Webauthn Framework
Search…
v4.0
Webauthn In A Nutshell
Symfony Bundle
Migration
Authenticate Your Users
During this step, your application will send a challenge to the list of registered devices of the user. The security token will resolve this challenge by adding information and digitally signing the data.
Assertion Request
To perform a user authentication using a security device, you need to instantiate a
Webauthn\PublicKeyCredentialRequestOptions object.Let’s say you want to authenticate the user we used earlier. This options object will need:
- A challenge (random binary string)
- The list with the allowed credentials (may be an option in certain circumstances)
Optionally, you can customize the following parameters:
- A timeout
- The Relying Party ID i.e. your application domain
- The user verification requirement
- Extensions
The
PublicKeyCredentialRequestOptions object is designed to be easily serialized into a JSON object. This will ease the integration into an HTML page or through an API endpoint.The timeout default value is set to
null. If you want to set a value, pleaase read the following recommended behavior showed in the specification:- If the user verification is
discouraged, timeout should be between 30 and 180 seconds - If the user verification is
preferredorrequired, the range is 300 to 600 seconds (5 to 10 minutes)
Allowed Credentials
The user trying to authenticate must have registered at least one device. For this user, you have to get all
Webauthn\PublicKeyCredentialDescriptor associated to his account.1
// We gather all registered authenticators for this user
2
$registeredAuthenticators = $publicKeyCredentialSourceRepository->findAllForUserEntity($userEntity);
3
4
// We don’t need the Credential Sources, just the associated Descriptors
5
$allowedCredentials = array_map(
6
static function (PublicKeyCredentialSource $credential): PublicKeyCredentialDescriptor {
7
return $credential->getPublicKeyCredentialDescriptor();
8
},
9
$registeredAuthenticators
10
);
Copied!
For usernameless authentication, please read the dedicated page. In this case no Public Key Credential Descriptors should be passed to the the options.
Example
1
<?php
2
3
declare(strict_types=1);
4
5
use Webauthn\PublicKeyCredentialDescriptor;
6
use Webauthn\PublicKeyCredentialRequestOptions;
7
use Webauthn\PublicKeyCredentialSource;
8
9
// List of registered PublicKeyCredentialDescriptor classes associated to the user
10
$registeredAuthenticators = $publicKeyCredentialSourceRepository->findAllForUserEntity($userEntity);
11
$allowedCredentials = array_map(
12
static function (PublicKeyCredentialSource $credential): PublicKeyCredentialDescriptor {
13
return $credential->getPublicKeyCredentialDescriptor();
14
},
15
$registeredAuthenticators
16
);
17
18
// Public Key Credential Request Options
19
$publicKeyCredentialRequestOptions =
20
PublicKeyCredentialRequestOptions::create(
21
random_bytes(32) // Challenge
22
)
23
->allowCredentials(...$allowedCredentials)
24
;
Copied!
User Verification
Eligible authenticators are filtered and only capable of satisfying this requirement will interact with the user. Please refer to the User Verification page for all possible values.
1
<?php
2
3
declare(strict_types=1);
4
5
use Webauthn\PublicKeyCredentialDescriptor;
6
use Webauthn\PublicKeyCredentialRequestOptions;
7
use Webauthn\PublicKeyCredentialSource;
8
9
// List of registered PublicKeyCredentialDescriptor classes associated to the user
10
$registeredAuthenticators = $publicKeyCredentialSourceRepository->findAllForUserEntity($userEntity);
11
$allowedCredentials = array_map(
12
static function (PublicKeyCredentialSource $credential): PublicKeyCredentialDescriptor {
13
return $credential->getPublicKeyCredentialDescriptor();
14
},
15
$registeredAuthenticators
16
);
17
18
// Public Key Credential Request Options
19
$publicKeyCredentialRequestOptions =
20
PublicKeyCredentialRequestOptions::create(
21
random_bytes(32) // Challenge
22
)
23
->setUserVerification(
24
PublicKeyCredentialRequestOptions::USER_VERIFICATION_REQUIREMENT_REQUIRED
25
)
26
;
Copied!
Extensions
1
<?php
2
3
declare(strict_types=1);
4
5
use Webauthn\PublicKeyCredentialRequestOptions;
6
7
// List of registered PublicKeyCredentialDescriptor classes associated to the user
8
$registeredAuthenticators = $publicKeyCredentialSourceRepository->findAllForUserEntity($userEntity);
9
$allowedCredentials = array_map(
10
static function (PublicKeyCredentialSource $credential): PublicKeyCredentialDescriptor {
11
return $credential->getPublicKeyCredentialDescriptor();
12
},
13
$registeredAuthenticators
14
);
15
16
// Public Key Credential Request Options
17
$publicKeyCredentialRequestOptions =
18
PublicKeyCredentialRequestOptions::create(
19
random_bytes(32) // Challenge
20
)
21
->addExtension(
22
AuthenticationExtension::create('loc', true),
23
AuthenticationExtension::create('txAuthSimple', 'Please log in with a registered authenticator'),
24
)
25
;
Copied!
Response Handling
The way you receive this response is out of scope of this library. In the previous example, the data is part of the query string, but it can be done through a POST request body or a request header.
What you receive must be a JSON object that looks like as follows:
1
{
2
"id":"KVb8CnwDjpgAo[…]op61BTLaa0tczXvz4JrQ23usxVHA8QJZi3L9GZLsAtkcVvWObA",
3
"type":"public-key",
4
"rawId":"KVb8CnwDjpgAo[…]rQ23usxVHA8QJZi3L9GZLsAtkcVvWObA==",
5
"response":{
6
"clientDataJSON":"eyJjaGFsbGVuZ2UiOiJQbk1hVjBVTS[…]1iUkdHLUc4Y3BDSdGUifQ==",
7
"authenticatorData":"Y0EWbxTqi9hWTO[…]4aust69iUIzlwBfwABDw==",
8
"signature":"MEQCIHpmdruQLs[…]5uwbtlPNOFM2oTusx2eg==",
9
"userHandle":""
10
}
11
}
Copied!
There are two steps to perform with this object:
- Load the data
- Verify the loaded data against the assertion options set above
Data Loading
1
<?php
2
3
declare(strict_types=1);
4
5
$data = '
6
{
7
"id":"KVb8CnwDjpgAo[…]op61BTLaa0tczXvz4JrQ23usxVHA8QJZi3L9GZLsAtkcVvWObA",
8
"type":"public-key",
9
"rawId":"KVb8CnwDjpgAo[…]rQ23usxVHA8QJZi3L9GZLsAtkcVvWObA==",
10
"response":{
11
"clientDataJSON":"eyJjaGFsbGVuZ2UiOiJQbk1hVjBVTS[…]1iUkdHLUc4Y3BDSdGUifQ==",
12
"attestationObject":"o2NmbXRmcGFja2VkZ2F0dFN0bXSj[…]YcGhf"
13
}
14
}';
15
16
$publicKeyCredential = $publicKeyCredentialLoader->load($data);
Copied!
Response Verification
Now we have a fully loaded Public Key Credential object, but we need now to make sure that:
- 1.The authenticator response is of type
AuthenticatorAssertionResponse - 2.This response is valid.
The first is easy to perform:
1
<?php
2
3
declare(strict_types=1);
4
5
use Webauthn\AuthenticatorAssertionResponse;
6
7
$authenticatorAssertionResponse = $publicKeyCredential->getResponse();
8
if (!$authenticatorAssertionResponse instanceof AuthenticatorAssertionResponse) {
9
//e.g. process here with a redirection to the public key login/MFA page.
10
}
Copied!
The second step is the verification against the Public Key Assertion Options we created earlier.
The Authenticator Assertion Response Validator service (variable
$authenticatorAssertionResponseValidator) will check everything for you.1
<?php
2
3
declare(strict_types=1);
4
5
use Symfony\Component\HttpFoundation\Request;
6
7
$request = Request::createFromGlobals();
8
9
$publicKeyCredentialSource = $authenticatorAssertionResponseValidator->check(
10
$publicKeyCredential->getRawId(),
11
$authenticatorAssertionResponse,
12
$publicKeyCredentialRequestOptions,
13
$request,
14
$userHandle
15
);
Copied!
If no exception is thrown, the response is valid and you can continue the authentication of the user.
The Public Key Credential Source returned allows you to know which device was used by the user.
Last modified 13d ago
Export as PDF
Copy link
Edit on GitHub