README
¶
warp - WebAuthn Relying Party
warp is a WebAuthn Relying Party implementation which is intended to be 100% compliant with the W3C WebAuthn Level 1 standard while being HTTP implementation agnostic. It is completely standalone; simply provide your own HTTP server, backend storage and session storage.
Requires Go 1.13+
This library is still pre-v1, and API stability is not guaranteed. The library will adhere to SemVer and Go backward campatibilty promises.
Design goals
warp was built with the following goals in mind:
- 100% compliance with the WebAuthn Level 1 specification
- HTTP implementation agnostic. This library makes no assumptions about the structure or operation of your web application. Use your implementation's canonical method to parse the WebAuthn JSON.
- No assumptions about application data models. Implement and use the required interfaces wherever is appropriate in your implementation
- Minimal dependencies outside of the standard library, with those used chosen carefully to keep the dependency tree clean. At the time of this writing, the following external dependencies are used:
- fxamacker/cbor - A fantastic CBOR implementation by Faye Amacker
- Simple package structure - just one package to import
- Structure and member naming parity with the WebAuthn spec, so that you can follow along and understand
Specification coverage
- Key algorithms:
- Supported: ES256, ES384, ES512, EdDSA, RS1, RS256, RS384, RS512, PS256, PS384, PS512
- To be implemented: None plannned
- Attestation formats
- Supported: none
- To be implemented: packed, tpm, android-key, android-safetynet, fido-u2f
- Defined extensions
- Supported: appid
- To be implemented: txAuthSimple, txAuthGeneric, authnSel, exts, uvi, loc, uvm, biometricPerfBounds
High level API
WebAuthn relying parties have two responsibilities: managing the registration ceremony, and managing the authentication ceremony. In order to support these ceremonies, interfaces are defined such that the methods will return the required data.
Interfaces
RelyingParty
type RelyingParty interface {
ID() string
Name() string
Icon() string
Origin() string
}
RelyingParty contains all of the non-user-specific data required to be stored
or configured by the relying party for use during the registration or
authentication ceremonies.
ID() string: Returns the Relying Party ID, which scopes the credential. Credentials can only be used for authentication with the same entity (identified by RP ID) it was registered with. The RP ID must be equal to or a registrable domain suffix of the origin.Name() string: A human-palatable name for the Relying Party.Icon() string: A URL which resolves an image associated with the Relying Party. May be the empty string.Origin() string: The fully qualified origin of the Relying Party.
User
type User interface {
Name() string
Icon() string
ID() []byte
DisplayName() string
Credentials() map[string]Credential
}
User contains all of the user-specific information which needs to be stored and provided during the registration and authentication ceremonies.
Name() string: A human-palatable name for a user account, such as a username or email addressIcon() string: A URL which resolves to an image associated with the user. May be the empty string.ID() string: The user handle for the account. This should be an opaque byte sequence with a maximum of 64 bytes which does not contain any other identifying information about the user.DisplayName() string: A human-palatable name for a user account, such as a user's full name, intended for display.Credentials() map[string]Credentialreturns a map of objects which implement theCredentialinterface. The map is keyed by the base64url-encoded form of the credential ID.
Credential
type Credential interface {
User() User
ID() string
PublicKey() []byte
SignCount() uint
}
Credential contains the credential-specific information which needs to be stored and provided during the authentication ceremony to verify an authentication assertion.
User() User: Returns the object implementing theUserinterface to which this credential belongs.ID() string: The base64url-encoded credential ID.PublicKey() []byte: The credential public key as returned fromFinishRegistration. The key is encoded in the COSE key format, and may vary in size depending on the key algorithm.SignCount() uint: The stored signature counter. If the credential returns a signature counter that is less than this value, it is evidence of tampering or a duplicated credential, and the authentication ceremony will fail. If you do not wish to verify this, return0from this method.
Helper functions
UserFinder
type UserFinder func([]byte) (User, error)
UserFinder defines a function which takes a user handle as an argument and returns an object conforming to the User interface. If the user does not exist in the system, return nil and an appropriate error.
CredentialFinder
type CredentialFinder func(string) (Credential, error)
CredentialFinder defines a function which takes a base64url-encoded credential ID and returns an object conforming to the Credential interface. If the credential does not exist in the system, return nil and an appropriate error.
Registration:
StartRegistration
func StartRegistration(rp RelyingParty, user User, opts ...Option) (*PublicKeyCredentialCreationOptions, error)
StartRegistration begins the registration ceremony by generating a cryptographic challenge and sending it to the client along with information about the user and Relying Party in the form of a PublicKeyCredentialCreationOptions object.
The returned object or its data must be stored in the server-side session cache such that it can be reconstructed to pass to the
FinishRegistration function.
rp: any value which implements theRelyingPartyinterface.optional if the default port for the scheme is being used.user: any value which implements theUserinterface.opts: zero or moreOptionfunctions to adjust thePublicKeyCredentialCreationOptionsas needed. These do not need to be set, and likely shouldn't unless you know what you are doing. The following function generators are included:Timeout(uint): Sets the client timeoutExcludeCredentials([]PublicKeyCredentialDescriptors): Provides a list of credentials to excludeAuthenticatorSelection(AuthenticatorSelectionCriteria): Sets the criteria for choosing an authenticatorAttestation(AttestationConveyancePreference): Sets the preferred attestation conveyanceExtensions(...Extension)takes zero or moreExtensionwhich can be used to set WebAuthn client extension inputs
- A pointer to a
PublicKeyCredentialCreationOptionsstruct. This value must be marshaled to JSON and returned to the client. It must also be stored in a server-side session cache in order to verify the client's subsequent response. Returnsnilon error. - An error if there was a problem generating the options struct, or
nilon success.
FinishRegistration
func FinishRegistration(rp RelyingParty, credFinder CredentialFinder, opts *PublicKeyCredentialCreationOptions, cred *AttestationPublicKeyCredential) (string, []byte, error)
FinishRegistration completes the registration ceremony, by verifying the public key credential sent by the client against the stored creation options. If the verification is successful, a credential ID and public key are returned which must be stored. It is the responsibility of the implementor to store these and associate with the calling user.
rp: An object which implements theRelyingPartyinterfacecredFinder: A function conforming toCredentialFinderwhich is used to check if a credential ID already exists in the systemopts: A pointer to the storedPublicKeyCredentialCreationOptionswhich was previously sent to the clientcred: The parsedAttestationPublicKeyCredentialthat was sent from the client in response to the server challenge
- A string containing the base64url-encoded credential ID, or an empty string on error
- A byte slice containing the credential's public key in COSE key format, or
nilon error - An error identifying the cause of the registration failure, or
nilon success.
Authentication
StartAuthentication
func StartAuthentication(opts ...Option) (*PublicKeyCredentialRequestOptions, error)
StartAuthentication starts the authentication ceremony by generating a cryptographic challenge and sending it to the client along with options in the form of a PublicKeyCredentialRequestOptions object.
opts: zero or moreOptionfunctions to adjust thePublicKeyCredentialRequestOptionsas needed. These do not need to be set, and likely shouldn't unless you know what you are doing. The follownig function generators are included:Timeout(uint): Sets the client timeoutRelyingPartyID(string): Adds the explicit relying party ID to the objectAllowCredentials([]PublicKeyCredentialDescriptor): Restrict allowed credentialsUserVerification(UserVerificationRequirement): Require user verification (PIN, biometric, etc)
- A pointer to a
PublicKeyCredentialRequestOptionsstruct. This value must be marshaled to JSON and returned to the client. It must also be stored in a server-side session cache in order to verify the client's subsequent response. Returnsnilon error. - An error if there was a problem generating the options struct, or
nilon success.
FinishAuthentication
func FinishAuthentication(rp RelyingParty, userFinder UserFinder, opts *PublicKeyCredentialRequestOptions, cred *AssertionPublicKeyCredential) (uint, error)
FinishAuthentication completes the authentication ceremony by verifying the signed challenge and credential data with the stored public key for the credential. If the verification is successful, it returns a new signature counter value to be stored, and a nil error. Otherwise, 0 and an error describing the failure are returned. It is the responsibility of the caller to store the updated signature counter if they are choosing to verify this.
rp: An object implementing theRelyingPartyinterface.userFinder: A function conforming to theUserFindertype which accepts a user handle as an argument and returns an object implementing theUserinterface. If the caller is not implementing the passwordless/single factor flow, the function can ignore the user handle and just return the already-knownUser.opts: A pointer to the storedPublicKeyCredentialRequestOptionswhich was previously sent to the client.cred: The parsedAssertionPublicKeyCredentialthat was sent from the client in response to the server challenge.
- An unsigned int which is the new signature counter returned by the authenticator. This value should be stored with the credential.
- An error if there was a problem verifying the user, or
nilon success
License
Copyright (c) 2020 Nick Meyer.
This project is released under the MIT license
Documentation
¶
Index ¶
- Constants
- Variables
- func DecodePublicKey(coseKey *COSEKey) (crypto.PublicKey, error)
- func EffectiveRPID(rp RelyingParty, in AuthenticationExtensionsClientInputs, ...) string
- func FinishAuthentication(rp RelyingParty, userFinder UserFinder, ...) (uint, error)
- func FinishRegistration(rp RelyingParty, credFinder CredentialFinder, ...) (string, []byte, error)
- func VerifyAppID(_, out interface{}) error
- func VerifyNoneAttestationStatement(attStmt []byte, _ []byte, _ [32]byte) error
- func VerifySignature(rawKey cbor.RawMessage, message, sig []byte) error
- type AssertionPublicKeyCredential
- type AttestationConveyancePreference
- type AttestationObject
- type AttestationPublicKeyCredential
- type AttestationStatementFormat
- type AttestedCredentialData
- type AuthenticationExtensionsClientInputs
- type AuthenticationExtensionsClientOutputs
- type AuthenticatorAssertionResponse
- type AuthenticatorAttachment
- type AuthenticatorAttestationResponse
- type AuthenticatorData
- type AuthenticatorResponse
- type AuthenticatorSelectionCriteria
- type AuthenticatorTransport
- type CMCredential
- type COSEAlgorithmIdentifier
- type COSEEllipticCurve
- type COSEKey
- type COSEKeyType
- type CollectedClientData
- type Credential
- type CredentialCreationOptions
- type CredentialFinder
- type CredentialRequestOptions
- type Error
- type Extension
- type ExtensionValidator
- type Option
- func AllowCredentials(creds []PublicKeyCredentialDescriptor) Option
- func Attestation(pref AttestationConveyancePreference) Option
- func AuthenticatorSelection(criteria AuthenticatorSelectionCriteria) Option
- func ExcludeCredentials(creds []PublicKeyCredentialDescriptor) Option
- func Extensions(exts ...Extension) Option
- func RelyingPartyID(rpID string) Option
- func Timeout(timeout uint) Option
- func UserVerification(req UserVerificationRequirement) Option
- type PublicKeyCredential
- type PublicKeyCredentialCreationOptions
- type PublicKeyCredentialDescriptor
- type PublicKeyCredentialEntity
- type PublicKeyCredentialParameters
- type PublicKeyCredentialRPEntity
- type PublicKeyCredentialRequestOptions
- type PublicKeyCredentialType
- type PublicKeyCredentialUserEntity
- type RelyingParty
- type TokenBinding
- type TokenBindingStatus
- type User
- type UserFinder
- type UserVerificationRequirement
Constants ¶
const ( StatusSupported = "supported" StatusPresent = "present" )
enum values for the TokenBindingStatus type
const (
ExtensionAppID = "appid"
)
Identifiers for defined extensions
Variables ¶
var ( ErrDecodeAttestedCredentialData = Error{/* contains filtered or unexported fields */} ErrDecodeAuthenticatorData = Error{/* contains filtered or unexported fields */} ErrDecodeCOSEKey = Error{/* contains filtered or unexported fields */} ErrGenerateChallenge = Error{/* contains filtered or unexported fields */} ErrOption = Error{/* contains filtered or unexported fields */} ErrNotImplemented = Error{/* contains filtered or unexported fields */} ErrVerifyAttestation = Error{/* contains filtered or unexported fields */} ErrVerifyAuthentication = Error{/* contains filtered or unexported fields */} ErrVerifyClientExtensionOutput = Error{/* contains filtered or unexported fields */} ErrVerifyRegistration = Error{/* contains filtered or unexported fields */} ErrVerifySignature = Error{/* contains filtered or unexported fields */} )
Categorical top-level errors
var ChallengeLength = 32
ChallengeLength represents the size of the generated challenge. Must be greater than 16.
var ExtensionValidators map[string]ExtensionValidator = map[string]ExtensionValidator{ ExtensionAppID: VerifyAppID, }
ExtensionValidators is a map to all implemented extension validators
Functions ¶
func DecodePublicKey ¶
DecodePublicKey parses a crypto.PublicKey from a COSEKey
func EffectiveRPID ¶
func EffectiveRPID(rp RelyingParty, in AuthenticationExtensionsClientInputs, out AuthenticationExtensionsClientOutputs) string
EffectiveRPID returns the effective relying party ID for the ceremony based on the usage of the AppID extension
func FinishAuthentication ¶
func FinishAuthentication( rp RelyingParty, userFinder UserFinder, opts *PublicKeyCredentialRequestOptions, cred *AssertionPublicKeyCredential, ) (uint, error)
FinishAuthentication completes the authentication ceremony by validating the provided credential assertion against the stored public key.
func FinishRegistration ¶
func FinishRegistration( rp RelyingParty, credFinder CredentialFinder, opts *PublicKeyCredentialCreationOptions, cred *AttestationPublicKeyCredential, ) ( string, []byte, error, )
FinishRegistration completes the registration ceremony by validating the provided public key credential, and returns the credential elements that need to be stored.
func VerifyAppID ¶
func VerifyAppID(_, out interface{}) error
VerifyAppID verifies the AppID extension response
func VerifyNoneAttestationStatement ¶
VerifyNoneAttestationStatement verifies that at attestation statement of type "none" is valid
func VerifySignature ¶
func VerifySignature(rawKey cbor.RawMessage, message, sig []byte) error
VerifySignature verifies a signature using a provided COSEKey, message, and signature
Types ¶
type AssertionPublicKeyCredential ¶
type AssertionPublicKeyCredential struct {
PublicKeyCredential
Response AuthenticatorAssertionResponse `json:"response"`
}
AssertionPublicKeyCredential is the PublicKeyCredential returned from a call to navigator.credentials.get(), with an AuthenticatorAssertionResponse
type AttestationConveyancePreference ¶
type AttestationConveyancePreference string
AttestationConveyancePreference may be used by relying parties to specify their preference regarding attestation conveyance during credential generation.
const ( ConveyanceNone AttestationConveyancePreference = "none" ConveyanceIndirect AttestationConveyancePreference = "indirect" ConveyanceDirect AttestationConveyancePreference = "direct" )
enum values for AttestationConveyancePreference type
type AttestationObject ¶
type AttestationObject struct {
AuthData []byte `cbor:"authData"`
Fmt AttestationStatementFormat `cbor:"fmt"`
AttStmt cbor.RawMessage `cbor:"attStmt"`
}
AttestationObject contains both authenticator data and an attestation statement.
type AttestationPublicKeyCredential ¶
type AttestationPublicKeyCredential struct {
PublicKeyCredential
Response AuthenticatorAttestationResponse `json:"response"`
}
AttestationPublicKeyCredential is the PublicKeyCredential returned from a call to navigator.credentials.create(), with an AuthenticatorAttestationResponse
type AttestationStatementFormat ¶
type AttestationStatementFormat string
AttestationStatementFormat is the identifier for an attestation statement format.
const ( AttestationFormatPacked AttestationStatementFormat = "packed" AttestationFormatTPM AttestationStatementFormat = "tpm" AttestationFormatAndroidKey AttestationStatementFormat = "android-key" AttestationFormatAndroidSafetyNet AttestationStatementFormat = "android-safetynet" AttestationFormatFidoU2F AttestationStatementFormat = "fido-u2f" AttestationFormatNone AttestationStatementFormat = "none" )
enum values for AttestationStatementFormat
func SupportedAttestationStatementFormats ¶
func SupportedAttestationStatementFormats() []AttestationStatementFormat
SupportedAttestationStatementFormats returns the list of attestation formats currently supported by the library
func (AttestationStatementFormat) Valid ¶
func (asf AttestationStatementFormat) Valid() error
Valid determines if the Attestation Format Identifier is a valid value
type AttestedCredentialData ¶
type AttestedCredentialData struct {
AAGUID [16]byte
CredentialID []byte
CredentialPublicKey COSEKey
}
AttestedCredentialData is a variable-length byte array added to the authenticator data when generating an attestation object for a given credential. §6.4.1
type AuthenticationExtensionsClientInputs ¶
type AuthenticationExtensionsClientInputs map[string]interface{}
AuthenticationExtensionsClientInputs contains the client extension input values for zero or more extensions. §5.7
func BuildExtensions ¶
func BuildExtensions(exts ...Extension) AuthenticationExtensionsClientInputs
BuildExtensions builds the extension map to be added to the options object
type AuthenticationExtensionsClientOutputs ¶
type AuthenticationExtensionsClientOutputs map[string]interface{}
AuthenticationExtensionsClientOutputs containing the client extension output values for zero or more WebAuthn extensions. §5.8
type AuthenticatorAssertionResponse ¶
type AuthenticatorAssertionResponse struct {
AuthenticatorResponse
AuthenticatorData []byte `json:"authenticatorData"`
Signature []byte `json:"signature"`
UserHandle []byte `json:"userHandle"`
}
AuthenticatorAssertionResponse represents an authenticator's response to a client’s request for generation of a new authentication assertion given the WebAuthn Relying Party's challenge and OPTIONAL list of credentials it is aware of.
type AuthenticatorAttachment ¶
type AuthenticatorAttachment string
AuthenticatorAttachment describes authenticators' attachment modalities.
const ( AttachmentPlatform AuthenticatorAttachment = "platform" AttachmentCrossPlatform AuthenticatorAttachment = "cross-platform" )
enum values for AuthenticatorAttachment type
type AuthenticatorAttestationResponse ¶
type AuthenticatorAttestationResponse struct {
AuthenticatorResponse
AttestationObject []byte `json:"attestationObject"`
}
AuthenticatorAttestationResponse represents the authenticator's response to a client’s request for the creation of a new public key credential.
type AuthenticatorData ¶
type AuthenticatorData struct {
RPIDHash [32]byte
UP bool
UV bool
AT bool
ED bool
SignCount uint32
AttestedCredentialData AttestedCredentialData
Extensions map[string]interface{}
}
AuthenticatorData encodes contextual bindings made by the authenticator.
type AuthenticatorResponse ¶
type AuthenticatorResponse struct {
ClientDataJSON []byte `json:"clientDataJSON"`
}
AuthenticatorResponse is the is the basic authenticator response
type AuthenticatorSelectionCriteria ¶
type AuthenticatorSelectionCriteria struct {
AuthenticatorAttachment AuthenticatorAttachment `json:"authenticatorAttachment,omitempty"`
RequireResidentKey bool `json:"requireResidentKey,omitempty"`
UserVerification UserVerificationRequirement `json:"userVerification,omitempty"`
}
AuthenticatorSelectionCriteria may be used to specify their requirements regarding authenticator attributes.
type AuthenticatorTransport ¶
type AuthenticatorTransport string
AuthenticatorTransport defines hints as to how clients might communicate with a particular authenticator in order to obtain an assertion for a specific credential.
const ( TransportUSB AuthenticatorTransport = "usb" TransportNFC AuthenticatorTransport = "nfc" TransportBLE AuthenticatorTransport = "ble" TransportInternal AuthenticatorTransport = "internal" )
enum values for AuthenticatorTransport type
type CMCredential ¶
CMCredential is the basic Credential Management Credential type that is inherited by PublicKeyCredential
type COSEAlgorithmIdentifier ¶
type COSEAlgorithmIdentifier int
COSEAlgorithmIdentifier is a number identifying a cryptographic algorithm
const ( AlgorithmRS1 COSEAlgorithmIdentifier = -65535 AlgorithmRS512 COSEAlgorithmIdentifier = -259 AlgorithmRS384 COSEAlgorithmIdentifier = -258 AlgorithmRS256 COSEAlgorithmIdentifier = -257 AlgorithmPS512 COSEAlgorithmIdentifier = -39 AlgorithmPS384 COSEAlgorithmIdentifier = -38 AlgorithmPS256 COSEAlgorithmIdentifier = -37 AlgorithmES512 COSEAlgorithmIdentifier = -36 AlgorithmES384 COSEAlgorithmIdentifier = -35 AlgorithmEdDSA COSEAlgorithmIdentifier = -8 AlgorithmES256 COSEAlgorithmIdentifier = -7 )
enum values for COSEAlgorithmIdentifier type
func SupportedKeyAlgorithms ¶
func SupportedKeyAlgorithms() []COSEAlgorithmIdentifier
SupportedKeyAlgorithms returns the list of key algorithms currently supported by the library
type COSEEllipticCurve ¶
type COSEEllipticCurve int
COSEEllipticCurve is a number identifying an elliptic curve
const ( CurveP256 COSEEllipticCurve = 1 CurveP384 COSEEllipticCurve = 2 CurveP521 COSEEllipticCurve = 3 )
enum values for COSEEllipticCurve type
type COSEKey ¶
type COSEKey struct {
Kty int `cbor:"1,keyasint,omitempty"`
Kid []byte `cbor:"2,keyasint,omitempty"`
Alg int `cbor:"3,keyasint,omitempty"`
KeyOpts int `cbor:"4,keyasint,omitempty"`
IV []byte `cbor:"5,keyasint,omitempty"`
CrvOrNOrK cbor.RawMessage `cbor:"-1,keyasint,omitempty"` // K for symmetric keys, Crv for elliptic curve keys, N for RSA modulus
XOrE cbor.RawMessage `cbor:"-2,keyasint,omitempty"` // X for curve x-coordinate, E for RSA public exponent
Y cbor.RawMessage `cbor:"-3,keyasint,omitempty"` // Y for curve y-cooridate
D []byte `cbor:"-4,keyasint,omitempty"`
}
COSEKey represents a key decoded from COSE format.
type COSEKeyType ¶
type COSEKeyType int
COSEKeyType is a number identifying a key type
const ( KeyTypeOKP COSEKeyType = 1 KeyTypeEC2 COSEKeyType = 2 KeyTypeRSA COSEKeyType = 3 )
enum values for COSEKeyType type
type CollectedClientData ¶
type CollectedClientData struct {
Type string `json:"type"`
Challenge string `json:"challenge"`
Origin string `json:"origin"`
TokenBinding *TokenBinding `json:"tokenBinding,omitempty"`
}
CollectedClientData represents the contextual bindings of both the WebAuthn Relying Party and the client.
type Credential ¶
Credential defines functions which return data required about the stored credentials
type CredentialCreationOptions ¶
type CredentialCreationOptions struct {
PublicKey PublicKeyCredentialCreationOptions `json:"publicKey"`
}
CredentialCreationOptions specifies the parameters to create a credential
type CredentialFinder ¶
type CredentialFinder func(string) (Credential, error)
CredentialFinder defines a function which takes a credential ID as a parameter and returns an object which implements the Credential interface and an error
type CredentialRequestOptions ¶
type CredentialRequestOptions struct {
PublicKey PublicKeyCredentialRequestOptions `json:"publicKey"`
}
CredentialRequestOptions specifies the parameters to retrieve a credential
type Error ¶
type Error struct {
// contains filtered or unexported fields
}
Error represents an error in a WebAuthn relying party operation
type Extension ¶
type Extension func(AuthenticationExtensionsClientInputs)
Extension defines an extension to a creation options or request options object
type ExtensionValidator ¶
type ExtensionValidator func(interface{}, interface{}) error
ExtensionValidator defines a function which validates an extension output
type Option ¶
type Option func(interface{}) error
Option is a function that can be passed as a parameter to StartRegistration or StartAuthentication functions which adjusts the final options object. Options must typecheck for a pointer to PublicKeyCredentialCreationOptions or PublicKeyCredentialRequestOptions
func AllowCredentials ¶
func AllowCredentials(creds []PublicKeyCredentialDescriptor) Option
AllowCredentials returns an option that adds a list of allowed credentials to the credential request object
func Attestation ¶
func Attestation(pref AttestationConveyancePreference) Option
Attestation returns an option that adds an attestation conveyance preference to the creation options object
func AuthenticatorSelection ¶
func AuthenticatorSelection(criteria AuthenticatorSelectionCriteria) Option
AuthenticatorSelection returns an option that adds authenticator selection criteria to the creation options object
func ExcludeCredentials ¶
func ExcludeCredentials(creds []PublicKeyCredentialDescriptor) Option
ExcludeCredentials returns an option that adds a list of credentials to exclude to the creation options object
func Extensions ¶
Extensions returns an option that adds one or more extensions to the creation options object or request options object
func RelyingPartyID ¶
RelyingPartyID returns an option that specifies the Relying Party ID in the credential request object
func Timeout ¶
Timeout returns an option that adds a custom timeout to the credential creation options or credential request options object
func UserVerification ¶
func UserVerification(req UserVerificationRequirement) Option
UserVerification returns an option that adds the relying party argument for user verification to the credential request object
type PublicKeyCredential ¶
type PublicKeyCredential struct {
CMCredential
RawID []byte `json:"rawId"`
Extensions AuthenticationExtensionsClientOutputs `json:"extensions,omitempty"`
}
PublicKeyCredential inherits from Credential and contains the attributes that are returned to the caller when a new credential is created, or a new assertion is requested.
type PublicKeyCredentialCreationOptions ¶
type PublicKeyCredentialCreationOptions struct {
RP PublicKeyCredentialRPEntity `json:"rp"`
User PublicKeyCredentialUserEntity `json:"user"`
Challenge []byte `json:"challenge"`
PubKeyCredParams []PublicKeyCredentialParameters `json:"pubKeyCredParams"`
Timeout uint `json:"timeout,omitempty"`
ExcludeCredentials []PublicKeyCredentialDescriptor `json:"excludeCredentials,omitempty"`
AuthenticatorSelection *AuthenticatorSelectionCriteria `json:"authenticatorSelection,omitempty"`
Attestation AttestationConveyancePreference `json:"attestation,omitempty"`
Extensions AuthenticationExtensionsClientInputs `json:"extensions,omitempty"`
}
PublicKeyCredentialCreationOptions represent options for credential creation
func StartRegistration ¶
func StartRegistration( rp RelyingParty, user User, opts ...Option, ) ( *PublicKeyCredentialCreationOptions, error, )
StartRegistration starts the registration ceremony by creating a credential creation options object to be sent to the client.
type PublicKeyCredentialDescriptor ¶
type PublicKeyCredentialDescriptor struct {
Type PublicKeyCredentialType `json:"type"`
ID []byte `json:"id"`
Transports []AuthenticatorTransport `json:"transports,omitempty"`
}
PublicKeyCredentialDescriptor contains the attributes that are specified by a caller when referring to a public key credential as an input parameter to the create() or get() methods.
type PublicKeyCredentialEntity ¶
type PublicKeyCredentialEntity struct {
Name string `json:"name"`
Icon string `json:"icon,omitempty"`
}
PublicKeyCredentialEntity describes a user account, or a WebAuthn Relying Party, which a public key credential is associated with or scoped to, respectively.
type PublicKeyCredentialParameters ¶
type PublicKeyCredentialParameters struct {
Type PublicKeyCredentialType `json:"type"`
Alg COSEAlgorithmIdentifier `json:"alg"`
}
PublicKeyCredentialParameters is used to supply additional parameters when creating a new credential.
func SupportedPublicKeyCredentialParameters ¶
func SupportedPublicKeyCredentialParameters() []PublicKeyCredentialParameters
SupportedPublicKeyCredentialParameters enumerates the credential types and algorithms currently supported by this library.
type PublicKeyCredentialRPEntity ¶
type PublicKeyCredentialRPEntity struct {
PublicKeyCredentialEntity
ID string `json:"id,omitempty"`
}
PublicKeyCredentialRPEntity is used to supply additional Relying Party attributes when creating a new credential.
type PublicKeyCredentialRequestOptions ¶
type PublicKeyCredentialRequestOptions struct {
Challenge []byte `json:"challenge"`
Timeout uint `json:"timeout,omitempty"`
RPID string `json:"rpId,omitempty"`
AllowCredentials []PublicKeyCredentialDescriptor `json:"allowCredentials,omitempty"`
UserVerification UserVerificationRequirement `json:"userVerification,omitempty"`
Extensions AuthenticationExtensionsClientInputs `json:"extensions,omitempty"`
}
PublicKeyCredentialRequestOptions supplies get() with the data it needs to generate an assertion.
func StartAuthentication ¶
func StartAuthentication( opts ...Option, ) ( *PublicKeyCredentialRequestOptions, error, )
StartAuthentication starts the authentication ceremony by creating a credential request options object to be sent to the client
type PublicKeyCredentialType ¶
type PublicKeyCredentialType string
PublicKeyCredentialType defines the valid credential types.
const (
PublicKey PublicKeyCredentialType = "public-key"
)
enum values for PublicKeyCredentialType type
type PublicKeyCredentialUserEntity ¶
type PublicKeyCredentialUserEntity struct {
PublicKeyCredentialEntity
ID []byte `json:"id"`
DisplayName string `json:"displayName"`
}
PublicKeyCredentialUserEntity is used to supply additional user account attributes when creating a new credential.
type RelyingParty ¶
RelyingParty defines functions which return data required about the Relying Party in order to perform WebAuthn transactions.
type TokenBinding ¶
type TokenBinding struct {
Status TokenBindingStatus `json:"status"`
ID string `json:"id,omitempty"`
}
TokenBinding contains information about the state of the Token Binding protocol used when communicating with the Relying Party.
type TokenBindingStatus ¶
type TokenBindingStatus string
TokenBindingStatus represents a token binding status value.
type User ¶
type User interface {
Name() string
Icon() string
ID() []byte
DisplayName() string
Credentials() map[string]Credential
}
User defines functions which return data required about the authenticating user in order to perform WebAuthn transactions.
type UserFinder ¶
UserFinder defines a function which takes a user handle as a parameter and returns an object which implements the User interface and an error
type UserVerificationRequirement ¶
type UserVerificationRequirement string
UserVerificationRequirement describes relying party user verification requirements
const ( VerificationRequired UserVerificationRequirement = "required" VerificationPreferred UserVerificationRequirement = "preferred" VerificationDiscouraged UserVerificationRequirement = "discouraged" )
enum values for UserVerificationRequirement type
Source Files
Directories