The mechanism for generating public key credentials, as well as requesting and generating Authentication assertions, can be extended to suit particular use cases. Each case is addressed by defining a registration extension.
This library is ready to handle extension inputs and outputs, but no concrete implementations are provided.
It is up to you, depending on the extensions you want to support, to create the extension handlers.
Creation/Request Options
The following example is totally fictive. We will add an extension input loc=true to the request option object.
<?phpdeclare(strict_types=1);useWebauthn\AuthenticationExtensions\AuthenticationExtension;useWebauthn\AuthenticationExtensions\AuthenticationExtensionsClientInputs;useWebauthn\PublicKeyCredentialRequestOptions;// Extensions$extensions =newAuthenticationExtensionsClientInputs();$extensions->add(newAuthenticationExtension('loc',true));// List of registered PublicKeyCredentialDescriptor classes associated to the user$registeredPublicKeyCredentialDescriptors = …;// Public Key Credential Request Options$publicKeyCredentialRequestOptions =newPublicKeyCredentialRequestOptions(random_bytes(32),// Challenge60000,// Timeout'foo.example.com',// Relying Party ID $registeredPublicKeyCredentialDescriptors,// Registered PublicKeyCredentialDescriptor classesPublicKeyCredentialRequestOptions::USER_VERIFICATION_REQUIREMENT_PREFERRED,// User verification requirement $extensions);
Extension Output Checker
An Extension Output Checker will check the extension inputs and output.
It must implement the interface Webauthn\AuthenticationExtensions\ExtensionOutputChecker and throw an exception of type Webauthn\AuthenticationExtension\ExtensionOutputError in case of error.
Devices may ignore the extension inputs. The extension outputs are therefore not guaranteed.
In the previous example, we asked for the location of the device and we expect to receive geolocation data in the extension output.
<?phpdeclare(strict_types=1);namespaceAcme\Extension;useWebauthn\AuthenticationExtensions\ExtensionOutputChecker;useWebauthn\AuthenticationExtensions\ExtensionOutputError;finalclassLocationExtensionOutputChecker{publicfunctioncheck(AuthenticationExtensionsClientInputs $inputs,AuthenticationExtensionsClientOutputs $outputs):void {if (!$inputs->has('loc')|| $inputs->get('loc')!==true) {return; }if (!$outputs->has('loc')) {//You may simply return but here we consider it is a mandatory extension output.thrownewExtensionOutputError( $inputs->get('loc'),'The location of the device is missing' ); } $location = $outputs->get('loc');//... Proceed with the output e.g. by logging the location of the device// or verifying it is in a specific area. }}
Extension Input
To enable an authenticator feature like the geolocation, you must ask it through the creation or the request option objects.