Documentation ¶
Overview ¶
protocol is a low-level package that closely resembles the WebAuthn specification. You should prefer to use the webauthn package. The main methods in this package are ParseAttestationResponse, ParseAssertionResponse, IsValidAssertion and IsValidAttestation.
The version of the specification that is implemented is https://www.w3.org/TR/2018/CR-webauthn-20180807/.
Index ¶
- Constants
- Variables
- func IsValidAssertion(p ParsedAssertionResponse, originalChallenge []byte, ...) (bool, error)
- func IsValidAttestation(p ParsedAttestationResponse, originalChallenge []byte, ...) (bool, error)
- func RegisterFormat(name string, f AttestationFormatFunction)
- type AssertionResponse
- type Attestation
- type AttestationConveyancePreference
- type AttestationFormatFunction
- type AttestationResponse
- type AttestedCredentialData
- type AuthenticationExtensionsClientInputs
- type AuthenticatorAssertionResponse
- type AuthenticatorAttachment
- type AuthenticatorAttestationResponse
- type AuthenticatorData
- type AuthenticatorDataFlags
- type AuthenticatorResponse
- type AuthenticatorSelectionCriteria
- type AuthenticatorTransport
- type COSEAlgorithmIdentifier
- type Challenge
- type CollectedClientData
- type CredentialCreationOptions
- type CredentialRequestOptions
- type Error
- func (e *Error) Error() string
- func (e *Error) WithCause(cause error) *Error
- func (e *Error) WithDebug(debug string) *Error
- func (e *Error) WithDebugf(debug string, args ...interface{}) *Error
- func (e *Error) WithHint(hint string) *Error
- func (e *Error) WithHintf(hint string, args ...interface{}) *Error
- type ParsedAssertionResponse
- type ParsedAttestationResponse
- type ParsedAuthenticatorAssertionResponse
- type ParsedAuthenticatorAttestationResponse
- type ParsedAuthenticatorResponse
- type ParsedPublicKeyCredential
- type PublicKeyCredential
- type PublicKeyCredentialCreationOptions
- type PublicKeyCredentialDescriptor
- type PublicKeyCredentialEntity
- type PublicKeyCredentialParameters
- type PublicKeyCredentialRequestOptions
- type PublicKeyCredentialRpEntity
- type PublicKeyCredentialType
- type PublicKeyCredentialUserEntity
- type TokenBinding
- type TokenBindingStatus
- type UserVerificationRequirement
Constants ¶
const (
	// AuthenticatorTransportUSB indicates the respective authenticator can be contacted over removable USB.
	AuthenticatorTransportUSB AuthenticatorTransport = "usb"
	// AuthenticatorTransportNFC indicates the respective authenticator can be contacted over Near Field Communication (NFC).
	AuthenticatorTransportNFC = "nfc"
	// AuthenticatorTransportBLE indicates the respective authenticator can be contacted over Bluetooth Smart (Bluetooth Low Energy / BLE).
	AuthenticatorTransportBLE = "ble"
	// AuthenticatorTransportInternal indicates the respective authenticator is contacted using a client device-specific transport. These
	// authenticators are not removable from the client device.
	AuthenticatorTransportInternal = "internal"
)
const (
	// UserVerificationRequired indicates that the Relying Party requires user verification for the operation and will fail the
	// operation if the response does not have the UV flag set.
	UserVerificationRequired UserVerificationRequirement = "required"
	// UserVerificationPreferred indicates that the Relying Party prefers user verification for the operation if possible, but
	// will not fail the operation if the response does not have the UV flag set.
	UserVerificationPreferred = "preferred"
	// UserVerificationDiscouraged indicates that the Relying Party does not want user verification employed during the operation
	// (e.g., in the interest of minimizing disruption to the user interaction flow).
	UserVerificationDiscouraged = "discouraged"
)
const (
	// AttestationConveyancePreferenceNone indicates that the Relying Party is not interested in authenticator attestation. For example, in
	// order to potentially avoid having to obtain user consent to relay identifying information to the Relying Party,
	// or to save a roundtrip to an Attestation CA. This is the default value.
	AttestationConveyancePreferenceNone = "none"
	// AttestationConveyancePreferenceIndirect indicates that the Relying Party prefers an attestation conveyance yielding verifiable attestation
	// statements, but allows the client to decide how to obtain such attestation statements. The client MAY replace
	// the authenticator-generated attestation statements with attestation statements generated by an Anonymization CA,
	// in order to protect the user’s privacy, or to assist Relying Parties with attestation verification in a
	// heterogeneous ecosystem.
	AttestationConveyancePreferenceIndirect = "indirect"
	// AttestationConveyancePreferenceDirect indicates that the Relying Party wants to receive the attestation statement as generated by the
	// authenticator.
	AttestationConveyancePreferenceDirect = "direct"
)
const (
	// AuthenticatorDataFlagUserPresent indicates the UP flag.
	AuthenticatorDataFlagUserPresent = 0x001 // 0000 0001
	// AuthenticatorDataFlagUserVerified indicates the UV flag.
	AuthenticatorDataFlagUserVerified = 0x004 // 0000 0100
	// AuthenticatorDataFlagHasCredentialData indicates the AT flag.
	AuthenticatorDataFlagHasCredentialData = 0x040 // 0100 0000
	// AuthenticatorDataFlagHasExtension indicates the ED flag.
	AuthenticatorDataFlagHasExtension = 0x080 // 1000 0000
)
const ChallengeSize = 32
ChallengeSize represents the size of a challenge created by NewChallenge.
Variables ¶
var (
	ErrInvalidSignature = &Error{
		Name:        "invalid_signature",
		Description: "The signature is invalid",
		Hint:        "Check that the provided token is in the correct format",
		Code:        http.StatusUnauthorized,
	}
	ErrInvalidRequest = &Error{
		Name:        "invalid_request",
		Description: "The request is malformed",
		Hint:        "Make sure that the parameters provided are correct",
		Code:        http.StatusBadRequest,
	}
	ErrUnsupportedAttestationFormat = &Error{
		Name:        "unsupported_attestation_format",
		Description: "The attestation format is unsupported",
		Code:        http.StatusBadRequest,
	}
	ErrInvalidAttestation = &Error{
		Name:        "invalid_attestation",
		Description: "The attestation is malformed",
		Hint:        "Check that you provided a token in the right format.",
		Code:        http.StatusBadRequest,
	}
	ErrInvalidType = &Error{
		Name:        "invalid_type",
		Description: "The attestion/assertion type is invalid",
		Hint:        "Check that the client data was submitted for the right call",
		Code:        http.StatusBadRequest,
	}
	ErrInvalidChallenge = &Error{
		Name:        "invalid_challenge",
		Description: "The challenge is invalid",
		Hint:        "Check that the challenge was supplied for the right request",
		Code:        http.StatusBadRequest,
	}
	ErrInvalidOrigin = &Error{
		Name:        "invalid_origin",
		Description: "The origin is invalid",
		Code:        http.StatusBadRequest,
	}
	ErrNoUserPresent = &Error{
		Name:        "no_user_present",
		Description: "No user was presented during authentication",
		Code:        http.StatusBadRequest,
	}
)
Default errors returned by this package.
Functions ¶
func IsValidAssertion ¶
func IsValidAssertion(p ParsedAssertionResponse, originalChallenge []byte, relyingPartyID, relyingPartyOrigin string, cert *x509.Certificate) (bool, error)
IsValidAssertion may be used to check whether an assertion is valid. If originalChallenge is nil, the challenge value will not be checked (INSECURE). If relyingPartyID is empty, the relying party ID hash will not be checked (INSECURE). If relyingPartyOrigin is empty, the relying party origin will not be checked (INSECURE). If cert is nil, the hash will not be checked (INSECURE). Before calling this method, clients should execute the following steps: if the allowCredentials option was given when this authentication ceremony was initiated, verify that credential.id identifies one of the public key credentials that were listed in allowCredentials; if credential.response.userHandle is present, verify that the user identified by this value is the owner of the public key credential identified by credential.id. If the data is invalid, an error is returned, usually of the type Error.
func IsValidAttestation ¶
func IsValidAttestation(p ParsedAttestationResponse, originalChallenge []byte, relyingPartyID, relyingPartyOrigin string) (bool, error)
IsValidAttestation may be used to check whether an attestation is valid. If originalChallenge is nil, the challenge value will not be checked (INSECURE). If relyingPartyID is empty, the relying party ID hash will not be checked (INSECURE). If relyingPartyOrigin is empty, the relying party origin will not be checked (INSECURE). If the data is invalid, an error is returned, usually of the type Error.
func RegisterFormat ¶
func RegisterFormat(name string, f AttestationFormatFunction)
RegisterFormat will register an attestation format. If the name already exists, it will be overwritten without warning.
Types ¶
type AssertionResponse ¶
type AssertionResponse struct {
	PublicKeyCredential
	// This attribute contains the authenticator's response to the client’s request to generate an authentication assertion.
	Response AuthenticatorAssertionResponse `json:"response"`
}
AssertionResponse contains the attributes that are returned to the caller when a new assertion is requested. https://www.w3.org/TR/webauthn/#publickeycredential
type Attestation ¶
type Attestation struct {
	Fmt      string                 `json:"fmt"`
	AuthData AuthenticatorData      `json:"authData"`
	AttStmt  map[string]interface{} `json:"attStmt"`
}
Attestation represents the attestationObject. An important component of the attestation object is the attestation statement. This is a specific type of signed data object, containing statements about a public key credential itself and the authenticator that created it. It contains an attestation signature created using the key of the attesting authority (except for the case of self attestation, when it is created using the credential private key). In order to correctly interpret an attestation statement, a Relying Party needs to understand these two aspects of attestation: https://www.w3.org/TR/webauthn/#attestation-object
func (Attestation) IsValid ¶
func (a Attestation) IsValid(relyingPartyID string, clientDataHash []byte) error
IsValid checks whether the Attestation is valid. If relyingPartyID is empty, the relying party ID hash will not be checked (INSECURE). To register a new attestation type, use RegisterFormat. If the data is invalid, an error is returned, usually of the type Error.
type AttestationConveyancePreference ¶
type AttestationConveyancePreference string
AttestationConveyancePreference may be used by WebAuthn Relying Parties to specify their preference regarding attestation conveyance during credential generation. https://www.w3.org/TR/webauthn/#enumdef-attestationconveyancepreference
type AttestationFormatFunction ¶
type AttestationFormatFunction func(Attestation, []byte) error
AttestationFormatFunction will be called when checking whether an Attestation is valid.
type AttestationResponse ¶
type AttestationResponse struct {
	PublicKeyCredential
	// This attribute contains the authenticator's response to the client’s request to create a public key credential.
	Response AuthenticatorAttestationResponse `json:"response"`
}
AttestationResponse contains the attributes that are returned to the caller when a new credential is created. https://www.w3.org/TR/webauthn/#publickeycredential
type AttestedCredentialData ¶
type AttestedCredentialData struct {
	// The AAGUID of the authenticator.
	AAGUID []byte
	// A probabilistically-unique byte sequence identifying a public key credential source and its authentication
	// assertions.
	CredentialID []byte
	// The decoded credential public key.
	COSEKey interface{}
}
AttestedCredentialData represents the AttestedCredentialData type in the WebAuthn specification. https://www.w3.org/TR/webauthn/#attested-credential-data
type AuthenticationExtensionsClientInputs ¶
type AuthenticationExtensionsClientInputs map[string]interface{}
AuthenticationExtensionsClientInputs contains the client extension input values for zero or more WebAuthn extensions, as defined in §9 WebAuthn Extensions. https://www.w3.org/TR/webauthn/#dictdef-authenticationextensionsclientinputs
type AuthenticatorAssertionResponse ¶
type AuthenticatorAssertionResponse struct {
	AuthenticatorResponse
	// This attribute contains the authenticator data returned by the authenticator. See §6.1 Authenticator data.
	AuthenticatorData []byte `json:"authenticatorData"`
	// This attribute contains the raw signature returned from the authenticator. See §6.3.3 The
	// authenticatorGetAssertion operation.
	Signature []byte `json:"signature"`
	// This attribute contains the user handle returned from the authenticator, or null if the authenticator did not
	// return a user handle. See §6.3.3 The authenticatorGetAssertion operation.
	UserHandle []byte `json:"userHandle,omitempty"`
}
The AuthenticatorAssertionResponse interface represents an authenticator's response to a client’s request for generation of a new authentication assertion given the WebAuthn Relying Party's challenge and OPTIONAL list of credentials it is aware of. This response contains a cryptographic signature proving possession of the credential private key, and optionally evidence of user consent to a specific transaction. https://www.w3.org/TR/webauthn/#authenticatorassertionresponse
type AuthenticatorAttachment ¶
type AuthenticatorAttachment string
AuthenticatorAttachment's values describe authenticators' attachment modalities. Relying Parties use this for two purposes: to express a preferred authenticator attachment modality when calling navigator.credentials.create() to create a credential, and to inform the client of the Relying Party's best belief about how to locate the managing authenticators of the credentials listed in allowCredentials when calling navigator.credentials.get(). https://www.w3.org/TR/webauthn/#enumdef-authenticatorattachment
const (
	// AuthenticatorAttachmentPlatform indicates platform attachment.
	AuthenticatorAttachmentPlatform AuthenticatorAttachment = "platform"
	// AuthenticatorAttachmentCrossPlatform indicates cross-platform attachment.
	AuthenticatorAttachmentCrossPlatform = "cross-platform"
)
type AuthenticatorAttestationResponse ¶
type AuthenticatorAttestationResponse struct {
	AuthenticatorResponse
	// This attribute contains an attestation object, which is opaque to, and cryptographically protected against
	// tampering by, the client. The attestation object contains both authenticator data and an attestation statement.
	// The former contains the AAGUID, a unique credential ID, and the credential public key. The contents of the
	// attestation statement are determined by the attestation statement format used by the authenticator. It also
	// contains any additional information that the Relying Party's server requires to validate the attestation
	// statement, as well as to decode and validate the authenticator data along with the JSON-serialized client data.
	// For more details, see §6.4 Attestation, §6.4.4 Generating an Attestation Object, and Figure 5.
	AttestationObject []byte `json:"attestationObject"`
}
The AuthenticatorAttestationResponse interface represents the authenticator's response to a client’s request for the creation of a new public key credential. It contains information about the new credential that can be used to identify it for later use, and metadata that can be used by the WebAuthn Relying Party to assess the characteristics of the credential during registration. https://www.w3.org/TR/webauthn/#authenticatorattestationresponse
type AuthenticatorData ¶
type AuthenticatorData struct {
	// SHA-256 hash of the RP ID associated with the credential.
	RPIDHash []byte
	// Flags
	Flags AuthenticatorDataFlags
	// Signature counter, 32-bit unsigned big-endian integer.
	SignCount uint32
	// attested credential data (if present). See §6.4.1 Attested credential data for details. Its length depends on the
	// length of the credential ID and credential public key being attested.
	AttestedCredentialData AttestedCredentialData
	// Raw contains the raw bytes of this AuthenticatorData.
	Raw []byte
}
AuthenticatorData encodes contextual bindings made by the authenticator. These bindings are controlled by the authenticator itself, and derive their trust from the WebAuthn Relying Party's assessment of the security properties of the authenticator. In one extreme case, the authenticator may be embedded in the client, and its bindings may be no more trustworthy than the client data. At the other extreme, the authenticator may be a discrete entity with high-security hardware and software, connected to the client over a secure channel. In both cases, the Relying Party receives the authenticator data in the same format, and uses its knowledge of the authenticator to make trust decisions.
func (AuthenticatorData) IsValid ¶
func (a AuthenticatorData) IsValid(relyingPartyID string) error
IsValid checks whether the AuthenticatorData is valid. If relyingPartyID is empty, the relying party ID hash will not be checked (INSECURE). If the data is invalid, an error is returned, usually of the type Error.
func (*AuthenticatorData) MarshalBinary ¶
func (a *AuthenticatorData) MarshalBinary() ([]byte, error)
MarshalBinary implements the encoding.BinaryMarshaler interface.
func (*AuthenticatorData) UnmarshalBinary ¶
func (a *AuthenticatorData) UnmarshalBinary(authData []byte) error
UnmarshalBinary implements the encoding.BinaryUnmarshaler interface.
type AuthenticatorDataFlags ¶
type AuthenticatorDataFlags byte
AuthenticatorDataFlags are the flags that are present in the authenticator data.
func (AuthenticatorDataFlags) HasAttestedCredentialData ¶
func (f AuthenticatorDataFlags) HasAttestedCredentialData() bool
HasAttestedCredentialData returns whether the AT flag is set.
func (AuthenticatorDataFlags) HasExtensions ¶
func (f AuthenticatorDataFlags) HasExtensions() bool
HasExtensions returns whether the ED flag is set.
func (AuthenticatorDataFlags) UserPresent ¶
func (f AuthenticatorDataFlags) UserPresent() bool
UserPresent returns whether the UP flag is set.
func (AuthenticatorDataFlags) UserVerified ¶
func (f AuthenticatorDataFlags) UserVerified() bool
UserVerified returns whether the UV flag is set.
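The following is an added, self-contained example (not code from the protocol package) that decodes the authenticator data layout described above: the 32-byte RP ID hash, the flags byte with the UP/UV/AT/ED bits listed under AuthenticatorDataFlags, the big-endian 32-bit signature counter, and the attested credential data when AT is set. It also applies the checks that IsValid documents (RP ID hash against SHA-256 of the expected RP ID, user presence). The names Parse, Validate and SampleAuthData and the sample blob are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Flag bits, matching the AuthenticatorDataFlag* constants documented above.
const (
	flagUserPresent  = 0x01 // UP
	flagUserVerified = 0x04 // UV
	flagAttestedCred = 0x40 // AT
	flagExtensions   = 0x80 // ED
)

// AuthData is a minimal stand-in for the package's AuthenticatorData type.
type AuthData struct {
	RPIDHash     []byte
	Flags        byte
	SignCount    uint32
	AAGUID       []byte // present only when AT is set
	CredentialID []byte // present only when AT is set
	COSEKey      []byte // raw CBOR of the credential public key; not decoded here
}

// Parse decodes the fixed 37-byte header and, when the AT flag is set, the
// attested credential data that follows it (AAGUID, credentialIdLength, credentialId, COSE key).
func Parse(raw []byte) (*AuthData, error) {
	if len(raw) < 37 {
		return nil, errors.New("authenticator data shorter than 37 bytes")
	}
	a := &AuthData{
		RPIDHash:  raw[0:32],
		Flags:     raw[32],
		SignCount: binary.BigEndian.Uint32(raw[33:37]),
	}
	rest := raw[37:]
	if a.Flags&flagAttestedCred != 0 {
		if len(rest) < 18 {
			return nil, errors.New("attested credential data truncated")
		}
		a.AAGUID = rest[0:16]
		idLen := int(binary.BigEndian.Uint16(rest[16:18]))
		if len(rest) < 18+idLen {
			return nil, errors.New("credential ID length exceeds remaining data")
		}
		a.CredentialID = rest[18 : 18+idLen]
		// When ED is also set, the extension map follows the key; splitting the two
		// needs a CBOR decoder, so the remainder is kept raw here.
		a.COSEKey = rest[18+idLen:]
		if len(a.COSEKey) == 0 {
			return nil, errors.New("missing credential public key")
		}
	} else if len(rest) != 0 && a.Flags&flagExtensions == 0 {
		return nil, errors.New("trailing bytes without AT or ED flag set")
	}
	return a, nil
}

func (a *AuthData) UserPresent() bool  { return a.Flags&flagUserPresent != 0 }
func (a *AuthData) UserVerified() bool { return a.Flags&flagUserVerified != 0 }

// Validate applies the checks IsValid documents. An empty rpID skips the hash
// comparison, which the package marks INSECURE; callers should always pass it.
func Validate(a *AuthData, rpID string, requireUV bool) error {
	if rpID != "" {
		want := sha256.Sum256([]byte(rpID))
		if !bytes.Equal(a.RPIDHash, want[:]) {
			return fmt.Errorf("rpIdHash does not match SHA-256(%q)", rpID)
		}
	}
	if !a.UserPresent() {
		return errors.New("UP flag not set: no user present")
	}
	if requireUV && !a.UserVerified() {
		return errors.New("UV flag not set but user verification is required")
	}
	return nil
}

// SampleAuthData is a constructed blob for RP ID "example.com" with UP|UV|AT set,
// signature counter 7, a zero AAGUID, a 4-byte credential ID and a placeholder
// COSE key (an empty CBOR map). It is test input, not output of a real authenticator.
func SampleAuthData() []byte {
	h := sha256.Sum256([]byte("example.com"))
	buf := append([]byte{}, h[:]...)
	buf = append(buf, flagUserPresent|flagUserVerified|flagAttestedCred)
	var cnt [4]byte
	binary.BigEndian.PutUint32(cnt[:], 7)
	buf = append(buf, cnt[:]...)
	buf = append(buf, make([]byte, 16)...) // AAGUID
	buf = append(buf, 0x00, 0x04)          // credentialIdLength = 4
	buf = append(buf, 0xde, 0xad, 0xbe, 0xef)
	return append(buf, 0xa0) // COSE key placeholder
}

func main() {
	a, err := Parse(SampleAuthData())
	if err != nil {
		panic(err)
	}
	fmt.Printf("counter=%d UP=%v UV=%v credID=%x\n", a.SignCount, a.UserPresent(), a.UserVerified(), a.CredentialID)
	fmt.Println("validate:", Validate(a, "example.com", true))
}
```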
type AuthenticatorResponse ¶
type AuthenticatorResponse struct {
	// This attribute contains a JSON serialization of the client data passed to the authenticator by the client in
	// its call to either create() or get().
	ClientDataJSON []byte `json:"clientDataJSON"`
}
AuthenticatorResponse is used by authenticators to respond to Relying Party requests. https://www.w3.org/TR/webauthn/#authenticatorresponse
type AuthenticatorSelectionCriteria ¶
type AuthenticatorSelectionCriteria struct {
	// If this member is present, eligible authenticators are filtered to only authenticators attached with the
	// specified §5.4.5 Authenticator Attachment enumeration (enum AuthenticatorAttachment).
	AuthenticatorAttachment AuthenticatorAttachment `json:"authenticatorAttachment,omitempty"`
	// This member describes the Relying Parties' requirements regarding resident credentials. If the parameter is set
	// to true, the authenticator MUST create a client-side-resident public key credential source when creating a
	// public key credential.
	RequireResidentKey bool `json:"requireResidentKey"`
	// This member describes the Relying Party's requirements regarding user verification for the create() operation.
	// Eligible authenticators are filtered to only those capable of satisfying this requirement.
	UserVerification UserVerificationRequirement `json:"userVerification,omitempty"`
}
The AuthenticatorSelectionCriteria may be used by WebAuthn Relying Parties to specify their requirements regarding authenticator attributes. https://www.w3.org/TR/webauthn/#dictdef-authenticatorselectioncriteria
type AuthenticatorTransport ¶
type AuthenticatorTransport string
AuthenticatorTransport represents the transport used by an authenticator. Authenticators may implement various transports for communicating with clients. This enumeration defines hints as to how clients might communicate with a particular authenticator in order to obtain an assertion for a specific credential. Note that these hints represent the WebAuthn Relying Party's best belief as to how an authenticator may be reached. A Relying Party may obtain a list of transport hints from some attestation statement formats or via some out-of-band mechanism; it is outside the scope of this specification to define that mechanism. https://www.w3.org/TR/webauthn/#enumdef-authenticatortransport
type COSEAlgorithmIdentifier ¶
type COSEAlgorithmIdentifier int
A COSEAlgorithmIdentifier's value is a number identifying a cryptographic algorithm. The algorithm identifiers SHOULD be values registered in the IANA COSE Algorithms registry [IANA-COSE-ALGS-REG], for instance, -7 for "ES256" and -257 for "RS256". https://www.w3.org/TR/webauthn/#alg-identifier
const (
	// ES256 is the COSE Algorithm Identifier of ECDSA with SHA-256 (on the P-256 curve)
	ES256 COSEAlgorithmIdentifier = -7
	// RS256 is the COSE Algorithm Identifier of RSASSA-PKCS1-v1_5 with SHA-256
	RS256 COSEAlgorithmIdentifier = -257
)
type Challenge ¶
type Challenge []byte
Challenge represents a challenge. It is defined as a separate type to make it clear that NewChallenge should be used to create it.
func NewChallenge ¶
NewChallenge creates a new cryptographically secure random challenge of ChallengeSize bytes.
type CollectedClientData ¶
type CollectedClientData struct {
	// This member contains the string "webauthn.create" when creating new credentials, and "webauthn.get" when getting
	// an assertion from an existing credential. The purpose of this member is to prevent certain types of signature
	// confusion attacks (where an attacker substitutes one legitimate signature for another).
	Type string `json:"type"`
	// This member contains the base64url encoding of the challenge provided by the RP. See the §13.1 Cryptographic
	// Challenges security consideration.
	Challenge string `json:"challenge"`
	// This member contains the fully qualified origin of the requester, as provided to the authenticator by the client,
	// in the syntax defined by [RFC6454].
	Origin string `json:"origin"`
	// This OPTIONAL member contains information about the state of the Token Binding protocol used when communicating
	// with the Relying Party. Its absence indicates that the client doesn’t support token binding.
	TokenBinding *TokenBinding `json:"tokenBinding,omitempty"`
}
CollectedClientData represents the contextual bindings of both the WebAuthn Relying Party and the client. It is a key-value mapping whose keys are strings. Values can be any type that has a valid encoding in JSON. Its structure is defined by the following Web IDL. https://www.w3.org/TR/webauthn/#client-data
func (CollectedClientData) IsValid ¶
func (c CollectedClientData) IsValid(requiredType string, originalChallenge []byte, relyingPartyOrigin string) error
IsValid checks whether the CollectedClientData is valid. If originalChallenge is nil, the challenge value will not be checked (INSECURE). If relyingPartyOrigin is empty, the relying party origin will not be checked (INSECURE). If the data is invalid, an error is returned, usually of the type Error.
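As an added, self-contained example (not the protocol package's own code), the following performs the CollectedClientData checks described here (type, base64url challenge, origin) with none of the nil/empty escape hatches the package marks INSECURE, and then verifies an ES256 assertion signature over authenticatorData || SHA-256(clientDataJSON), which is the step IsValidAssertion carries out with its cert parameter. The functions ValidateClientData, VerifyAssertionSignature and NewSample are hypothetical; NewSample plays the authenticator side with a freshly generated P-256 key so the example runs offline.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors the CollectedClientData members the checks need.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// ValidateClientData checks ceremony type, challenge and origin. All three are
// mandatory: an absent challenge or origin is an error rather than a skipped check.
func ValidateClientData(clientDataJSON []byte, requiredType string, originalChallenge []byte, rpOrigin string) (*clientData, error) {
	var c clientData
	if err := json.Unmarshal(clientDataJSON, &c); err != nil {
		return nil, fmt.Errorf("clientDataJSON is not valid JSON: %w", err)
	}
	if c.Type != requiredType {
		return nil, fmt.Errorf("type %q, expected %q", c.Type, requiredType)
	}
	got, err := base64.RawURLEncoding.DecodeString(c.Challenge) // unpadded base64url per the spec
	if err != nil {
		return nil, fmt.Errorf("challenge is not base64url: %w", err)
	}
	if len(originalChallenge) == 0 || !bytes.Equal(got, originalChallenge) {
		return nil, errors.New("challenge does not match the one issued for this ceremony")
	}
	if rpOrigin == "" || c.Origin != rpOrigin {
		return nil, fmt.Errorf("origin %q, expected %q", c.Origin, rpOrigin)
	}
	return &c, nil
}

// VerifyAssertionSignature checks the ES256 signature the authenticator produced
// over authenticatorData || SHA-256(clientDataJSON) using the credential public key.
func VerifyAssertionSignature(pub *ecdsa.PublicKey, authData, clientDataJSON, sig []byte) error {
	cdHash := sha256.Sum256(clientDataJSON)
	signed := append(append([]byte{}, authData...), cdHash[:]...)
	digest := sha256.Sum256(signed)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("assertion signature does not verify")
	}
	return nil
}

// Sample is a constructed assertion: the RP's challenge, the client data JSON a
// browser would produce, a minimal authenticator data blob and the signature.
type Sample struct {
	Pub            *ecdsa.PublicKey
	Challenge      []byte
	ClientDataJSON []byte
	AuthData       []byte
	Signature      []byte
}

// NewSample stands in for the authenticator: it generates the credential key pair,
// builds client data for origin https://example.com and signs as an authenticator would.
func NewSample() (*Sample, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	challenge := make([]byte, 32) // ChallengeSize on this page is 32 bytes
	if _, err := rand.Read(challenge); err != nil {
		return nil, err
	}
	cd := clientData{Type: "webauthn.get", Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: "https://example.com"}
	cdJSON, err := json.Marshal(cd)
	if err != nil {
		return nil, err
	}
	rpHash := sha256.Sum256([]byte("example.com"))
	authData := append(append([]byte{}, rpHash[:]...), 0x01, 0, 0, 0, 1) // UP set, counter 1
	cdHash := sha256.Sum256(cdJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Sample{Pub: &priv.PublicKey, Challenge: challenge, ClientDataJSON: cdJSON, AuthData: authData, Signature: sig}, nil
}

func main() {
	s, err := NewSample()
	if err != nil {
		panic(err)
	}
	if _, err := ValidateClientData(s.ClientDataJSON, "webauthn.get", s.Challenge, "https://example.com"); err != nil {
		panic(err)
	}
	if err := VerifyAssertionSignature(s.Pub, s.AuthData, s.ClientDataJSON, s.Signature); err != nil {
		panic(err)
	}
	fmt.Println("assertion accepted")
}
```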
type CredentialCreationOptions ¶
type CredentialCreationOptions struct {
PublicKey PublicKeyCredentialCreationOptions `json:"publicKey"`
}
CredentialCreationOptions contains the options that should be passed to navigator.credentials.create(). https://www.w3.org/TR/webauthn/#credentialcreationoptions-extension
type CredentialRequestOptions ¶
type CredentialRequestOptions struct {
PublicKey PublicKeyCredentialRequestOptions `json:"publicKey"`
}
CredentialRequestOptions contains the options that should be passed to navigator.credentials.get(). https://www.w3.org/TR/webauthn/#credentialrequestoptions-extension
type Error ¶
type Error struct {
	// Name is the name of this error.
	Name string `json:"error"`
	// Description is the description of this error.
	Description string `json:"description"`
	// Hint contains further information about the error.
	Hint string `json:"hint,omitempty"`
	// Code contains the status code that should be returned when this error is returned.
	Code int `json:"status_code,omitempty"`
	// Debug contains debug information about this error that should not be shown to the user.
	Debug string `json:"debug,omitempty"`
	// Cause contains the error that caused this error, if available
	Cause error `json:"-"`
}
Error is a representation of errors returned from this package.
func ToWebAuthnError ¶
ToWebAuthnError converts any error into the *Error type. If that is not possible, it will return an *Error which wraps the error.
func (*Error) WithDebugf ¶
func (e *Error) WithDebugf(debug string, args ...interface{}) *Error
WithDebugf will add or replace the debug information of the error.
type ParsedAssertionResponse ¶
type ParsedAssertionResponse struct {
	ParsedPublicKeyCredential
	// This attribute contains the authenticator's response to the client’s request to generate an authentication assertion.
	Response ParsedAuthenticatorAssertionResponse
	// RawResponse contains the unparsed AssertionResponse.
	RawResponse AssertionResponse
}
ParsedAssertionResponse is a parsed version of AssertionResponse. https://www.w3.org/TR/webauthn/#publickeycredential
func ParseAssertionResponse ¶
func ParseAssertionResponse(p AssertionResponse) (ParsedAssertionResponse, error)
ParseAssertionResponse will parse a raw AssertionResponse as supplied by a client to a ParsedAssertionResponse that may be used by clients to examine data. If the data is invalid, an error is returned, usually of the type Error.
type ParsedAttestationResponse ¶
type ParsedAttestationResponse struct {
	ParsedPublicKeyCredential
	// This attribute contains the authenticator's response to the client’s request to create a public key credential.
	Response ParsedAuthenticatorAttestationResponse
	// RawResponse contains the unparsed AttestationResponse.
	RawResponse AttestationResponse
}
ParsedAttestationResponse is a parsed version of AttestationResponse. https://www.w3.org/TR/webauthn/#publickeycredential
func ParseAttestationResponse ¶
func ParseAttestationResponse(p AttestationResponse) (ParsedAttestationResponse, error)
ParseAttestationResponse will parse a raw AttestationResponse as supplied by a client to a ParsedAttestationResponse that may be used by clients to examine data. If the data is invalid, an error is returned, usually of the type Error.
type ParsedAuthenticatorAssertionResponse ¶
type ParsedAuthenticatorAssertionResponse struct {
	ParsedAuthenticatorResponse
	// This attribute contains the authenticator data returned by the authenticator. See §6.1 Authenticator data.
	AuthData AuthenticatorData
	// This attribute contains the raw signature returned from the authenticator. See §6.3.3 The
	// authenticatorGetAssertion operation.
	Signature []byte
	// This attribute contains the user handle returned from the authenticator, or null if the authenticator did not
	// return a user handle. See §6.3.3 The authenticatorGetAssertion operation.
	UserHandle []byte
}
ParsedAuthenticatorAssertionResponse is a parsed version of AuthenticatorAssertionResponse. https://www.w3.org/TR/webauthn/#authenticatorassertionresponse
type ParsedAuthenticatorAttestationResponse ¶
type ParsedAuthenticatorAttestationResponse struct {
	ParsedAuthenticatorResponse
	// This attribute contains an attestation object, which is opaque to, and cryptographically protected against
	// tampering by, the client. The attestation object contains both authenticator data and an attestation statement.
	// The former contains the AAGUID, a unique credential ID, and the credential public key. The contents of the
	// attestation statement are determined by the attestation statement format used by the authenticator. It also
	// contains any additional information that the Relying Party's server requires to validate the attestation
	// statement, as well as to decode and validate the authenticator data along with the JSON-serialized client data.
	// For more details, see §6.4 Attestation, §6.4.4 Generating an Attestation Object, and Figure 5.
	Attestation Attestation
}
ParsedAuthenticatorAttestationResponse is a parsed version of AuthenticatorAttestationResponse. https://www.w3.org/TR/webauthn/#authenticatorattestationresponse
type ParsedAuthenticatorResponse ¶
type ParsedAuthenticatorResponse struct {
	// This attribute contains the parsed client data passed to the authenticator by the client in its call to either
	// create() or get().
	ClientData CollectedClientData
}
ParsedAuthenticatorResponse is a parsed version of AuthenticatorResponse. https://www.w3.org/TR/webauthn/#authenticatorresponse
type ParsedPublicKeyCredential ¶
type ParsedPublicKeyCredential struct {
	// This attribute is inherited from Credential, though PublicKeyCredential overrides Credential's getter, instead
	// returning the base64url encoding of the data contained in the object’s [[identifier]] internal slot.
	ID string
	// This attribute returns the ArrayBuffer contained in the [[identifier]] internal slot.
	RawID []byte
	// The PublicKeyCredential interface object's [[type]] internal slot's value is the string "public-key".
	Type string
}
ParsedPublicKeyCredential is a parsed version of PublicKeyCredential. https://www.w3.org/TR/webauthn/#publickeycredential
type PublicKeyCredential ¶
type PublicKeyCredential struct {
	// This attribute is inherited from Credential, though PublicKeyCredential overrides Credential's getter, instead
	// returning the base64url encoding of the data contained in the object’s [[identifier]] internal slot.
	ID string `json:"id"`
	// This attribute returns the ArrayBuffer contained in the [[identifier]] internal slot.
	RawID []byte `json:"rawId"`
	// The PublicKeyCredential interface object's [[type]] internal slot's value is the string "public-key".
	Type string `json:"type"`
}
The PublicKeyCredential interface inherits from Credential [CREDENTIAL-MANAGEMENT-1], and contains the attributes that are returned to the caller when a new credential is created, or a new assertion is requested. See AttestationResponse and AssertionResponse. https://www.w3.org/TR/webauthn/#publickeycredential
type PublicKeyCredentialCreationOptions ¶
type PublicKeyCredentialCreationOptions struct {
	// This member contains data about the Relying Party responsible for the request.
	// Its value’s name member is REQUIRED. See §5.4.1 Public Key Entity Description (dictionary
	// PublicKeyCredentialEntity) for further details.
	// Its value’s id member specifies the RP ID with which the credential should be associated. If omitted, its value
	// will be the CredentialsContainer object’s relevant settings object's origin's effective domain. See §5.4.2
	// Relying Party Parameters for Credential Generation (dictionary PublicKeyCredentialRpEntity) for further details.
	RP PublicKeyCredentialRpEntity `json:"rp"`
	// This member contains data about the user account for which the Relying Party is requesting attestation.
	// Its value’s name, displayName and id members are REQUIRED. See §5.4.1 Public Key Entity Description
	// (dictionary PublicKeyCredentialEntity) and §5.4.3 User Account Parameters for Credential Generation
	// (dictionary PublicKeyCredentialUserEntity) for further details.
	User PublicKeyCredentialUserEntity `json:"user"`
	// This member contains a challenge intended to be used for generating the newly created credential’s attestation
	// object. See the §13.1 Cryptographic Challenges security consideration.
	Challenge Challenge `json:"challenge"`
	// This member contains information about the desired properties of the credential to be created. The sequence is
	// ordered from most preferred to least preferred. The client makes a best-effort to create the most preferred
	// credential that it can.
	PubKeyCredParams []PublicKeyCredentialParameters `json:"pubKeyCredParams,omitempty"`
	// This member specifies a time, in milliseconds, that the caller is willing to wait for the call to complete.
	// This is treated as a hint, and MAY be overridden by the client.
	Timeout uint `json:"timeout,omitempty"`
	// This member is intended for use by Relying Parties that wish to limit the creation of multiple credentials for
	// the same account on a single authenticator. The client is requested to return an error if the new credential
	// would be created on an authenticator that also contains one of the credentials enumerated in this parameter.
	ExcludeCredentials []PublicKeyCredentialDescriptor `json:"excludeCredentials,omitempty"`
	// This member is intended for use by Relying Parties that wish to select the appropriate authenticators to
	// participate in the create() operation.
	AuthenticatorSelection AuthenticatorSelectionCriteria `json:"authenticatorSelection,omitempty"`
	// This member is intended for use by Relying Parties that wish to express their preference for attestation
	// conveyance. The default is none.
	Attestation AttestationConveyancePreference `json:"attestation,omitempty"`
	// This member contains additional parameters requesting additional processing by the client and authenticator. For
	// example, the caller may request that only authenticators with certain capabilities be used to create the
	// credential, or that particular information be returned in the attestation object. Some extensions are defined in
	// §9 WebAuthn Extensions; consult the IANA "WebAuthn Extension Identifier" registry established by
	// [WebAuthn-Registries] for an up-to-date list of registered WebAuthn Extensions.
	Extensions AuthenticationExtensionsClientInputs `json:"extensions,omitempty"`
}
The PublicKeyCredentialCreationOptions dictionary supplies create() with the data it needs to generate an attestation. https://www.w3.org/TR/webauthn/#dictdef-publickeycredentialcreationoptions
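As an added example (not part of this package), the following shows how a Relying Party would generate the challenge and check the REQUIRED members before sending creation options to a client. It uses local stand-in types rather than the protocol package's own, and the minimum challenge length follows the §13.1 guidance the struct comments reference.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
)

// Local stand-ins for the page's PublicKeyCredentialCreationOptions members
// (assumption: this example does not import the protocol package itself).
type rpEntity struct{ Name, ID string }
// ID is the user handle; per the page, authorization decisions key on it, not on the names.
type userEntity struct{ Name, DisplayName string; ID []byte }

// Alg is a COSEAlgorithmIdentifier, e.g. -7 for ES256.
type credParams struct{ Type string; Alg int }

type creationOptions struct {
	RP               rpEntity
	User             userEntity
	Challenge        []byte
	PubKeyCredParams []credParams
}

const minChallengeLen = 16 // §13.1 Cryptographic Challenges: at least 16 random bytes

// newChallenge draws 32 random bytes from crypto/rand; the RP keeps them as originalChallenge for IsValidAttestation.
func newChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// validateCreationOptions enforces the REQUIRED members and challenge length before the options go to the client.
func validateCreationOptions(o *creationOptions) error {
	switch {
	case o.RP.Name == "":
		return errors.New("rp.name is required")
	case o.User.Name == "" || o.User.DisplayName == "" || len(o.User.ID) == 0:
		return errors.New("user.name, user.displayName and user.id are required")
	case len(o.Challenge) < minChallengeLen:
		return fmt.Errorf("challenge must be at least %d bytes, got %d", minChallengeLen, len(o.Challenge))
	case len(o.PubKeyCredParams) == 0:
		return errors.New("pubKeyCredParams must list at least one algorithm")
	}
	return nil
}
```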
type PublicKeyCredentialDescriptor ¶
type PublicKeyCredentialDescriptor struct {
	// This member contains the type of the public key credential the caller is referring to.
	Type PublicKeyCredentialType `json:"type"`
	// This member contains the credential ID of the public key credential the caller is referring to.
	ID []byte `json:"id"`
	// This OPTIONAL member contains a hint as to how the client might communicate with the managing authenticator of
	// the public key credential the caller is referring to.
	Transport []AuthenticatorTransport `json:"transports,omitempty"`
}
PublicKeyCredentialDescriptor contains the attributes that are specified by a caller when referring to a public key credential as an input parameter to the create() or get() methods. It mirrors the fields of the PublicKeyCredential object returned by the latter methods. https://www.w3.org/TR/webauthn/#credential-dictionary
type PublicKeyCredentialEntity ¶
type PublicKeyCredentialEntity struct {
	// A human-palatable name for the entity. Its function depends on what the PublicKeyCredentialEntity represents.
	Name string `json:"name"`
}
The PublicKeyCredentialEntity dictionary describes a user account, or a WebAuthn Relying Party, with which a public key credential is associated. https://www.w3.org/TR/webauthn/#dictdef-publickeycredentialentity
type PublicKeyCredentialParameters ¶
type PublicKeyCredentialParameters struct {
	// This member specifies the type of credential to be created.
	Type PublicKeyCredentialType `json:"type"`
	// This member specifies the cryptographic signature algorithm with which the newly generated credential will be
	// used, and thus also the type of asymmetric key pair to be generated, e.g., RSA or Elliptic Curve.
	Algorithm COSEAlgorithmIdentifier `json:"alg"`
}
PublicKeyCredentialParameters is used to supply additional parameters when creating a new credential. https://www.w3.org/TR/webauthn/#dictdef-publickeycredentialparameters
type PublicKeyCredentialRequestOptions ¶
type PublicKeyCredentialRequestOptions struct {
	// This member represents a challenge that the selected authenticator signs, along with other data, when producing
	// an authentication assertion. See the §13.1 Cryptographic Challenges security consideration.
	Challenge Challenge `json:"challenge"`
	// This OPTIONAL member specifies a time, in milliseconds, that the caller is willing to wait for the call to
	// complete. The value is treated as a hint, and MAY be overridden by the client.
	Timeout uint `json:"timeout,omitempty"`
	// This OPTIONAL member specifies the relying party identifier claimed by the caller. If omitted, its value will be
	// the CredentialsContainer object’s relevant settings object's origin's effective domain.
	RPID string `json:"rpId,omitempty"`
	// This OPTIONAL member contains a list of PublicKeyCredentialDescriptor objects representing public key credentials
	// acceptable to the caller, in descending order of the caller’s preference (the first item in the list is the most
	// preferred credential, and so on down the list).
	AllowCredentials []PublicKeyCredentialDescriptor `json:"allowCredentials,omitempty"`
	// This member describes the Relying Party's requirements regarding user verification for the get() operation.
	// Eligible authenticators are filtered to only those capable of satisfying this requirement.
	UserVerification UserVerificationRequirement `json:"userVerification,omitempty"`
	// This OPTIONAL member contains additional parameters requesting additional processing by the client and
	// authenticator. For example, if transaction confirmation is sought from the user, then the prompt string might
	// be included as an extension.
	Extensions AuthenticationExtensionsClientInputs `json:"extensions,omitempty"`
}
The PublicKeyCredentialRequestOptions dictionary supplies get() with the data it needs to generate an assertion. Its challenge member MUST be present, while its other members are OPTIONAL. https://www.w3.org/TR/webauthn/#dictdef-publickeycredentialrequestoptions
type PublicKeyCredentialRpEntity ¶
type PublicKeyCredentialRpEntity struct {
	PublicKeyCredentialEntity
	// A unique identifier for the Relying Party entity, which sets the RP ID.
	ID string `json:"id,omitempty"`
}
The PublicKeyCredentialRpEntity dictionary is used to supply additional Relying Party attributes when creating a new credential. https://www.w3.org/TR/webauthn/#dictdef-publickeycredentialrpentity
type PublicKeyCredentialType ¶
type PublicKeyCredentialType string
PublicKeyCredentialType defines the valid credential types. It is an extension point; values can be added to it in the future, as more credential types are defined. The values of this enumeration are used for versioning the Authentication Assertion and attestation structures according to the type of the authenticator. Currently one credential type is defined, namely "public-key". https://www.w3.org/TR/webauthn/#enumdef-publickeycredentialtype
const (
	// PublicKeyCredentialTypePublicKey is the only credential type defined, namely "public-key".
	PublicKeyCredentialTypePublicKey PublicKeyCredentialType = "public-key"
)
type PublicKeyCredentialUserEntity ¶
type PublicKeyCredentialUserEntity struct {
	PublicKeyCredentialEntity
	// The user handle of the user account entity. To ensure secure operation, authentication and authorization
	// decisions MUST be made on the basis of this id member, not the displayName nor name members. See
	// Section 6.1 of [RFC8266].
	ID []byte `json:"id"`
	// A human-palatable name for the user account, intended only for display. For example, "Alex P. Müller" or
	// "田中 倫". The Relying Party SHOULD let the user choose this, and SHOULD NOT restrict the choice more than
	// necessary.
	DisplayName string `json:"displayName"`
}
The PublicKeyCredentialUserEntity dictionary is used to supply additional user account attributes when creating a new credential. https://www.w3.org/TR/webauthn/#dictdef-publickeycredentialuserentity
type TokenBinding ¶
type TokenBinding struct {
	// This member is one of the TokenBindingStatus values.
	Status TokenBindingStatus `json:"status,omitempty"`
	// This member MUST be present if status is present, and MUST be a base64url encoding of the Token Binding ID that
	// was used when communicating with the Relying Party.
	ID string `json:"id,omitempty"`
}
TokenBinding represents the token binding. https://www.w3.org/TR/webauthn/#dictdef-tokenbinding
type TokenBindingStatus ¶
type TokenBindingStatus string
TokenBindingStatus represents the status of a TokenBinding. https://www.w3.org/TR/webauthn/#enumdef-tokenbindingstatus
const (
	// TokenBindingStatusPresent indicates token binding was used when communicating with the Relying Party. In this
	// case, the id member MUST be present.
	TokenBindingStatusPresent TokenBindingStatus = "present"
	// TokenBindingStatusSupported indicates the client supports token binding, but it was not negotiated when
	// communicating with the Relying Party.
	TokenBindingStatusSupported TokenBindingStatus = "supported"
)
type UserVerificationRequirement ¶
type UserVerificationRequirement string
UserVerificationRequirement may be used by a WebAuthn Relying Party to require user verification for some of its operations but not for others. https://www.w3.org/TR/webauthn/#enumdef-userverificationrequirement