Webauthn Framework
v3.3
  1. The Webauthn Server

The Hard Way

If you want a fine grained Webauthn server

Last updated 3 years ago

You will need the following components before loading or verifying the data:

  • The Public Key Credential Source Repository

  • A token binding handler

  • An Attestation Statement Support Manager and at least one Attestation Statement Support object

  • An Attestation Object Loader

  • A Public Key Credential Loader

  • An Authenticator Attestation Response Validator

  • An Extension Output Checker Handler

That’s a lot of classes! But don’t worry: their configuration is the same across your whole application, so you only have to set them up once. Let’s look at each of them in the next sections.

Public Key Credential Source Repository

The Public Key Credential Source Repository must implement Webauthn\PublicKeyCredentialSourceRepository. It retrieves the credential sources and updates them when needed (for example after a successful assertion, when the signature counter changes).

You can implement the required methods the way you want: Doctrine ORM, file storage… as mentioned on the dedicated page.

Token Binding Handler

The token binding handler is a service that verifies that the token binding set in the device response corresponds to the one set in the request.

Please refer to the dedicated page.

Attestation Statement Support Manager

Every Creation Response contains an Attestation Statement. This attestation contains data about the authenticator, depending on several factors such as its manufacturer and model, what you asked for in the options, the capabilities of the browser, and what the user allowed.

With Firefox for example, the user may refuse to send information about the security token for privacy reasons.

The attestation types you may receive are:

  • none: no attestation is provided.

  • fido-u2f: for non-FIDO2 compatible devices (old U2F security tokens).

  • packed: generally used by authenticators with limited resources (e.g., secure elements). It uses a very compact but still extensible encoding method.

  • android key: commonly used by old or disconnected Android devices.

  • android safety net: for new Android devices like smartphones.

  • trusted platform module: for devices with built-in security chips.

<?php

declare(strict_types=1);

use Webauthn\AttestationStatement\AttestationStatementSupportManager;
use Webauthn\AttestationStatement\NoneAttestationStatementSupport;

// The manager receives the attestation data to load and selects the appropriate Attestation Statement Support object
$attestationStatementSupportManager = new AttestationStatementSupportManager();

// The none type
$attestationStatementSupportManager->add(new NoneAttestationStatementSupport());

Attestation Object Loader

This object loads the Attestation Objects received from the devices. It needs the Attestation Statement Support Manager created above.

<?php

declare(strict_types=1);

use Webauthn\AttestationStatement\AttestationObjectLoader;

$attestationObjectLoader = new AttestationObjectLoader($attestationStatementSupportManager);

Public Key Credential Loader

This object loads the Public Key Credential sent by the browser, using the Attestation Object Loader created above.

<?php

declare(strict_types=1);

use Webauthn\PublicKeyCredentialLoader;

$publicKeyCredentialLoader = new PublicKeyCredentialLoader($attestationObjectLoader);

Extension Output Checker Handler

If you use extensions, you may need to check the values returned by the security devices. This behaviour is handled by an Extension Output Checker Handler.

<?php

declare(strict_types=1);

use Webauthn\AuthenticationExtensions\ExtensionOutputCheckerHandler;

$extensionOutputCheckerHandler = new ExtensionOutputCheckerHandler();

You can add as many extension checkers as you want. Each extension checker must implement Webauthn\AuthenticationExtensions\ExtensionOutputChecker and throw a Webauthn\AuthenticationExtensions\ExtensionOutputError in case of an error.

Authenticator Attestation Response Validator

This object is what you will directly use when receiving Attestation Responses (authenticator registration).

<?php

declare(strict_types=1);

use Webauthn\AuthenticatorAttestationResponseValidator;

$authenticatorAttestationResponseValidator = new AuthenticatorAttestationResponseValidator(
    $attestationStatementSupportManager,
    $publicKeyCredentialSourceRepository,
    $tokenBindingHandler,
    $extensionOutputCheckerHandler
);

Authenticator Assertion Response Validator

This object is what you will directly use when receiving Assertion Responses (user authentication).

<?php

declare(strict_types=1);

use Webauthn\AuthenticatorAssertionResponseValidator;

$authenticatorAssertionResponseValidator = new AuthenticatorAssertionResponseValidator(
    $publicKeyCredentialSourceRepository,  // The Credential Repository service
    $tokenBindingHandler,                  // The token binding handler
    $extensionOutputCheckerHandler,        // The extension output checker handler
    $coseAlgorithmManager                  // The COSE Algorithm Manager
);

All the attestation types listed above are supported, but you should only use the none one unless you plan to use the Attestation and Metadata Statement.

The Android SafetyNet Attestation Statement is a JWT that can be verified by the library, but it can also be checked online by calling the Google API. This method drastically increases the security of this attestation type, but requires a PSR-18 compatible HTTP Client and an API key.
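Putting the two validators above to use, as an added example that is not part of the library's documentation: a hypothetical CeremonyHandler class (PHP 8) that drives both the registration and the authentication ceremony. It assumes the loader, validators and repository built on this page are injected, and that $tokenBindingHandler and $coseAlgorithmManager were created as described on their dedicated pages.

```php
<?php
declare(strict_types=1);

use Psr\Http\Message\ServerRequestInterface;
use Webauthn\AuthenticatorAssertionResponse;
use Webauthn\AuthenticatorAssertionResponseValidator;
use Webauthn\AuthenticatorAttestationResponse;
use Webauthn\AuthenticatorAttestationResponseValidator;
use Webauthn\PublicKeyCredentialCreationOptions;
use Webauthn\PublicKeyCredentialLoader;
use Webauthn\PublicKeyCredentialRequestOptions;
use Webauthn\PublicKeyCredentialSource;
use Webauthn\PublicKeyCredentialSourceRepository;

// Hypothetical wrapper (not library code) around the services built above; needs PHP 8.
final class CeremonyHandler
{
    public function __construct(
        private PublicKeyCredentialLoader $loader,
        private AuthenticatorAttestationResponseValidator $attestationValidator,
        private AuthenticatorAssertionResponseValidator $assertionValidator,
        private PublicKeyCredentialSourceRepository $repository
    ) {}

    // Registration: $json is what the browser posted; $options are the creation
    // options issued for this ceremony (check() compares the challenge with them).
    public function register(string $json, PublicKeyCredentialCreationOptions $options, ServerRequestInterface $request): PublicKeyCredentialSource
    {
        $response = $this->loader->load($json)->getResponse();
        if (!$response instanceof AuthenticatorAttestationResponse) {
            throw new \RuntimeException('Expected an attestation response');
        }
        // check() throws on a bad challenge, origin, RP ID, attestation or extension output.
        $source = $this->attestationValidator->check($response, $options, $request);
        $this->repository->saveCredentialSource($source); // persist only after validation
        return $source;
    }

    // Authentication: $userHandle is the user's handle, or null for a username-less ceremony.
    public function authenticate(string $json, PublicKeyCredentialRequestOptions $options, ServerRequestInterface $request, ?string $userHandle): PublicKeyCredentialSource
    {
        $credential = $this->loader->load($json);
        $response = $credential->getResponse();
        if (!$response instanceof AuthenticatorAssertionResponse) {
            throw new \RuntimeException('Expected an assertion response');
        }
        // Verifies the signature with the stored public key and checks the counter.
        return $this->assertionValidator->check($credential->getRawId(), $response, $options, $request, $userHandle);
    }
}
```

Both check() calls throw on any verification failure, so the credential source is only stored (or the user only logged in) when the whole chain of checks has passed.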
