First authenticator registration
Now we want to register a new authenticator and attach it to a user. This step can be done during the creation of a new user account or if the user already exists and you want to add another authenticator.
You can attach several authenticators to a user account. It is recommended in case of lost devices or if the user gets access on your application using multiple platforms (smartphone, laptop…).
To register a new authenticator, you need to generate and send a set of options to it. These options are defined in a Webauthn\PublicKeyCredentialCreationOptions
object.
To generate that object, you just need to call the methodgeneratePublicKeyCredentialCreationOptions
of the $server
object. This method requires a Webauthn\PublicKeyCredentialUserEntity
object that represents the user entity to be associated with this new authenticator.
Now send the options to the authenticator using your favorite Javascript framework, library or the example available in the Javascript page.
The Public Key Credential Creation Options object (variable $publicKeyCredentialCreationOptions
) can be serialized into JSON.
The variable $publicKeyCredentialCreationOptions
and $userEntity
have to be stored somewhere. These are needed during the next step. Usually these values are set in the session or solutions like Redis.
When the authenticator sends you the computed response (i.e. the user touched the button, fingerprint reader, submitted the PIN…), you can load it and check it.
The authenticator response looks similar to the following example:
The library needs PSR-7 requests. In the example below, we use nyholm/psr7-server
to get that request.
First user authentication
To authenticate you user, you need to send a Webauthn\PublicKeyCredentialRequestOptions
object.
To generate that object, you just need to call the method generatePublicKeyCredentialRequestOptions
of the $server
object.
In general, to authenticate your user you will ask them for their username first. With this username and your user repository, you will find the associated Webauthn\PublicKeyCredentialUserEntity
.
And with the user entity you will get all associated Public Key Credential Source objects. The credential list is used to build the Public Key Credential Request Options.
Now send the options to the authenticator using your favorite Javascript framework, library or the example available in the Javascript page.
When the authenticator sends you the computed response (i.e. the user touched the button, fingerprint reader, submitted the PIN…), you can load it and check it.
The authenticator response looks similar to the following example:
The library needs PSR-7 requests. In the example below, we use nyholm/psr7-server
to get that request.
How to run a basic Webauthn server?
The easiest way to create a Webauthn Server is to use the class Webauthn\Server
.
That’s it!
You can now register a new authenticator or authenticate your users.