Authenticate Your Users
Last updated
Was this helpful?
Last updated
Was this helpful?
During this step, your application will send a challenge to the list of registered devices of the user. The security token will resolve this challenge by adding information and digitally signing the data.
To perform a user authentication using a security device, you need to instantiate a Webauthn\PublicKeyCredentialRequestOptions
object.
Let’s say you want to authenticate the user we used earlier. This options object will need:
A challenge (random binary string)
A timeout (optional)
i.e. your application domain (optional)
The list with the allowed credentials
(optional)
(optional)
The PublicKeyCredentialRequestOptions
object is designed to be easily serialized into a JSON object. This will ease the integration into an HTML page or through an API endpoint.
The user trying to authenticate must have registered at least one device. For this user, you have to get all Webauthn\PublicKeyCredentialDescriptor
associated to his account.
The way you receive this response is out of scope of this library. In the previous example, the data is part of the query string, but it can be done through a POST request body or a request header.
What you receive must be a JSON object that looks like as follows:
There are two steps to perform with this object:
Load the data
Verify the loaded data against the assertion options set above
Now we have a fully loaded Public Key Credential object, but we need now to make sure that:
The authenticator response is of type AuthenticatorAssertionResponse
This response is valid.
The first is easy to perform:
The second step is the verification against the Public Key Assertion Options we created earlier.
The Authenticator Assertion Response Validator service (variable $authenticatorAssertionResponseValidator
) will check everything for you.
If no exception is thrown, the response is valid and you can continue the authentication of the user.
Eligible authenticators are filtered and only capable of satisfying this requirement will interact with the user. Please refer to the for all possible values.
Please refer to the to know how to manage authentication extensions.
This step is exactly the same as the one described in process.