokerServiceClient(dataBrokerConn)

-	state.webauthnRelyingParty = webauthn.NewRelyingParty(
-		authenticateURL.String(),
-		webauthnutil.NewCredentialStorage(state.dataBrokerClient),
-	)
-
 	return state, nil
 }