You will need the following components before loading or verifying the data:
An Attestation Statement Support Manager and at least one Attestation Statement Support object
An Attestation Object Loader
A Public Key Credential Loader
An Authenticator Attestation Response Validator
An Extension Output Checker Handler
That’s a lot of classes! But don’t worry: their configuration is the same across your whole application, so you only have to set them up once. Let’s go through all of them in the next sections.
The Public Key Credential Source Repository must implement Webauthn\PublicKeyCredentialSourceRepository. It retrieves credential sources and updates them when needed (for example the signature counter after each successful assertion).
You can implement the required methods the way you want: Doctrine ORM, file storage… as mentioned on the dedicated page.
The token binding handler is a service that will verify if the token binding set in the device response corresponds to the one set in the request.
Please refer to the dedicated page.
Every creation response contains an Attestation Statement. This attestation carries data about the authenticator that depends on several factors such as its manufacturer and model, what you asked for in the options, the capabilities of the browser, and what the user allowed.
The attestation types you may receive are:
none: no attestation is provided.
fido-u2f: for non-FIDO2 compatible devices (old U2F security tokens).
packed: generally used by authenticators with limited resources (e.g., secure elements). It uses a very compact but still extensible encoding method.
android key: commonly used by old or disconnected Android devices.
android safety net: for new Android devices like smartphones.
trusted platform module: for devices with built-in security chips.
```php
<?php
declare(strict_types=1);

use Webauthn\AttestationStatement\AttestationStatementSupportManager;
use Webauthn\AttestationStatement\NoneAttestationStatementSupport;

// The manager will receive data to load and select the appropriate
// Attestation Statement Support among those registered below
$attestationStatementSupportManager = new AttestationStatementSupportManager();

// The none type
$attestationStatementSupportManager->add(new NoneAttestationStatementSupport());
```
This object will load the Attestation statements received from the devices. It will need the Attestation Statement Support Manager created above.
```php
<?php
declare(strict_types=1);

use Webauthn\AttestationStatement\AttestationObjectLoader;

$attestationObjectLoader = new AttestationObjectLoader($attestationStatementSupportManager);
```
This object will load the Public Key Credential from the Attestation Object. It needs the Attestation Object Loader created above.
```php
<?php
declare(strict_types=1);

use Webauthn\PublicKeyCredentialLoader;

$publicKeyCredentialLoader = new PublicKeyCredentialLoader($attestationObjectLoader);
```
If you use extensions, you may need to check the values returned by the security devices. This behaviour is handled by an Extension Output Checker Handler.
```php
<?php
declare(strict_types=1);

use Webauthn\AuthenticationExtensions\ExtensionOutputCheckerHandler;

$extensionOutputCheckerHandler = new ExtensionOutputCheckerHandler();
```
You can add as many extension checkers as you want. Each extension checker must implement Webauthn\AuthenticationExtensions\ExtensionOutputChecker and throw a Webauthn\AuthenticationExtensions\ExtensionOutputError in case of an error.
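As an added example (not part of the original page or of the library's own code), here is a hypothetical checker that rejects any extension output the relying party never requested, which keeps unsolicited authenticator data out of the registration or authentication result. It assumes the interface signature check(AuthenticationExtensionsClientInputs, AuthenticationExtensionsClientOutputs): void, that both collections are iterable with has() and that each AuthenticationExtension exposes name() and value().

```php
<?php
declare(strict_types=1);

use Webauthn\AuthenticationExtensions\AuthenticationExtension;
use Webauthn\AuthenticationExtensions\AuthenticationExtensionsClientInputs;
use Webauthn\AuthenticationExtensions\AuthenticationExtensionsClientOutputs;
use Webauthn\AuthenticationExtensions\ExtensionOutputChecker;
use Webauthn\AuthenticationExtensions\ExtensionOutputCheckerHandler;
use Webauthn\AuthenticationExtensions\ExtensionOutputError;

/**
 * Hypothetical checker (assumed interface, see lead-in): every extension output
 * must correspond to an extension that was present in the request inputs, and
 * the credProps output, when present, must be a map as the client returns it.
 */
final class RequestedOnlyExtensionChecker implements ExtensionOutputChecker
{
    public function check(
        AuthenticationExtensionsClientInputs $inputs,
        AuthenticationExtensionsClientOutputs $outputs
    ): void {
        /** @var AuthenticationExtension $output */
        foreach ($outputs as $output) {
            // Reject outputs for extensions the relying party never asked for
            if (!$inputs->has($output->name())) {
                throw new ExtensionOutputError(
                    $output,
                    sprintf('Extension "%s" was returned but never requested', $output->name())
                );
            }

            // Sanity-check the shape of a well-known output before it is used
            if ($output->name() === 'credProps' && !is_array($output->value())) {
                throw new ExtensionOutputError($output, 'The credProps output must be a map');
            }
        }
    }
}

// Register the checker on the handler used by both validators
$extensionOutputCheckerHandler = new ExtensionOutputCheckerHandler();
$extensionOutputCheckerHandler->add(new RequestedOnlyExtensionChecker());
```

When a checker throws, the validator aborts the whole ceremony, so the credential is neither stored nor accepted for authentication.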
This object is what you will directly use when receiving Attestation Responses (authenticator registration).
```php
<?php
declare(strict_types=1);

use Webauthn\AuthenticatorAttestationResponseValidator;

$authenticatorAttestationResponseValidator = new AuthenticatorAttestationResponseValidator(
    $attestationStatementSupportManager,
    $publicKeyCredentialSourceRepository,
    $tokenBindingHandler,
    $extensionOutputCheckerHandler
);
```
This object is what you will directly use when receiving Assertion Responses (user authentication).
```php
<?php
declare(strict_types=1);

use Webauthn\AuthenticatorAssertionResponseValidator;

$authenticatorAssertionResponseValidator = new AuthenticatorAssertionResponseValidator(
    $publicKeyCredentialSourceRepository, // The Credential Repository service
    $tokenBindingHandler,                 // The token binding handler
    $extensionOutputCheckerHandler,       // The extension output checker handler
    $coseAlgorithmManager                 // The COSE Algorithm Manager
);
```