Configuration References
Configuration
With Flex, you have a minimal configuration file installed through a Flex Recipe. You must set the repositories you have just created. You also have to modify the environment variables Relying_PARTY_ID
and Relying_PARTY_NAME
.
You may also need to adjust other parameters.
If you don’t use Flex, hereafter an example of configuration file:
webauthn:
# logger: null # PSR-3 compatible logging service
credential_repository: 'Webauthn\Bundle\Repository\DummyPublicKeyCredentialSourceRepository' # CREATE YOUR REPOSITORY AND CHANGE THIS!
user_repository: 'Webauthn\Bundle\Repository\DummyPublicKeyCredentialUserEntityRepository' # CREATE YOUR REPOSITORY AND CHANGE THIS!
token_binding_support_handler: 'Webauthn\TokenBinding\IgnoreTokenBindingHandler' # We ignore the token binding instructions by default
creation_profiles: # Authenticator registration profiles
default: # Unique name of the profile
rp: # Relying Party information
name: '%env(Relying_PARTY_NAME)%' # CHANGE THIS! or create the corresponding env variable
id: '%env(Relying_PARTY_ID)%' # Please adapt the env file with the correct relying party ID or set null
# icon: null # Secured image (data:// scheme)
# challenge_length: 32
# timeout: 60000
# authenticator_selection_criteria:
# attachment_mode: !php/const Webauthn\AuthenticatorSelectionCriteria::AUTHENTICATOR_ATTACHMENT_NO_PREFERENCE
# require_resident_key: false
# user_verification: !php/const Webauthn\AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_PREFERRED
# extensions:
# loc: true
# public_key_credential_parameters: # You should not change this list
# - !php/const Cose\Algorithms::COSE_ALGORITHM_EdDSA #Order is important. Preferred algorithms go first
# - !php/const Cose\Algorithms::COSE_ALGORITHM_ES256
# - !php/const Cose\Algorithms::COSE_ALGORITHM_ES256K
# - !php/const Cose\Algorithms::COSE_ALGORITHM_ES384
# - !php/const Cose\Algorithms::COSE_ALGORITHM_ES512
# - !php/const Cose\Algorithms::COSE_ALGORITHM_RS256
# - !php/const Cose\Algorithms::COSE_ALGORITHM_RS384
# - !php/const Cose\Algorithms::COSE_ALGORITHM_RS512
# - !php/const Cose\Algorithms::COSE_ALGORITHM_PS256
# - !php/const Cose\Algorithms::COSE_ALGORITHM_PS384
# - !php/const Cose\Algorithms::COSE_ALGORITHM_PS512
# attestation_conveyance: !php/const Webauthn\PublicKeyCredentialCreationOptions::ATTESTATION_CONVEYANCE_PREFERENCE_NONE
request_profiles: # Authentication profiles
default: # Unique name of the profile
rp_id: '%env(Relying_PARTY_ID)%' # Please adapt the env file with the correct relying party ID or set null
# challenge_length: 32
# timeout: 60000
# user_verification: !php/const Webauthn\AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_PREFERRED
# extensions:
# loc: true
# metadata:
# enabled: false
# mds_repository: 'App\Repository\MetadataStatementRepository'
# status_report_repository: 'App\Repository\StatusReportRepository'
# certificate_chain_checker: 'App\Security\CertificateChainChecker'
Creation Profiles
If you don't create the creation_profiles
section, a default
profile is set.
Relying Party (rp)
The relying Party corresponds to your application. Please refer to this page for more information.
The parameter id
is optional but highly recommended.
Challenge Length
By default, the length of the challenge is 32 bytes. You may need to select a smaller or higher length. This length can be configured for each profile:
webauthn:
creation_profiles:
acme:
rp:
name: 'ACME Webauthn Server'
challenge_length: 16
Timeout
The default timeout is set to 60 seconds (60 000 milliseconds). You can change this value as follows:
webauthn:
creation_profiles:
acme:
rp:
name: 'ACME Webauthn Server'
timeout: 30000
Authenticator Selection Criteria
This set of options allows you to select authenticators depending on their capabilities. The values are described in the advanced concepts of the protocol.
webauthn:
creation_profiles:
acme:
rp:
name: 'ACME Webauthn Server'
authenticator_selection_criteria:
attachment_mode: !php/const Webauthn\AuthenticatorSelectionCriteria::AUTHENTICATOR_ATTACHMENT_PLATFORM
require_resident_key: true
user_verification: !php/const Webauthn\AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_REQUIRED
Public Key Credential Parameters
This option indicates the algorithms allowed for your application. By default, a large list of algorithms is defined, but you can add custom algorithms or reduce the list.
It is not recommended changing the default list unless you exactly know what you are doing.
webauthn:
creation_profiles:
acme:
rp:
name: 'ACME Webauthn Server'
public_key_credential_parameters:
- !php/const Cose\Algorithms::COSE_ALGORITHM_ES256
- !php/const Cose\Algorithms::COSE_ALGORITHM_RS256
Attestation Conveyance
If you need the attestation of the authenticator, you can specify the preference regarding attestation conveyance during credential generation.
The use of Attestation Statements is generally not recommended unless you REALLY need this information.
webauthn:
creation_profiles:
acme:
rp:
name: 'ACME Webauthn Server'
attestation_conveyance: !php/const Webauthn\PublicKeyCredentialCreationOptions::ATTESTATION_CONVEYANCE_PREFERENCE_DIRECT
Extensions
You can set as many extensions as you want in the profile. Please also refer to this page for more information.
webauthn:
creation_profiles:
acme:
rp:
name: 'ACME Webauthn Server'
extensions:
loc: true
txAuthSimple: 'Please add your new authenticator'
Request Profiles
If you don't create the creation_profiles
section, a default
profile is set.
The parameters for the request profiles (i.e. the authentication) are very similar to the creation profiles. The only difference is that you don’t need all the detail of the Relying Party, but only its ID (i.e. its domain).
webauthn:
request_profiles:
acme:
rp_id: 'example.com'
Please note that all parameters are optional. The following configuration is perfectly valid. However, and as mentioned above, the parameter id
is highly recommended.
webauthn:
request_profiles:
acme: ~
Last updated
Was this helpful?