Register Additional Authenticators
In some circumstances, you may need to register a new authenticator for a user e.g. when adding a new authenticator or when an administrator acts as another user to replace a lost device.
It is possible to perform this ceremony programmatically.
You can attach several authenticators to a user account. It is recommended in case of lost devices or if the user gets access on your application using multiple platforms (smartphone, laptop…).

The Easy Way

The procedure is the same as the one described in this page, except that you don’t have to save the user entity again.

The Hard Way

The procedure is the same as the one described in this page.

The Symfony Way

The following procedure is only available with the version 3.3.0+ of the bundle.
With a Symfony application, the fastest way for a user to register additional authenticators is to use the “controller” feature.
To add a new authenticator to a user, the bundle needs to know to whom it should be added. This can be:
    The current user itself e.g. from its own account
    An administrator acting for another user from a dashboard
For that purpose, a User Entity Guesser service should be created. This servuce shall implement the interface Webauthn\Bundle\Security\Guesser\UserEntityGuesser and its unique method findUserEntity. In the example herafter, the current user is used as User Entity.
1
<?php
2
3
declare(strict_types=1);
4
5
namespace App\Service;
6
7
use Assert\Assertion;
8
use Symfony\Component\HttpFoundation\Request;
9
use Symfony\Component\Security\Core\Security;
10
use Webauthn\Bundle\Security\Guesser\UserEntityGuesser;
11
use Webauthn\PublicKeyCredentialUserEntity;
12
13
final class CurrentUserEntityGuesser implements UserEntityGuesser
14
{
15
/**
16
* @var Security
17
*/
18
private $security;
19
20
public function __construct(Security $security)
21
{
22
$this->security = $security;
23
}
24
25
public function findUserEntity(Request $request): PublicKeyCredentialUserEntity
26
{
27
$user = $this->security->getUser();
28
Assertion::isInstanceOf($user, PublicKeyCredentialUserEntity::class, 'Unable to find the user entity');
29
30
return $user;
31
}
32
}
Copied!
In the case the current user is an administrator, the user entity can be determined using query parameters e.g. using routes like /admin/add-authenticator/for/{USER_ID}.
The user is retrieved using the associated repository and the given ID.
Now you just have to enable the feature and set the routes to your options and response controllers.
1
webauthn:
2
controllers:
3
enabled: true # We enable the feature
4
creation:
5
from_user_account: # Unique name of our endpoints
6
options_path: '/profile/security/devices/add/options' # Path to the creation options controller
7
result_path: '/profile/security/devices/add' # Path to the response controller
8
user_entity_guesser: App\Service\CurrentUserEntityGuesser # See above
9
from_admin_dashboard: # Unique name of our endpoints
10
options_path: '/admin/security/user/{USER_ID}/devices/add/options' # Path to the creation options controller
11
result_path: '/admin/security/user/{USER_ID}/devices/add' # Path to the response controller
12
user_entity_guesser: App\Service\AdminGuesser # Fictive service
Copied!
As the user shall be authenticated to register a new authenticator, you should protect these routes in the security.yaml file.
config/packages/security.yaml
1
security:
2
access_control:
3
- { path: ^/profile, roles: IS_AUTHENTICATED_FULLY } # We protect all the /profile path
4
- { path: ^/admin, roles: ROLE_ADMIN }
Copied!
Now you can send requests to these new endpoints. For example, if you are using the Javascript library, the calls will look like as follow:
1
// Import the registration hook
2
import {useRegistration} from 'webauthn-helper';
3
4
// Create your register function.
5
// By default the urls are "/register" and "/register/options"
6
// but you can change those urls if needed.
7
const register = useRegistration({
8
actionUrl: '/profile/security/devices/add',
9
optionsUrl: '/profile/security/devices/add/options'
10
});
11
12
13
// We can call this register function whenever we need
14
// No "username" or "displayName" parameters are needed
15
// as the user entity is guessed by the dedicated service
16
register({})
17
.then((response) => console.log('Registration success'))
18
.catch((error) => console.log('Registration failure'))
19
;
Copied!

Creation Profile

The default creation profile is used. You can change it using the dedicated option.
1
webauthn:
2
controllers:
3
enabled: true
4
creation:
5
from_user_account:
6
7
profile: custom_profile
Copied!

Response Handlers

You can customize the responses returned by the controllers by using custom handlers. This could be useful when you want to return additional information to your application.
There are 3 types of responses and handlers:
    Creation options,
    Success,
    Failure.

Creation Options Handler

This handler is called during the registration of a authenticator and has to implement the interface Webauthn\Bundle\Security\Handler\CreationOptionsHandler.
1
webauthn:
2
controllers:
3
enabled: true
4
creation:
5
from_user_account:
6
7
options_handler:# Your handler here
Copied!

Success Handler

This handler is called when a client sends a valid assertion from the authenticator. This handler shall implement the interface Webauthn\Bundle\Security\Handler\SuccessHandler. The default handler is Webauthn\Bundle\Service\DefaultSuccessHandler.
1
webauthn:
2
controllers:
3
enabled: true
4
creation:
5
from_user_account:
6
7
success_handler:# Your handler here
Copied!

Failure Handler

This handler is called when an error occurred during the process. This handler shall implement the interface Webauthn\Bundle\Security\Handler\SuccessHandler. The default handler is Webauthn\Bundle\Service\DefaultFailureHandler.
1
webauthn:
2
controllers:
3
enabled: true
4
creation:
5
from_user_account:
6
7
failure_handler:# Your handler here
Copied!
Last modified 1d ago