# WebAuthn

## Registration

```mermaid
sequenceDiagram
    participant A as Authenticator
    participant C as Client
    participant RP as Relying Party
    C->>RP: Yo, I want to register
    RP->>C: PublicKeyCredentialCreationOptions
    C->>A: PublicKeyCredentialCreationOptions
    A->>A: Request user consent
    A->>C: PublicKeyCredential (attestation)
    C->>RP: PublicKeyCredential
    RP->>RP: Validate / verify (challenge, origin, rpIdHash, attestation)
    RP->>RP: Store credential (ID + public key + sign count)
```

```typescript
type PublicKeyCredentialCreationOptions = {
  // Random bytes generated by the RP server-side (at least 16, from a CSPRNG).
  // Kept server-side until the registration ceremony completes, then discarded.
  Challenge: Challenge,
  RelyingParty: RelyingPartyEntity,
  User: UserEntity,
  AuthenticatorSelection?: AuthenticatorSelection,
  // Acceptable credential types and algorithms, most preferred first
  Parameters?: CredentialParameter[],
  // Time allowed for the authenticator/user to respond, in milliseconds. A hint; the client may override it.
  Timeout?: number,
  // Credentials the authenticator must NOT already hold. Stops a user registering the same
  // authenticator twice, e.g. when adding a second key for account recovery.
  CredentialExcludeList?: CredentialDescriptor[],
  // Whether the RP wants an attestation statement proving where the credential came from.
  // "none" is the common default; "direct" returns the authenticator's statement as-is;
  // "indirect" lets the client anonymize it.
  Attestation?: "none" | "indirect" | "direct"
};

// 16+ random bytes from a CSPRNG
type Challenge = Uint8Array;

type RelyingPartyEntity = {
  // Human-readable organization name
  Name: string,
  // URL of an image/logo (optional; removed in Level 2 of the spec)
  Icon?: string,
  // The RP ID is a *domain*, not an origin: "chase.com", not "https://chase.com". It must equal
  // the caller's effective domain or a registrable suffix of it. The https requirement applies to
  // the page itself: WebAuthn is only available in a secure context.
  ID: string
};

type UserEntity = {
  // Account identifier shown to the user, e.g. an email address or username
  Name: string,
  Icon?: string,
  // Friendly name chosen by the user, e.g. "Jane Doe"
  DisplayName: string,
  // RP's opaque ID for the user, max 64 bytes. Must not contain PII such as the email address.
  ID: Uint8Array
};

type CredentialParameter = {
  // "public-key" is the only registered credential type
  Type: "public-key",
  // COSE algorithm identifier from the IANA COSE Algorithms registry, e.g. -7 (ES256), -257 (RS256)
  Algorithm: number
};

type CredentialDescriptor = {
  Type: "public-key",
  // The credential ID the authenticator returned at registration
  ID: Uint8Array,
  // Hints for how the authenticator can be reached
  Transports?: AuthenticatorTransport[]
};

type AuthenticatorTransport = "usb" | "nfc" | "ble" | "internal";

type AuthenticatorSelection = {
  // "platform": built into the device (e.g. TPM, Secure Enclave) and only usable on that device.
  // "cross-platform": roaming authenticator such as a security key, connected over USB, NFC or Bluetooth.
  AuthenticatorAttachment?: "platform" | "cross-platform",
  // Should the credential be stored on the authenticator (a resident / discoverable credential),
  // so login can work without the RP first supplying the credential ID?
  RequireResidentKey?: boolean,
  // Should the authenticator verify the user (PIN, biometric), not just confirm presence (touch)?
  UserVerification?: "required" | "preferred" | "discouraged"
};
```

## Login (Assertion)

```mermaid
sequenceDiagram
    participant A as Authenticator
    participant C as Client
    participant RP as Relying Party
    C->>RP: Yo, I want to log in
    RP->>RP: Look up the user's stored credential IDs
    RP->>C: PublicKeyCredentialRequestOptions
    C->>A: PublicKeyCredentialRequestOptions
    A->>A: Request user consent
    A->>C: PublicKeyCredential (assertion)
    C->>RP: PublicKeyCredential
    RP->>RP: Verify (challenge, origin, rpIdHash, signature with stored public key)
    RP->>RP: Update stored sign counter
```

```typescript
type PublicKeyCredentialRequestOptions = {
  // Fresh random bytes for each login attempt, kept server-side until the assertion is verified
  Challenge: Challenge,
  // Milliseconds; a hint the client may override
  Timeout?: number,
  // Defaults to the caller's effective domain
  RelyingPartyId?: string,
  // Credentials acceptable for this user, built from the IDs stored at registration
  // (Type "public-key", stored credential ID, transports usb/nfc/ble/internal).
  // Omit for username-less login with resident (discoverable) credentials.
  AllowedCredentials?: CredentialDescriptor[],
  // Defaults to "preferred"
  UserVerification?: "required" | "preferred" | "discouraged"
};
```