Simple Endpoints Documentation Anyone?


richard redpath

Oct 13, 2023, 7:22:10 AM
to FIDO Dev (fido-dev)
I just want to use the FIDO REST API to do two Tasks
     Register a User
     Authenticate a user

using a public key we have. Please do not push the Webauthn this is a program
not a webapp.

It looks like the FIDO2 server provides two functions (Tasks we want) using four endpoints.

FIDO Register a user (public key for domain)
1. Register Begin
2. Register Complete

FIDO Authenticate a user given a challenge to sign and return status (success, fail)
1. Authenticate Begin
2. Authenticate Complete


We found an IBM documentation for FIDO2 Server Endpoint URLs.
    https://www.ibm.com/docs/en/sva/10.0.0?topic=support-fido2-server-endpoints


Register User (Begin and Complete)
    https://server.com/mga/sps/fido2/<relying_party>/attestation/options
    https://server.com/mga/sps/fido2/<relying_party>/attestation/result

Authenticate User (Begin and Complete)
    https://server.com/mga/sps/fido2/<relying_party>/assertion/options
    https://server.com/mga/sps/fido2/<relying_party>/assertion/result


Q1: Is this FIDO2 REST API a standard URL as shown above by IBM? I have downloaded a sample Python FIDO server and they seem to have this for the endpoints? Pretty far from the IBM stated endpoint verbiage.

      Register User (Begin and Complete)
           /api/register/begin
           /api/register/complete

       Authenticate User (Begin and Complete)
           /api/authenticate/begin
           /api/authenticate/complete

Certainly, I see code showing how to format data for calling these endpoints (CBOR etcetera), though the MIME type is not stated either (application/json? or application/cbor?).

Q2: There has got to be standard documentation for the endpoints?

This scenario of the two Tasks should be a no-brainer. We want to work with any FIDO2
Service available, and a standard REST API is the norm for servers.


Tim Cappalli

Oct 13, 2023, 12:57:15 PM
to richard redpath, FIDO Dev (fido-dev)
There is no "FIDO2 REST API". How you relay the request params and responses from the frontend to the backend (and vice versa) will depend on the library you're using on the backend.

If you're looking for a library to support passkeys, I'd recommend SimpleWebAuthn. 

Tim

--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/b57d4792-17d3-444b-891e-14c5fcb72153n%40fidoalliance.org.

Arshad Noor

Oct 13, 2023, 2:19:47 PM
to richard redpath, FIDO Dev (fido-dev)
Many years ago, the U2F Working Group shot down our proposal for
creating a standard XML and REST webservice API for FIDO. As a result,
there is only a JavaScript API (WebAuthn - U2F was folded into this
standard) for RP applications supported in the browser, and the CTAP
specification for communication between the browser and Authenticators.
Every FIDO library and server has, thus, created its own interface for
RP application developers. (This is not difficult to understand if you
know the primary drivers of U2F and WebAuthn).

If you are looking for webservices within a FIDO server that supports
enterprise needs, besides the API you referenced, you may also want to
check out our open-source FIDO Certified implementation at
https://sourceforge.net/projects/strongkeyfido/ - its API, however, is
guaranteed to be different from everybody else's.

Given the lack of foresight within the U2F group, you - and other RP
application developers - have to make a strategic choice on what you
choose to integrate/support for the long-term.

Good luck!

Arshad Noor
StrongKey


richard redpath

Oct 14, 2023, 8:20:05 AM
to FIDO Dev (fido-dev), Arshad Noor, richard redpath
Wow such a quick response.

It seems (*and stated) that the FIDO Alliance has Standardization of network authentication
called “Challenge response method” for available FIDO servers providing different REST names.

For example the Yubion seems to provide for the REST call
    https://yubionfido2.azurewebsites.net/attestation/start
and IBM provides
     https://server.com/mga/sps/fido2/<relying_party>/attestation/options
and a sample Python server provides
     https://local:5000/api/register/begin

Okay, fair enough, at least the communication protocol is (well, seems) consistent, thus found, right?

Q1: So my only question is: where is this Document for the communication construction? There are so many documents,
and many copy preambles from other documents, to wade through.

For example, the Begin Registration for Yubion seems to be (after quality time tracing):

 POST   https://yubionfido2.azurewebsites.net/attestation/start
 Content-Type: application/json; charset=utf-8

payload:

{
    "displayName": "richard redpath",
    "username": "Redpath",
    "attestation": "none",
    "authenticatorSelection": {
        "authenticatorAttachment": "",
        "userVerification": "discouraged",
        "requireResidentKey": false
    }
}

and then a response is returned from the Server
{
    "rp": {
        "id": "yubionfidodemo.azurewebsites.net",
        "name": "Fido2 Tutorial"
    },
    "user": {
        "name": "Redpath",
        "id": {},
        "displayName": "richard redpath"
    },
    "challenge": {},
    "pubKeyCredParams": [
        { "type": "public-key", "alg": -7 },
        { "type": "public-key", "alg": -257 },
        { "type": "public-key", "alg": -65535 },
        { "type": "public-key", "alg": -37 },
        { "type": "public-key", "alg": -35 },
        { "type": "public-key", "alg": -258 },
        { "type": "public-key", "alg": -38 },
        { "type": "public-key", "alg": -36 },
        { "type": "public-key", "alg": -259 },
        { "type": "public-key", "alg": -39 },
        { "type": "public-key", "alg": -8 }
    ],
    "timeout": 60000,
    "attestation": "none",
    "authenticatorSelection": {
        "requireResidentKey": false,
        "userVerification": "discouraged"
    },
    "excludeCredentials": [],
    "extensions": {
        "example.extension.bool": true
    },
    "status": "ok",
    "errorMessage": ""
}


I noticed the Challenge is not supplied.
So what are the details for this Payload information and configuration?

I need this document.


For completeness, the Yubion REST API is called to complete with a Payload constructed
from the Browser create function that uses an authenticator for a public key.
Of course, details of this construction would be needed if I am supplying a public create
and building this payload.


   POST https://yubionfido2.azurewebsites.net/attestation/finish
   Content-Type: application/json; charset=utf-8


Payload
{
"rawId": "AYSlVxe_qEgKly2dw0mgVuKuQ8pQZfcbAo0ohf_ouzN65-a4PgPjezfPomTJvOw8dUpnem7w53L6i8B5arvmkPk",
"response": {
"attestationObject": "o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YVjFE690Pi8lbHJkQnQBQikhio8YjkTLve2Lp4SiXO_FTwBFAAAAAAAAAAAAAAAAAAAAAAAAAAAAQQGEpVcXv6hICpctncNJoFbirkPKUGX3GwKNKIX_6LszeufmuD4D43s3z6JkybzsPHVKZ3pu8Ody-ovAeWq75pD5pQECAyYgASFYIMBcq2Q35ZitbQeAGjhK0OREMn70t569NDVFhq-0Ar0NIlgg4dm3UQKGZoUhdshonJfVomUX8bS-rxPDvkBBtZCAthw",
"getAuthenticatorData": {},
"getPublicKey": {},
"getPublicKeyAlgorithm": {},
"getTransports": {},
"clientDataJSON": "eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiV3RVLS0zWk13NlJreW1TM2tpa1RjUSIsIm9yaWdpbiI6Imh0dHBzOi8veXViaW9uZmlkb2RlbW8uYXp1cmV3ZWJzaXRlcy5uZXQiLCJjcm9zc09yaWdpbiI6ZmFsc2V9"
},
"authenticatorAttachment": "cross-platform",
"getClientExtensionResults": {},
"id": "AYSlVxe_qEgKly2dw0mgVuKuQ8pQZfcbAo0ohf_ouzN65-a4PgPjezfPomTJvOw8dUpnem7w53L6i8B5arvmkPk",
"type": "public-key"
}

Tim Cappalli

Oct 14, 2023, 3:58:57 PM
to richard redpath, FIDO Dev (fido-dev), Arshad Noor, richard redpath
Your library of choice will provide this in their documentation.




richard redpath

Oct 16, 2023, 12:15:41 PM
to FIDO Dev (fido-dev), Tim Cappalli, Arshad Noor, richard redpath
Just looking for the documentation of how to create the Complete payload from the
options returned by a FIDO server. Example image shows
options returned from demo FIDO Webauthn.io Begin request options which is then made into a payload
using the navigator.credentials.create for a passkey from an Android. It is then sent to
the FIDO server to complete registration.

I am not using a JS library, I am writing one. I am not using a Browser nor do I need one.
So, if you have any idea where this Document is and its name: apparently there are zillions of
docs.

Thanks in advance.

OptionsToComplete.png

Emil Lundberg

Oct 17, 2023, 11:06:22 AM
to richard redpath, FIDO Dev (fido-dev), Tim Cappalli, Arshad Noor
Do you want to use platform APIs to create (and later authenticate) a credential on a security key or in the platform keyring, or do you want to create and use software keys managed by your app?

If the former, refer to the platform's WebAuthn/FIDO documentation for how to use those credential creation (or assertion) arguments to create (or assert) a credential.

If the latter, then it sounds like you need to implement the client and authenticator parts (sections 5 and 6) of the WebAuthn spec: https://www.w3.org/TR/2021/REC-webauthn-2-20210408/ . In particular §6. Authenticator Operations describes in detail what cryptographic operations to perform and the output formats to produce, and §5. Web Authentication API describes how to transform the high-level parameters you receive from the server into the low-level parameters defined in §6. Authenticator Operations.

Emil Lundberg

Senior Software Engineer | Yubico




richard redpath

Oct 18, 2023, 6:53:14 AM
to FIDO Dev (fido-dev), Emil Lundberg, FIDO Dev (fido-dev), Tim Cappalli, Arshad Noor, richard redpath
Yep, that's it.
> If the latter, then it sounds like you need to implement the client and authenticator parts (sections 5 and 6) of the WebAuthn spec: https://www.w3.org/TR/2021/REC-webauthn-2-20210408/ . In particular §6. Authenticator Operations describes in detail what cryptographic operations to perform and the output formats to produce, and §5. Web Authentication API describes how to transform the high-level parameters you receive from the server into the low-level parameters defined in §6. Authenticator Operations.

Also, quick question: is the public key to provide compressed or uncompressed? Yes, I know there is some COSE_Key format talked about.
And is the Challenge hashed and then signed?

thanks in advance.

Emil Lundberg

Oct 18, 2023, 7:15:24 AM
to richard redpath, FIDO Dev (fido-dev), Tim Cappalli, Arshad Noor
> Also, quick question: is the public key to provide compressed or uncompressed? Yes, I know there is some COSE_Key format talked about.

Neither, it must be conveyed in COSE_Key format.

> And is the Challenge hashed and then signed?

Not directly. The challenge is embedded into the "collected client data", which is then JSON-serialized and hashed and then signed along with the "authenticator data". See §5.1.3 Create a New Credential and §5.1.4. Use an Existing Credential to Make an Assertion for how to produce the clientDataHash to sign, and §6.3. Authenticator Operations for how to generate the signature.

Emil Lundberg

Senior Software Engineer | Yubico


