Webauthn Framework
v3.3
Token Binding


Last updated 3 years ago


Browsers may support the Token Binding protocol (see RFC 8471). This protocol defines a way to bind a token (the Responses, in the Webauthn context) to the underlying TLS layer.

When receiving a Webauthn Response, the property tokenBinding in the Webauthn\CollectedClientData object has one of the following values:

  • null: the token binding is not supported by the browser

  • "supported": the browser supports token binding, but no negotiation was performed during the communication

  • "present": the browser supports token binding, and it is present in the response. The token binding ID is provided.

Token binding is not yet implemented in the library, but you can decide how the library reacts when a token binding ID is present.

The library provides two concrete classes for the moment:

  • Webauthn\TokenBinding\IgnoreTokenBindingHandler: the library will ignore the token binding,

  • Webauthn\TokenBinding\TokenBindingNotSupportedHandler: the library will throw an exception if the token binding is present.

You can change this behavior by creating your own implementation. The handler must implement the interface Webauthn\TokenBinding\TokenBindingHandler.
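A custom handler can wrap one of the two provided classes and log what it sees, which lets you measure how many responses carry a token binding ID before switching from the ignoring handler to the rejecting one. The class below is an added example, not code from the library: the class name, namespace and PSR-3 logger are hypothetical, and the `check()` signature and `getStatus()` accessor are assumed to match the v3.x interface.

```php
<?php

declare(strict_types=1);

namespace App\Security; // hypothetical application namespace

use Psr\Http\Message\ServerRequestInterface;
use Psr\Log\LoggerInterface;
use Throwable;
use Webauthn\TokenBinding\TokenBinding;
use Webauthn\TokenBinding\TokenBindingHandler;

// Wraps another handler, logs every response whose token binding status is
// "present", and logs any rejection before passing the exception on.
final class AuditingTokenBindingHandler implements TokenBindingHandler
{
    private $inner;
    private $logger;

    public function __construct(TokenBindingHandler $inner, LoggerInterface $logger)
    {
        $this->inner = $inner;
        $this->logger = $logger;
    }

    // Assumed signature of the interface's single method (v3.x).
    public function check(TokenBinding $tokenBinding, ServerRequestInterface $request): void
    {
        $status = $tokenBinding->getStatus(); // assumed accessor
        if ($status === 'present') {
            // Record the event only; the binding ID itself is not logged.
            $this->logger->notice('Webauthn response carries a token binding ID', [
                'path' => $request->getUri()->getPath(),
                'inner_handler' => get_class($this->inner),
            ]);
        }

        try {
            $this->inner->check($tokenBinding, $request);
        } catch (Throwable $e) {
            // The wrapped handler refused the response: log it, then rethrow.
            $this->logger->warning('Webauthn response rejected by token binding handler', [
                'status' => $status,
                'reason' => $e->getMessage(),
            ]);
            throw $e;
        }
    }
}
```

Pass an instance that wraps `IgnoreTokenBindingHandler` or `TokenBindingNotSupportedHandler` wherever the handler is set.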

The Easy Way

<?php

use Webauthn\Server;
use Webauthn\TokenBinding\TokenBindingNotSupportedHandler;

$server = new Server(
    $rpEntity,
    $publicKeyCredentialSourceRepository
);

// Set your handler here
$server->setTokenBindingHandler(new TokenBindingNotSupportedHandler());

The Hard Way

When you create your Authenticator Attestation and Authenticator Assertion Response Validators, just inject the correct handler.

The Symfony Way

config/packages/webauthn.yaml
webauthn:
    token_binding_support_handler: Webauthn\TokenBinding\TokenBindingNotSupportedHandler