de.adesso.softauthn.authenticator

Class WebAuthnAuthenticator

java.lang.Object

de.adesso.softauthn.authenticator.WebAuthnAuthenticator

All Implemented Interfaces:

Authenticator

public class WebAuthnAuthenticator
extends java.lang.Object
implements Authenticator

An implementation of Authenticator that attempts to cover most of the WebAuthn specification for authenticators.

The idea behind this implementation is that it can represent many kinds of authenticators by behaving in ways that depend on the configuration of the specific instance.
I.e., you can configure what capabilities should be emulated by instances of this implementation. One instance could support resident keys and user verification while another could not, for example.

See Also:

builder(), Authenticators

Constructor Summary

Constructors

Modifier

Constructor and Description

protected

WebAuthnAuthenticator(byte[] aaguid, com.yubico.webauthn.data.AuthenticatorAttachment attachment, java.util.Collection<com.yubico.webauthn.data.COSEAlgorithmIdentifier> supportedAlgorithms, boolean supportsClientSideDiscoverablePublicKeyCredentialSources, boolean supportsUserVerification, SignatureCounter signatureCounter, java.util.function.Function<? super java.util.Set<PublicKeyCredentialSource>,PublicKeyCredentialSource> credentialSelection)

Method Summary

Modifier and Type	Method and Description
static WebAuthnAuthenticatorBuilder	builder() Creates a new builder that can be used to configure instances of this class.
AuthenticatorAssertionData	getAssertion(java.lang.String rpId, byte[] hash, java.util.List<com.yubico.webauthn.data.PublicKeyCredentialDescriptor> allowedCredentialDescriptorList, boolean requireUserVerification, byte[] extensions) Method that will be called by a client platform to create an assertion for an existing credential.
com.yubico.webauthn.data.AuthenticatorAttachment	getAttachment() Returns this authenticator's attachment.
com.upokecenter.cbor.CBORObject	makeCredential(byte[] hash, com.yubico.webauthn.data.RelyingPartyIdentity rpEntity, com.yubico.webauthn.data.UserIdentity userEntity, boolean requireResidentKey, boolean requireUserVerification, java.util.List<com.yubico.webauthn.data.PublicKeyCredentialParameters> credTypesAndPubKeyAlgs, java.util.Set<com.yubico.webauthn.data.PublicKeyCredentialDescriptor> excludeCredentials, boolean enterpriseAttestationPossible, byte[] extensions) Method that will be called by a client platform to create a new credential on this authenticator.
boolean	supportsClientSideDiscoverablePublicKeyCredentialSources() Returns whether this authenticator supports the creation of client-side discoverable credentials, also known as resident keys.
boolean	supportsUserVerification() Returns whether this authenticator can perform user verification.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

WebAuthnAuthenticator

protected WebAuthnAuthenticator(byte[] aaguid,
                                com.yubico.webauthn.data.AuthenticatorAttachment attachment,
                                java.util.Collection<com.yubico.webauthn.data.COSEAlgorithmIdentifier> supportedAlgorithms,
                                boolean supportsClientSideDiscoverablePublicKeyCredentialSources,
                                boolean supportsUserVerification,
                                SignatureCounter signatureCounter,
                                java.util.function.Function<? super java.util.Set<PublicKeyCredentialSource>,PublicKeyCredentialSource> credentialSelection)

Method Detail

builder

public static WebAuthnAuthenticatorBuilder builder()

Creates a new builder that can be used to configure instances of this class.

Returns:

a new WebAuthnAuthenticatorBuilder object.

makeCredential

public com.upokecenter.cbor.CBORObject makeCredential(byte[] hash,
                                                      com.yubico.webauthn.data.RelyingPartyIdentity rpEntity,
                                                      com.yubico.webauthn.data.UserIdentity userEntity,
                                                      boolean requireResidentKey,
                                                      boolean requireUserVerification,
                                                      java.util.List<com.yubico.webauthn.data.PublicKeyCredentialParameters> credTypesAndPubKeyAlgs,
                                                      java.util.Set<com.yubico.webauthn.data.PublicKeyCredentialDescriptor> excludeCredentials,
                                                      boolean enterpriseAttestationPossible,
                                                      byte[] extensions)

Description copied from interface: Authenticator

Method that will be called by a client platform to create a new credential on this authenticator.

Specified by:

makeCredential in interface Authenticator

Parameters:

hash - The hash of the serialized client data, provided by the client.

rpEntity - The Relying Party entity

userEntity - The user account's entity, containing the user handle given by the Relying Party.

requireResidentKey - The effective resident key requirement for credential creation, a Boolean value determined by the client.

requireUserVerification - The effective user verification requirement for credential creation, a Boolean value determined by the client.

credTypesAndPubKeyAlgs - A sequence of credential types and algorithms requested by the Relying Party. This sequence is ordered from most preferred to least preferred. The authenticator makes a best-effort to create the most preferred credential that it can.

excludeCredentials - A nullable list of PublicKeyCredentialDescriptor objects provided by the Relying Party with the intention that, if any of these are known to the authenticator, it SHOULD NOT create a new credential. excludeCredentials contains a list of known credentials.

enterpriseAttestationPossible - A Boolean value that indicates that individually-identifying attestation MAY be returned by the authenticator.

extensions - A CBOR map from extension identifiers to their authenticator extension inputs, created by the client based on the extensions requested by the Relying Party, if any.

Returns:

An Attestation object created by the authenticator for the request.

See Also:

The authenticatorMakeCredential Operation

getAssertion

public AuthenticatorAssertionData getAssertion(java.lang.String rpId,
                                               byte[] hash,
                                               java.util.List<com.yubico.webauthn.data.PublicKeyCredentialDescriptor> allowedCredentialDescriptorList,
                                               boolean requireUserVerification,
                                               byte[] extensions)

Description copied from interface: Authenticator

Method that will be called by a client platform to create an assertion for an existing credential.

Specified by:

getAssertion in interface Authenticator

Parameters:

rpId - The caller’s RP ID, as determined by the user agent and the client.

hash - The hash of the serialized client data, provided by the client.

allowedCredentialDescriptorList - A nullable list of PublicKeyCredentialDescriptors describing credentials acceptable to the Relying Party (possibly filtered by the client), if any.

requireUserVerification - The effective user verification requirement for assertion, a Boolean value provided by the client.

extensions - A CBOR map from extension identifiers to their authenticator extension inputs, created by the client based on the extensions requested by the Relying Party, if any.

Returns:

The result data of the assertion.

See Also:

The authenticatorGetAssertion Operation

getAttachment

public com.yubico.webauthn.data.AuthenticatorAttachment getAttachment()

Description copied from interface: Authenticator

Returns this authenticator's attachment.

Specified by:

getAttachment in interface Authenticator

Returns:

the attachment.

supportsClientSideDiscoverablePublicKeyCredentialSources

public boolean supportsClientSideDiscoverablePublicKeyCredentialSources()

Description copied from interface: Authenticator

Returns whether this authenticator supports the creation of client-side discoverable credentials, also known as resident keys.

Specified by:

supportsClientSideDiscoverablePublicKeyCredentialSources in interface Authenticator

Returns:

Whether this authenticator can store credentials itself.

See Also:

Credential Storage Modality

supportsUserVerification

public boolean supportsUserVerification()

Description copied from interface: Authenticator

Returns whether this authenticator can perform user verification.

Specified by:

supportsUserVerification in interface Authenticator

Returns:

Whether user verification is supported.

See Also:

Authentication Factor Capability