Attestation and Metadata Statement
Disclaimer: you should not ask for the Attestation Statement unless you are working on an application that requires a high level of trust (e.g. Banking/Financial Company, Government Agency...).
Receiving Attestation Statement
Attestation Metadata Repository
First of all, you must prepare an Attestation Metadata Repository. This service will manage all Metadata Statements depending on their sources (local storage or distant service).
Your Metadata Statement Repository must implement the interface Webauthn\MetadataService\MetadataStatementRepository
that has two methods:
findOneByAAGUID(string $aaguid)
: this method retrieves theMetadataStatement
object with AAGUID. It shall returnnull
in case of the absence of the MDS.
The library does not provide any Metadata Statement Repository. It is up to you to select the MDS suitable for your application and store them in your database.
There are few steps to acheive. First, you have to add support classes for all attestation statement types into your Attestation Metatdata Manager.
The Android SafetyNet Attestation Statement is a JWT that can be verified by the library, but can also be checked online by hitting the Google API. This method drastically increase the security for the attestation type but requires a PSR-18 compatible HTTP Client and an API key.
Next, you must inject the Metadata Statement Repository to your Attestation Object Loader.
Credential Creation Options
By default, no Attestation Statement is asked to the Authenticators (type = none
). To change this behavior, you just have to set the corresponding parameter in the Webauthn\PublicKeyCredentialCreationOptions
object.
There are 3 conveyance modes available using PHP constants provided by the class Webauthn\PublicKeyCredentialCreationOptions
:
ATTESTATION_CONVEYANCE_PREFERENCE_NONE
: the Relying Party is not interested in authenticator attestation (default)ATTESTATION_CONVEYANCE_PREFERENCE_INDIRECT
: the Relying Party prefers an attestation conveyance yielding verifiable attestation statements, but allows the client to decide how to obtain such attestation statements.ATTESTATION_CONVEYANCE_PREFERENCE_DIRECT
: the Relying Party wants to receive the attestation statement as generated by the authenticator.
The Hard Way
Last updated