jsso2 is a passwordless single-sign-on system written in Go and Typescript.

Development

You can run everything locally. Run npm run all, and a server will begin listening on port 4000. (Ignore the output from the various components that start themselves; those ports get proxied to by the server running on port 4000.) Any Typescript/Svelte changes are reflected immediately as you edit the files. Go changes require a restart for the time being. You will also need an envoy binary. I get mine by docker cp-ing the binary out of one of their releases.

Cleaning up Windows Hello keys

Windows remembers every enrollment you've ever done, which can result in confusion when you're trying to log in. You can see a list of your Windows Hello keys by running certutil -csp NGC -key. You should see keys that contain FIDO_AUTHENTICATOR in their names, and these are keys created by Windows Hello. The part after FIDO_AUTHENTICATOR is the Relying Party ID hash and the User ID separated by an underscore. Keys from the dev server will have a Relying Party ID of "localhost", and the sha256sum of "localhost" is 49960de5880e8c687434170f6476605b8fe4aeb9a28632c7995cf3ba831d9763; this should allow you to recognize the keys that you've enrolled while testing. You can then delete them with certutil -csp NGC -delkey <full key> from an Administrator console.