passwordless: labels and better deserializing of authData

2026-01-11 14:30:48 +01:00 · 2023-10-16 11:44:05 +02:00
parent 5b61d61e4e
commit 7cb1d92b15
1 changed files with 10 additions and 5 deletions
--- a/src/main/resources/templates/OAuthResource/loginPasswordless.html
+++ b/src/main/resources/templates/OAuthResource/loginPasswordless.html
@@ -111,7 +111,7 @@
                                    <b>requireResidentKey:</b> A resident (private) key, is a key that cannot leave your authenticator device, this means that you cannot reuse the authenticator to log into a second computer. Here, it is not required.
                                </p>
                                <p>
-                                    <b>userVerification:</b> User verification is the technical process by which an authenticator locally authorizes the invocation of the authenticatorMakeCredential and authenticatorGetAssertion operations. User verification MAY be instigated through various authorization gesture modalities; for example, through a touch plus pin code, password entry, or biometric recognition (e.g., presenting a fingerprint). It can be "required", "preferred" or "discouraged".
+                                    <b>userVerification:</b> User verification is the technical process by which the user locally authorizes themselves. User verification typically involve a touch plus pin code, password entry, or biometric (face, fingerprint, ...). User verification check is stronger than a mere user presence, in which the user just confirms the operation, e.g. by pressing a simple button.
                                </p>
                            </li>
                            <li class="collection-item">
@@ -236,7 +236,7 @@
                            <li class="collection-item">
                                <p class="emphasis"><b>attestationObject</b></p>
                                <p>
-                                    This is a base64 encoded binary representation of an attestation statement. The attestation statement is produced by the authenticator to prove to the relying party (e.g., a website) that a new public key credential has been created in the authenticator. It typically contains details about the authenticator, a freshly generated public key for the user, some metadata, and a signature from the authenticator. It is <a href="https://cbor.io/">CBOR</a> encoded.
+                                    This is a base64 encoded binary representation of an attestation statement. The attestation statement is produced by the authenticator to prove to the relying party (e.g., a website) that a new public key credential has been created in the authenticator. It is <a href="https://cbor.io/">CBOR</a> encoded.
                                </p>
                                <div class="code" id="navigator-attestationObject" style="height: 150px; overflow-y: scroll;"></div>
                                <p class="button-label">The authData is <a href="https://www.w3.org/TR/webauthn-2/#sctn-attested-credential-data">binary encoded</a> and contain the actual public key, but also more flags and info about the authentication:</p>
@@ -345,7 +345,7 @@
                            <li class="collection-item">
                                <p class="emphasis"><b>authenticatorData</b></p>
                                <p>
-                                    This contains information about the authentication event. It typically includes the hash of the <b>clientDataJSON</b>, a sign count (to protect against clone attacks), and other data relevant to the authentication process.
+                                    This contains information about the authentication event.
                                </p>
                                <p class="button-label">It is <a href="https://www.w3.org/TR/webauthn-2/#sctn-attested-credential-data">binary encoded</a> and this time does not contain the public key:</p>
                                <div class="code" id="navigator-authenticatorData"></div>
@@ -560,9 +560,14 @@
        $("#navigator-attestation-body").html(JSON.stringify(response, null, 2));
        $("#navigator-attestation-clientDataJSON").html(JSON.stringify(JSON.parse(tryDecodeBase64(response.response.clientDataJSON)), null, 2));
        let attestationObject = CBOR.decode(WebAuthn.base64ToBuffer(response.response.attestationObject));
-        let authData = parseAuthenticatorData(attestationObject.authData);
+        let authDataRaw = attestationObject['authData'];
+
+        if (authDataRaw) {
+            let authData = parseAuthenticatorData(authDataRaw);
+            $("#navigator-authData").html(JSON.stringify(authData, null, 2));
+            attestationObject['authData'] = WebAuthn.bufferToBase64(authDataRaw)
+        }
        $("#navigator-attestationObject").html(JSON.stringify(attestationObject, null, 2));
-        $("#navigator-authData").html(JSON.stringify(authData, null, 2));
        return continueButton("#navigator-attestation", response);
    }