Pular para o conteúdo principal
  1. CoffeeBean Technology
  2. Guias e Refência Técnica
  3. Protocolos

FIDO 2

FIDO2 Server Operations

Attestation (Registration)

Attestation Options

Description

Endpoint to initiate a registration operation.

Endpoint

POST/attestation/options

 

JSON Parameters

TypeRequired/Optional
ServerPublicKeyCredentialCreationOptionsRequestrequired

Response

TypeRequired/Optional
ServerPublicKeyCredentialCreationOptionsResponserequired


Example Request

POST /attestation/options


 

{

  "username": "johndoe@example.com",

  "displayName": "John Doe",

  "authenticatorSelection": {

    "requireResidentKey": false,

    "authenticatorAttachment": "cross-platform",

    "userVerification": "preferred"

  },

  "attestation": "direct"

}


 

Example Response

{

  "status": "ok",

  "errorMessage": "",

  "rp": {

    "name": "Example Corporation"

  },

  "user": {

    "id": "S3932ee3C0JtMIQ",

    "name": "johndoe@example.com",

    "displayName": "John Doe"

  },

  "challenge": "uhUjPNlZuhNdsLPkkE5Fv-lUN",

  "pubKeyCredParams": [

    {

      "type": "public-key",

      "alg": -7

    }

  ],

  "timeout": 10000,

  "excludeCredentials": [

    {

      "type": "public-key",

      "id": "opQf1maupUKJIQp"

    }

  ],

  "authenticatorSelection": {

    "requireResidentKey": false,

    "authenticatorAttachment": "cross-platform",

    "userVerification": "preferred"

  },

  "attestation": "direct"

}

Attestation Result

Description

Endpoint to complete a registration operation.

Endpoint

POST/attestation/result


 

JSON Parameters

TypeRequired/Optional
ServerPublicKeyCredentialrequired

ServerPublicKeyCredential’s “response” field must be a ServerAuthenticatorAttestationResponse.

Response

TypeRequired/Optional
ServerResponserequired

 

Example Request

POST /attestation/result


 

{

  "id": "LFdoCFJTyB82ZzSJUHc-c72yraRc_1E8su39xXAWgWl6itMKqmDvruha6ywA",

  "rawId": "LFdoCFJTyB82ZzSJUHc-c72yraRc_1mPvGX8ToE8su39xX26JcAWgWl6itMKqmDvruha6ywA",

  "response": {

    "clientDataJSON": "eyJjaGFsbGVuZ2UiOiJOeHlab32Iiwib3JpZ2luIjoiL2xvY2FsaG9zdDozMDAwIiwidHlwZSI6IndlYmF1dGhuLmNyZWF0ZSJ9",

    "attestationObject": "o2NmbXRoZmlkby11MmZnYXR0U3RtdKJjc2lnWEcwRQIgVzzvX3Nyp_g9j9f2B-tPWy6puW01aZHI8RXjwqfDjtQCIQDLsdniGPO9iKr7tdgVV-FnBYhvzlZLG3u28rVt10YXfGN4NWOBWQJOMIICSjCCATKgAwIBAgIEVxb3wDANBgkqhkiG9w0BAQsFADAuMSwwKgYDVQQDEyNZdWJpY28gVTJpYqG4A579f3YAjfrPbgj404xJns0mqx5wkpxKlnoBKqo1rqSUmonencd4xanO_PHEfxU0iZif615X5lc87qDHZdjQQAAAAAAAAAAAAAAAAAAAAAAAAAAAEAsV2gIUlPIHzZnNIlQdz5zvbKtpFz_WY-8ZfxOgTyy7f3Ffbolyp3fUtSQo5LfoUgBaBaXqK0wqqYO-u6FrrLApQECAyYgASFYIPr9-YH8DuBsOnaI3KJa0a39hyxh9LDtHErNvfQSyxQsIlgg4rAuQQ5uy4VXGFbkiAt0uwgJJodp-DymkoBcrGsLtkI"

  },

  "type": "public-key"

}

 

Example Response

{

  "status": "ok",

  "errorMessage": ""

}

 

Assertion (Authentication)

Assertion Options

Description

Endpoint to initiate an authentication operation.

Endpoint

POST/assertion/options


JSON Parameters

TypeRequired/Optional
ServerPublicKeyCredentialGetOptionsRequestrequired

 

Response

TypeRequired/Optional
ServerPublicKeyCredentialGetOptionsResponserequired


Example Request

POST /assertion/options


 

{

  "username": "johndoe@example.com",

  "userVerification": "required"

}


 

Example Response

{

  "status": "ok",

  "errorMessage": "",

  "challenge": "6283u0svQHStwkJCaLKx",

  "timeout": 20000,

  "rpId": "https://example.com",

  "allowCredentials": [

    {

      "id": "m7xlAuwcj4m",

      "type": "public-key"

    }

  ],

  "userVerification": "required"

}


Assertion Result

Description

Endpoint to complete an authentication operation.

Endpoint

POST/assertion/result

 

JSON Parameters

TypeRequired/Optional
ServerPublicKeyCredentialrequired

ServerPublicKeyCredential’s “response” field must be a ServerAuthenticatorAssertionResponse.
 

Response

TypeRequired/Optional
ServerResponserequired


 

Example Request

POST /assertion/result


 

{

  "id":"LFdoCFJTyB82ZzSJUHc-c72yraRc_1mPvGX8ToE8su3l6itMKqmDvruha6ywA", "rawId":"LFdoCFJTyB82Z2yraRc_1mPvGX8ToE8su39xX26FIAWgWl6itMKqmDvruha6ywA",

  "response": {

    "authenticatorData":"SZYN5YgOjGLHmVzzuoMdl2MBAAAAAA",

    "signature":"MEYC9DQIhANiYig9newAJZYTzG1i5lwP-YQk9uXFnnDaHnr2yCKXL",

    "userHandle":"",

    "clientDataJSON":"eyJjaGFsbGVuZImhhc2hB2Iiwib3JpZ2luIjoiaHR0cDovL2xvY2FsaG9zdDozMDAwIiwidHlwZSI6IndlYmF1dGhuLmdldCJ9"

  },

  "type":"public-key"

}

Example Response

{

  "status": "ok",

  "errorMessage": ""

}

WebAuthn Operations

Create Credential (Registration)

Description

API to perform user registration.

 

Javascript API

navigator.credentials.create()

 

Parameters

TypeRequired/Optional
CredentialCreationOptionsrequired

 

Response

TypeRequired/Optional
PublicKeyCredentialrequired

PublicKeyCredential’s “response” will be a AuthenticatorAttestationResponse.


 

Example Request

navigator.credentials.create({

  publicKey: {

    challenge: new Uint8Array([21,31,105, ...]),

    rp: {

      name: "ACME Corporation"

    },

    user: {

      id: Uint8Array.from(window.atob("MIIBkZMwggE4oAMCAQgGTMII="), c=>c.charCodeAt(0)),

      name: "alex.p.mueller@example.com",

      displayName: "Alex P. Müller",

      icon: "https://pics.example.com/00/p/aBjjjpqPb.png"

    },

    pubKeyCredParams: [

      {

        type: "public-key",

        alg: -7

      },

      {

        type: "public-key",

         alg: -257

      }

    ],

    timeout: 60000,

    excludeCredentials: [],

    extensions: {

      "loc": true

    }

  }

});


 

Example Response

{

  rawId: “QXLsNzPhaR2aRI_-ze8IK6ru_An8gIAaZ2RMFNLNTxLd6TbMJELtEBNbR3pghe3A”,

  id: Int8Array([65, 114, -20, 55, 49, ...],

  response: {

    attestationObject: Int8Array[-93, 99, 102, 109, ...],

    clientDataJson: Int8Array[123, 34, 99, 104, 97, ....]

  },

  type: “public-key”

}


 

Get Credential (Authentication)

Description

API to perform user authentication.
 

Javascript API

navigator.credentials.get()

Parameters

TypeRequired/Optional
CredentialRequestOptionsrequired

 

Response

TypeRequired/Optional
PublicKeyCredentialrequired

PublicKeyCredential’s “response” will be a AuthenticatorAssertionResponse.
 

Example Request

navigator.credentials.get({

  publicKey: {

    challenge: new Uint8Array([4,101,15, ...]),

    timeout: 60000,

    allowCredentials: [

      {

        type: “public-key”,

        id: new Uint8Array([183, 148, 245, …])

      }

    ],

  }

});

 

Example Response

{

  rawId: “_08FiVZ0EZqUUfZTf1F7R18I9xXSml3TAOIpsWw-SAt-g1lc8FCYVR_hgtWC”,

  id: Int8Array([170, 197, 31, ...],

  response: {

    authenticatorData: Int8Array[66, 107, 61, ...],

    signature: Int8Array[91, 183, 120, ...],

    userHandle: Int8Array[97, 75, 20, ...],

    clientDataJson: Int8Array[191, 4, 22, ...]

  },

  type: “public-key”

}

Models reference

AttestationConveyancePreference

TypeRequired/OptionalValues
enumrequired

none

indirect
direct

AuthenticationExtensionsClientInputs

TypeRequired/OptionalName
stringoptionalappId
stringoptionaltxAuthSimple
TxAuthGenericArgoptionaltxAuthGeneric
AuthenticatorSelectionListoptionalauthnSel
booleanoptionalexts
booleanoptionaluvi
booleanoptionalloc
booleanoptionaluvm

AuthenticationExtensionsClientOutputs

TypeRequired/OptionalName
booleanoptionalappId
stringoptionaltxAuthSimple
byte[]optionaltxAuthGeneric
booleanoptionalauthnSel
AuthenticationExtensionsSupportedoptionalexts
byte[]optionaluvi
Coordinatesoptionalloc
UvmEntriesoptionaluvm

AuthenticationExtensionsSupported

Typedef
string[]

AuthenticatorAssertionResponse

TypeRequired/OptionalName
BufferSourcerequiredclientDataJSON
BufferSourcerequiredauthenticatorData
BufferSourcerequiredsignature
BufferSourcerequireduserHandle

AuthenticatorAttachment

TypeRequired/OptionalValues
enumrequiredplatform
cross-platform

AuthenticatorAttestationResponse

TypeRequired/OptionalName
BufferSourcerequiredclientDataJSON
BufferSourcerequiredattestationObject

AuthenticatorSelectionCriteria

TypeRequired/OptionalName
AuthenticatorAttachmentoptionalauthenticatorAttachment
booleanoptionalrequireResidentKey
UserVerificationRequirementoptionaluserVerification

AuthenticatorSelectionList

Typedef
string[]

AuthenticatorTransport

TypeRequired/OptionalValues
enumrequired

usb

nfc

ble

internal

Coordinates

TypeRequired/OptionalName
doubleoptionallatitude
doubleoptionallongitude
doubleoptionalaltitude
doubleoptionalaccuracy
doubleoptionalaltitudeAccuracy
doubleoptionalheading
doubleoptionalspeed

COSEAlgorithmIdentifier

TypeRequired/OptionalValues
enumrequired

-257 (RS256)

-37 (PS256)

-7 (ES256)

CredentialCreationOptions

TypeRequired/OptionalName
PublicKeyCredentialCreationOptionsrequiredpublicKey

CredentialRequestOption

TypeRequired/OptionalName
PublicKeyCredentialRequestOptionsrequiredpublicKey

PublicKeyCredential

TypeRequired/OptionalName
stringrequiredid
stringrequiredtype
BufferSourcerequiredrawId
AuthenticatorResponse*requiredresponse
AuthenticationExtensionsClientOutputsoptionalgetClientExtensionResults

*Either a AuthenticatorAssertionResponse or a AuthenticatorAttestationResponse

 

PublicKeyCredentialCreationOptions

TypeRequired/OptionalName
PublicKeyCredentialRpEntityrequiredrp
PublicKeyCredentialUserEntityrequireduser
BufferSourcerequiredchallenge
PublicKeyCredentialParameters[]requiredpubKeyCredParams
longoptionaltimeout
PublicKeyCredentialDescriptor[]optionalexcludeCredentials
AuthenticatorSelectionCriteriaoptionalauthenticatorSelection
AttestationConveyancePreferenceoptionalattestation
AuthenticationExtensionsClientInputsoptionalextensions

PublicKeyCredentialDescriptor

TypeRequired/OptionalName
PublicKeyCredentialTyperequiredtype
BufferSourcerequiredid
AuthenticatorTransport[]optionaltransports

PublicKeyCredentialParameters

TypeRequired/OptionalName
PublicKeyCredentialTyperequiredtype
COSEAlgorithmIdentifierrequiredalg

PublicKeyCredentialRequestOptions

TypeRequired/OptionalName
BufferSourcerequiredchallenge
longoptionaltimeout
stringoptionalrpId
PublicKeyCredentialDescriptor[]optionalallowCredentials
UserVerificationRequirementoptionaluserVerification
AuthenticationExtensionsClientInputs[]optionalextensions

PublicKeyCredentialRpEntity

TypeRequired/OptionalName
stringrequiredname
stringoptionalicon
stringoptionalid

PublicKeyCredentialType

TypeRequired/OptionalValues
enumrequiredpublic-key

PublicKeyCredentialUserEntity

TypeRequired/OptionalName
stringrequiredname
stringoptionalicon
BufferSourcerequiredid
stringrequireddisplayName

ServerAuthenticatorAssertionResponse

TypeRequired/OptionalName
stringrequiredclientDataJSON
stringrequiredauthenticatorData
stringrequiredsignature
stringrequireduserHandle

ServerAuthenticatorAttestationResponse

TypeRequired/OptionalName
stringrequiredclientDataJSON
stringrequiredattestationObject

ServerPublicKeyCredential

TypeRequired/OptionalName
stringrequiredid
stringrequiredtype
stringrequiredrawId
ServerAuthenticatorResponse*requiredresponse
AuthenticationExtensionsClientOutputsoptionalgetClientExtensionResults

 

 

ServerPublicKeyCredentialCreationOptionsRequest

TypeRequired/OptionalName
stringrequiredusername
stringrequireddisplayName
AuthenticatorSelectionCriteriaoptionalauthenticatorSelection
AttestationConveyancePreferenceoptionalattestation

ServerPublicKeyCredentialCreationOptionsResponse

TypeRequired/OptionalName
Statusrequiredstatus
stringrequirederrorMessage
PublicKeyCredentialRpEntityrequiredrp
ServerPublicKeyCredentialUserEntityrequireduser
stringrequiredchallenge
PublicKeyCredentialParameters[]requiredpubKeyCredParams
longoptionaltimeout
ServerPublicKeyCredentialDescriptor[]optionalexcludeCredentials
AuthenticatorSelectionCriteriaoptionalauthenticatorSelection
AttestationConveyancePreferenceoptionalattestation
AuthenticationExtensionsClientInputsoptionalextensions

ServerPublicKeyCredentialDescriptor

TypeRequired/OptionalName
PublicKeyCredentialTyperequiredtype
stringrequiredid
AuthenticatorTransport[]optionaltransports

ServerPublicKeyCredentialGetOptionsRequest

TypeRequired/OptionalName
stringrequiredusername
UserVerificationRequirementoptionaluserVerification

ServerPublicKeyCredentialGetOptionsResponse

TypeRequired/OptionalName
Statusrequiredstatus
stringrequirederrorMessage
stringrequiredchallenge
longoptionaltimeout
stringoptionalrpId
ServerPublicKeyCredentialDescriptor[]optionalallowCredentials
UserVerificationRequirementoptionaluserVerification
AuthenticationExtensionsClientInputs[]optionalextensions

ServerPublicKeyCredentialUserEntity

TypeRequired/OptionalName
stringrequiredname
stringoptionalicon
stringrequiredid
stringrequireddisplayName

ServerResponse

TypeRequired/OptionalName
Statusrequiredstatus
stringrequirederrorMessage

Status

TypeRequired/OptionalValues
enumrequired

ok

failed

TxAuthGenericArg

TypeRequired/OptionalName
stringrequiredcontentType
stringrequiredcontent

UserVerificationRequirement

TypeRequired/OptionalValues
enumrequired

required

preferred

discouraged

UvmEntries

Typedef
UvmEntry[]

UvmEntry

Typedef
long[]
English (United States)