Webauthn Framework
v4.0

Introduction

Overview of the framework

Webauthn defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users.

The complete specification can be found on the dedicated W3C page.

This framework contains PHP libraries and a Symfony bundle that allow developers to integrate this authentication mechanism into their web applications.

Class, Constant and Property Names

Naming things can be complicated. That’s why the following rule applies across the whole framework: the names of classes, constants and properties are identical to the ones you will find in the specification.

As an example, section 5.2.2 “Web Authentication Assertion” shows an object named AuthenticatorAssertionResponse that extends AuthenticatorResponse with the following properties:

  • authenticatorData

  • signature

  • userHandle

You will find EXACTLY the same structure in the PHP class provided by the library.

Supported features

  • Attestation Types

    • Empty

    • Basic

    • Self

    • Private CA

    • Anonymization CA

    • Elliptic Curve Direct Anonymous Attestation (ECDAA)

  • Attestation Formats

    • FIDO U2F

    • Packed

    • TPM

    • Android Key

    • Android SafetyNet

    • Apple

  • Token Binding support

  • COSE Algorithms

    • RS1, RS256, RS384, RS512

    • PS256, PS384, PS512

    • ES256, ES256K, ES384, ES512

    • ED25519

  • Extensions

    • Supported (not fully tested)

    • appid extension (compatibility with FIDO U2F authenticator)

Compatible Authenticators

The framework is already compatible with all authenticators except the ones that use ECDAA Attestation format.

The ECDAA Attestation format is very rare at this time (April 2021), so this framework can safely be used in production.

The compliance of the framework is ensured by running unit and functional tests during its development.

It is also tested using the official FIDO Alliance testing tools. The status of the compliance tests is reported in this issue. At the time of writing (end of April 2021), the main features and algorithms are supported and 99% of the tests pass.

Support

I bring solutions to your problems and answer your questions.

If you really love this project and the work I have done, or if you want me to prioritize your issues, then you can help me out with a couple of 🍻 or more!

Contributing

Requests for new features, bug fixes and all other ideas to make this framework useful are welcome.

If you feel comfortable writing code, you could try to fix open issues where help is wanted or those that are easy to fix.

Do not forget to follow these best practices.

If you think you have found a security issue, DO NOT open an issue. You MUST submit your issue here.
