During this step, your application sends a challenge to the device. The device resolves this challenge by adding information and digitally signing the data.
The application then checks the response from the device and extracts its credential ID. This ID is used for subsequent authentication requests.
Creation Request
To associate a device with a user, you need to instantiate a Webauthn\PublicKeyCredentialCreationOptions object.
Let's see an example of the PublicKeyCredentialCreationOptions object. The following example is a possible Public Key Creation page for a dummy user "@cypher-Angel-3000".
```php
<?php

declare(strict_types=1);

use Cose\Algorithms;
use Webauthn\AuthenticatorSelectionCriteria;
use Webauthn\PublicKeyCredentialDescriptor;
use Webauthn\PublicKeyCredentialCreationOptions;
use Webauthn\PublicKeyCredentialParameters;
use Webauthn\PublicKeyCredentialRpEntity;
use Webauthn\PublicKeyCredentialUserEntity;

// RP Entity
$rpEntity = new PublicKeyCredentialRpEntity(
    'My Super Secured Application', // Name
    'foo.example.com',              // ID
    null                            // Icon
);

// User Entity
$userEntity = new PublicKeyCredentialUserEntity(
    '@cypher-Angel-3000',                   // Name
    '123e4567-e89b-12d3-a456-426655440000', // ID
    'Mighty Mike',                          // Display name
    null                                    // Icon
);

// Challenge: random, unpredictable bytes that the authenticator signs over
$challenge = random_bytes(16);

// Timeout
$timeout = 60000; // 60 seconds

// Public Key Credential Parameters (accepted signature algorithms, in order of preference)
$publicKeyCredentialParametersList = [
    new PublicKeyCredentialParameters('public-key', Algorithms::COSE_ALGORITHM_ES256),
    new PublicKeyCredentialParameters('public-key', Algorithms::COSE_ALGORITHM_RS256),
];

// Devices to exclude (credentials already registered for this user)
$excludedPublicKeyDescriptors = [
    new PublicKeyCredentialDescriptor(PublicKeyCredentialDescriptor::CREDENTIAL_TYPE_PUBLIC_KEY, 'ABCDEFGH…'),
];

$publicKeyCredentialCreationOptions = new PublicKeyCredentialCreationOptions(
    $rpEntity,
    $userEntity,
    $challenge,
    $publicKeyCredentialParametersList,
    $timeout,
    $excludedPublicKeyDescriptors,
    new AuthenticatorSelectionCriteria(),
    PublicKeyCredentialCreationOptions::ATTESTATION_CONVEYANCE_PREFERENCE_NONE,
    null // Extensions
);
```
The options object can be converted into JSON and sent to the authenticator by a JavaScript script.
It is important to store the user entity and the options object (e.g. in the session) for the next step; they will be needed to check the response from the device.
Creation Response
What you receive must be a JSON object that looks like the following:
If no exception is thrown, you can go to the next step: the verification.
Response Verification
Now we have a fully loaded Public Key Credential object, but we still need to make sure that:
The authenticator response is of type AuthenticatorAttestationResponse
This response is valid.
The first is easy to perform:
```php
<?php

declare(strict_types=1);

use Webauthn\AuthenticatorAttestationResponse;

// A registration must carry an attestation response, not an assertion response
$authenticatorAttestationResponse = $publicKeyCredential->getResponse();
if (!$authenticatorAttestationResponse instanceof AuthenticatorAttestationResponse) {
    // e.g. process here with a redirection to the public key creation page.
}
```
The second step is the verification against:
The Public Key Creation Options we created earlier,
The HTTP request
The Authenticator Attestation Response Validator service (variable $authenticatorAttestationResponseValidator) will check everything for you: challenge, origin, attestation statement and much more.
The library needs PSR-7 requests. In the example below, we use nyholm/psr7-server to get that request.
If no exception is thrown, the response is valid. You can store the Public Key Credential Source ($publicKeyCredentialSource) and associate it to the user entity.
The way you store these objects and associate them with the user is out of the scope of this library. However, please note that these objects implement \JsonSerializable and have a static method createFromJson(string $json). This lets you serialize the objects into JSON and easily rebuild the object later.
If you have just registered a new user, don’t forget to store it in your database as well.
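The following is an added example, not code from the page or from the library's own documentation, that chains the Creation Response loading, the type check and the validator call described above, obtains the PSR-7 request with nyholm/psr7-server, and then stores the resulting credential source as the last two paragraphs describe. It assumes the webauthn-lib 3.x class names and constructor signatures, an application-provided $publicKeyCredentialSourceRepository implementing Webauthn\PublicKeyCredentialSourceRepository, a session key named publicKeyCredentialCreationOptions written by the previous step, and a /register page to return to on a wrong response type; the JSON-restoring call uses the createFromJson method named on this page.

```php
<?php

declare(strict_types=1);

// Added example (not the library's documentation code). Assumptions: webauthn-lib 3.x,
// $publicKeyCredentialSourceRepository provided by the application, creation options
// stored as JSON in the session under 'publicKeyCredentialCreationOptions'.

use Nyholm\Psr7\Factory\Psr17Factory;
use Nyholm\Psr7Server\ServerRequestCreator;
use Webauthn\AttestationStatement\AttestationObjectLoader;
use Webauthn\AttestationStatement\AttestationStatementSupportManager;
use Webauthn\AttestationStatement\NoneAttestationStatementSupport;
use Webauthn\AuthenticationExtensions\ExtensionOutputCheckerHandler;
use Webauthn\AuthenticatorAttestationResponse;
use Webauthn\AuthenticatorAttestationResponseValidator;
use Webauthn\PublicKeyCredentialCreationOptions;
use Webauthn\PublicKeyCredentialLoader;
use Webauthn\TokenBinding\IgnoreTokenBindingHandler;

session_start();

// 1. Restore the creation options saved in the previous step (createFromJson as named on
//    this page; check the method name against the library version you install).
$publicKeyCredentialCreationOptions = PublicKeyCredentialCreationOptions::createFromJson(
    $_SESSION['publicKeyCredentialCreationOptions']
);

// 2. Load the JSON object the browser posted (Creation Response step). The attestation
//    conveyance preference was "none", so only the "none" format needs to be supported.
$attestationStatementSupportManager = new AttestationStatementSupportManager();
$attestationStatementSupportManager->add(new NoneAttestationStatementSupport());

$attestationObjectLoader = new AttestationObjectLoader($attestationStatementSupportManager);
$publicKeyCredentialLoader = new PublicKeyCredentialLoader($attestationObjectLoader);

$publicKeyCredential = $publicKeyCredentialLoader->load(file_get_contents('php://input'));

// 3. The response must be an attestation response (registration), not an assertion.
$authenticatorAttestationResponse = $publicKeyCredential->getResponse();
if (!$authenticatorAttestationResponse instanceof AuthenticatorAttestationResponse) {
    header('Location: /register'); // assumed path of the public key creation page
    exit;
}

// 4. Build the PSR-7 request the validator uses to check the origin (and token binding).
$psr17Factory = new Psr17Factory();
$serverRequest = (new ServerRequestCreator($psr17Factory, $psr17Factory, $psr17Factory, $psr17Factory))
    ->fromGlobals();

// 5. Verify challenge, origin, RP ID hash, attestation statement and the rest.
$authenticatorAttestationResponseValidator = new AuthenticatorAttestationResponseValidator(
    $attestationStatementSupportManager,
    $publicKeyCredentialSourceRepository, // your own implementation
    new IgnoreTokenBindingHandler(),
    new ExtensionOutputCheckerHandler()
);

try {
    $publicKeyCredentialSource = $authenticatorAttestationResponseValidator->check(
        $authenticatorAttestationResponse,
        $publicKeyCredentialCreationOptions,
        $serverRequest
    );
} catch (\Throwable $e) {
    // Any failed check aborts the registration; do not store anything.
    http_response_code(400);
    exit('Registration failed');
}

// 6. Persist the credential source (associated with the user entity) and discard the
//    single-use options so the same challenge cannot be replayed.
$publicKeyCredentialSourceRepository->saveCredentialSource($publicKeyCredentialSource);
unset($_SESSION['publicKeyCredentialCreationOptions']);
```

The options are removed from the session after a successful check so that a second POST with the same response cannot be accepted; the credential source returned by check() is what the later authentication step looks up by credential ID.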