{#include base} {#title}Login passwordless{/title} {#add-header} {/add-header}
First the user enters their username:
A new user needs to generate a new credential and register it with the application.
A returning user must prove they own a credential that was registered earlier.
The interaction starts with an AJAX call:
Basically we are just sending the username and the user's display name.
The server prepares a challenge for the browser to sign:
Let's break it down...
rp
Information about the relying party. The id of the relying party is usually the domain name of the website or service trying to authenticate the user; the browser refuses the call if it is not the calling origin's domain or a registrable suffix of it. The name is a human-friendly name for the relying party.
user
Information about the user: id contains a unique identifier in the form of a base64 encoded byte array. It should be an opaque random value that the server maps to the account, not an email address or other personal data, because it is stored on the authenticator and returned as the userHandle on every login. The parameters name and displayName are taken from the initial request.
challenge
A random value generated by the relying party. It's used to ensure that the authentication request is fresh and not a replay of a previous one.
pubKeyCredParams
A list of public key credential types and cryptographic algorithm combinations supported by the relying party, in order of preference. The COSE algorithm identifiers -7 and -257 denote ES256 (ECDSA with P-256 and SHA-256) and RS256 (RSASSA-PKCS1-v1_5 with SHA-256), respectively.
authenticatorSelection
Criteria for the authenticator:
requireResidentKey: A resident (discoverable) key is a credential stored on the authenticator itself, so the authenticator can find it without the server first supplying the credential ID; that is what username-less login relies on. Here it is not required, because the user types their username first and the server can send the matching credential IDs in allowCredentials. Residency says nothing about portability: the private key is not exposed to the browser or server in either case, and a roaming authenticator can be used on any computer.
userVerification: User verification is the technical process by which the user locally authorizes themselves. It typically involves a touch plus a PIN, a password entry, or a biometric (face, fingerprint, ...). A user verification check is stronger than a mere user presence check, in which the user just confirms the operation, e.g. by pressing a button.
timeout
Maximum time, in milliseconds, that the caller is willing to wait for the call to complete.
attestation
Specifies the attestation conveyance preference. "none" means the relying party is not interested in authenticator attestation: it will not receive or verify a certificate chain proving which authenticator model created the key, which is fine for ordinary logins and spares the user a consent prompt in some browsers.
extensions
Dictionary of extension identifiers with their associated data. In this case, there's an extension "txAuthSimple" with no associated data provided.
For a returning user the server prepares an assertion request instead. Its fields:
challenge
A new random value generated by the relying party. It's used to ensure that the authentication request is fresh and not a replay of a previous one; every ceremony gets its own challenge, and the server keeps it in the session to compare against the response.
timeout
Specifies the time, in milliseconds, that the caller is willing to wait for the call to complete.
rpId
The Relying Party Identifier. It scopes the lookup: the authenticator only offers credentials that were created for this RP ID, and the browser rejects the call if the value is not the calling origin's domain or a registrable suffix of it. It must be the same rp.id that was used at registration.
userVerification
This specifies the desired level of user verification. The value "discouraged" means the website does not require strong verification of the user: if the authenticator has a user verification method (like a fingerprint scanner or PIN), it is not mandatory to use it for this authentication, and the server should then not insist on the user-verified flag in the response.
extensions
Dictionary of extension identifiers with their associated data. In this case, there's an extension "txAuthSimple" with no associated data provided.
allowCredentials
An array containing one or more credentials that are allowed for the authentication:
type
Specifies the type of the public key credential.
id
The credential ID that identifies the public key to be used during the authentication.
transports
Hints at how the browser can reach the authenticator that holds this credential, e.g. usb, nfc, ble or internal. The list is recorded by the server at registration and only guides the client; it does not restrict which authenticator may answer.
The challenge is passed to the Javascript call:
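The page's own browser code is not shown here, so the following is an added example (not the page's or the project's code) of the glue the browser needs around navigator.credentials.create() and navigator.credentials.get(): the server sends the options as JSON with binary fields (challenge, user.id, credential ids) base64url-encoded, the WebAuthn API wants ArrayBuffers, and the response has to be encoded back the same way before it is posted. The endpoint paths are assumptions.

```javascript
// Added example, not the page's own code: browser-side glue for WebAuthn.
// Binary fields travel as base64url in JSON; the API wants ArrayBuffers.
// Endpoint paths (/register/start etc.) are assumptions.

function base64urlToBuffer(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/').padEnd(Math.ceil(s.length / 4) * 4, '=');
  const bin = atob(b64);
  const bytes = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
  return bytes.buffer;
}

function bufferToBase64url(buf) {
  let bin = '';
  for (const b of new Uint8Array(buf)) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// PublicKeyCredentialCreationOptions from the server's JSON (registration).
// Everything else (rp, pubKeyCredParams, timeout, attestation, ...) passes through.
function toCreationOptions(json) {
  return {
    ...json,
    challenge: base64urlToBuffer(json.challenge),
    user: { ...json.user, id: base64urlToBuffer(json.user.id) },
    excludeCredentials: (json.excludeCredentials || []).map((c) => ({ ...c, id: base64urlToBuffer(c.id) })),
  };
}

// PublicKeyCredentialRequestOptions from the server's JSON (login).
function toRequestOptions(json) {
  return {
    ...json,
    challenge: base64urlToBuffer(json.challenge),
    allowCredentials: (json.allowCredentials || []).map((c) => ({ ...c, id: base64urlToBuffer(c.id) })),
  };
}

// PublicKeyCredential -> JSON the server can parse. Handles both the attestation
// response (attestationObject) and the assertion response (authenticatorData,
// signature, userHandle); fields the response does not have are simply absent.
function credentialToJSON(cred) {
  const r = cred.response;
  const response = { clientDataJSON: bufferToBase64url(r.clientDataJSON) };
  if (r.attestationObject) response.attestationObject = bufferToBase64url(r.attestationObject);
  if (r.authenticatorData) response.authenticatorData = bufferToBase64url(r.authenticatorData);
  if (r.signature) response.signature = bufferToBase64url(r.signature);
  if (r.userHandle) response.userHandle = bufferToBase64url(r.userHandle);
  return { id: cred.id, rawId: bufferToBase64url(cred.rawId), type: cred.type, response };
}

const postJSON = (url, body) =>
  fetch(url, { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(body) });

// Registration round trip: username + display name in, new credential out.
async function register(username, displayName) {
  const options = toCreationOptions(await (await postJSON('/register/start', { username, displayName })).json());
  const cred = await navigator.credentials.create({ publicKey: options });
  return postJSON('/register/finish', credentialToJSON(cred));
}

// Login round trip: the server needs the username first to fill allowCredentials.
async function login(username) {
  const options = toRequestOptions(await (await postJSON('/login/start', { username })).json());
  const cred = await navigator.credentials.get({ publicKey: options });
  return postJSON('/login/finish', credentialToJSON(cred));
}
```

The conversion helpers are where most WebAuthn client bugs live: standard base64 (with + / and padding) is not accepted by the API's JSON consumers, and a challenge passed as a string instead of an ArrayBuffer is rejected by the browser before the authenticator is ever touched.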
Which responds:
Let's break it down...
id
A base64url encoded string representation of the rawId. It uniquely identifies the created credential.
rawId
The raw identifier of the credential, typically a byte array. It's the same as the id but in its raw binary form.
attestationObject
This is a base64 encoded CBOR map with three members: fmt, the attestation statement format ("none" here, since that is what the server asked for), attStmt, the attestation statement itself (an empty map for "none"), and authData, the authenticator data. The authenticator produces it to prove to the relying party (e.g., a website) that a new public key credential has been created.
The authData is binary encoded: the SHA-256 hash of the rpId (32 bytes), a flags byte (user present, user verified, attested credential data included), a 4-byte signature counter, and then the attested credential data, which holds the AAGUID identifying the authenticator model, the credential ID and the actual public key in COSE form:
clientDataJSON
This is a base64 encoded JSON string that contains information about the context in which the attestation was generated. Let's break down its decoded content:
challenge
This is the challenge that was sent by the relying party during the registration request, echoed back by the client. The server must compare it with the challenge it stored for this session, and then discard it, to ensure the response answers a recent request and is not a replay.
origin
The origin of the page that made the request. The server must check that it is exactly its own origin (scheme, host and port); a mismatch means the response was produced for a different site, which is how WebAuthn defeats phishing.
type
This indicates the type of operation, which in this context is "webauthn.create", meaning it's a credential creation operation.
type
This specifies the type of the public key credential, and it's set to "public-key" which means it's a public key credential.
We are now ready to submit data to the server.
The server will validate the request:
If everything matches (type "webauthn.create", challenge, origin, rpId hash and user presence flag), the new credential is stored with the user: its credential ID, public key and signature counter.
Which responds:
Let's break it down...
id
A base64url encoded string representation of the rawId. It identifies which of the user's registered credentials was used, and is the key under which the server looks up the stored public key.
rawId
The raw identifier of the credential, typically a byte array. It's the same as the id but in its raw binary form.
clientDataJSON
This is a base64 encoded JSON string that contains information about the context in which the assertion was generated. Let's break down its decoded content:
challenge
This is the challenge that was sent by the relying party in the login request. The authenticator's response must include this challenge to ensure the action was based on a recent request and not a replayed one.
origin
The origin of the request, indicating where the request came from.
type
This indicates the type of operation, which in this context is "webauthn.get", meaning it's an authentication (assertion) operation; a server must reject a "webauthn.create" here.
authenticatorData
This contains information about the authentication event: the SHA-256 hash of the rpId, the flags byte and the signature counter.
It is binary encoded and this time does not contain the public key, so it is just 37 bytes unless extensions are present:
signature
This is the authenticator's digital signature over the concatenation of the authenticatorData and the SHA-256 hash of the clientDataJSON. The website verifies it with the public key stored at registration; this is what proves the response came from the user's authenticator and answers the challenge it issued.
userHandle
An optional field which, if present, contains the user.id established during registration. It lets websites identify which user is trying to authenticate when no username was provided, as with resident keys. In this flow the server already knows the user from the username entered at the start, so it serves as a cross-check.
type
This specifies the type of the public key credential, and it's set to "public-key" which means it's a public key credential.
We are now ready to submit data to the server.
The server will validate the request:
If everything matches (type "webauthn.get", challenge, origin, rpId hash, flags and signature), the user is logged in and the credential's stored signature counter is updated.