1 of 49

v4.0

The project

Introduction

Overview of the framework

Webauthn defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users.

The complete specification can be found on the W3C dedicated page.

This framework contains PHP libraries and Symfony bundle to allow developers to integrate that authentication mechanism into their web applications.

Class, Constant and Property Names

Naming things may be complicated. That’s why the following rule applies on the whole framework: the name of classes, constants and properties are identical to the ones you will find in the specification.

As an example, the shows an object named AuthenticatorAssertionResponse that extends AuthenticatorResponse with the following properties:

authenticatorData
signature
userHandle

Supported features

Attestation Types
- Empty
- Basic

Compatible Authenticators

The framework is already compatible with all authenticators except the ones that use ECDAA Attestation format.

The ECDAA Attestation format is very rare at that time (April 2021) thus this framework can safely be used in production.

The compliance of the framework is ensured by running unit and functional tests during its development.

It is also tested using the official FIDO Alliance testing tools. The status of the compliance tests are . At the time of writing (end of April 2021), the main features and algorithms are supported and 99% of the tests pass.

Support

I bring solutions to your problems and answer your questions.

If you really love that project, and the work I have done or if you want I prioritize your issues, then !

Contributing

Requests for new features, bug fixed and all other ideas to make this framework useful are welcome.

If you feel comfortable writing code, you could try to fix or .

Do not forget to follow .

If you think you have found a security issue, DO NOT open an issue. .

Web Browser Support

Adoption by web browsers

Webauthn is now supported by all main web browsers:

Mozilla Firefox 60+ and Firefox for Android 68+
Google Chrome 67+
Microsoft EDGE 18+ and Microsoft EDGE Chromium 79+
Opera 54+
Safari 13+ and iOS Safari 13.3+
Android Browser 76+

For more information and limitation on these browsers, please have a look at the following page:

Installation

How to install the library or the Symfony bundle?

This framework contains several sub-packages that you don’t necessarily need. It is highly recommended to install what you need and not the whole framework.

The preferred way to install the library you need is to use composer:

Hereafter the dependency tree:

web-auth/webauthn-lib: this is the core library. This package can be used in any PHP project or within any popular framework (Laravel, CakePHP…)
web-auth/webauthn-symfony-bundle: this is a Symfony bundle that ease the integration of this authentication mechanism in your Symfony project.

The core library also depends on web-auth/cose-lib and web-auth/metadata-service. What are these dependencies?

web-auth/cose-lib contains several cipher algorithms and COSE key support to verify the digital signatures sent by the authenticators during the creation and authentication ceremonies. These algorithms are compliant with the . This library can be used by any other PHP projects. At the moment only signature algorithms are available, but it is planned to add encryption algorithms.

web-auth/metadata-service provides classes to support the . If you plan to use Attestation Statements during the creation ceremony, this service is mandatory. Please note that Attestation Statements decreases the user privacy as they may leak data that allow to identify a specific user. The use of Attestation Statements and this service are generally not recommended unless you REALLY need this information. This library can also be used by any other PHP projects.

Framework and Dependency Sizes

The total size of the core package is approximately 760ko. Hereafter the detail for each component:

web-auth/cose-lib: 85ko
web-auth/metadata-service: 81ko
web-auth/webauthn-lib

The total size of the core package + the direct dependencies is approximately 1.7Mo.

Contributing

You have just found a bug?

First of all, thank you for contributing.

Bugs or feature requests can be posted online on the GitHub issues section of the project.

Few rules to ease code reviews and merges:

You MUST follow the for coding standards.

Webauthn In A Nutshell

Authenticators

What is an authenticator?

An Authenticator is a cryptographic entity used to generate a public key credential and registered by a Relying Party (i.e. an application). This public key is used to authenticate by potentially verifying a user in the form of an authentication assertion and other data.

Authenticators may have additional features such as PIN code or biometric sensors (fingerprint, facial recognition…) that offer user verification.

Roaming Authenticators

Ceremonies

Registration and Authentication process overview

In the Webauthn context, there are two ceremonies:

The attestation ceremony: it corresponds to the registration of a new authenticator,
The assertion ceremony: it is used for the authentication of a user.

For both ceremonies, there are two steps to perform:

Metadata Statement

Disclaimer: you should not ask for the Attestation Statement unless you are working on an application that requires a high level of trust (e.g. Banking/Financial Company, Government Agency...).

Attestation Statement

During the Attestation Ceremony (i.e. the registration of the authenticator), you can ask for the Attestation Statement of the authenticator. The Attestation Statements have one of the following types:

None (none): no Attestation Statement is provided
Basic Attestation (basic): Authenticator’s attestation key pair is specific to an authenticator model.

Metadata Statement

The Metadata Statements are issued by the manufacturers of the authenticators. These statements contain details about the authenticators (supported algorithms, biometric capabilities...) and all the necessary information to verify the Attestation Statements generated during the attestation ceremony.

There are several possible sources to get these Metadata Statements. The main source is the that allows fetching statements on-demand, but some of them may be provided by other means.

The FIDO Alliance Metadata Service provides a limited number of Metadata Statements. It is mandatory to get the statement from the manufacturer of your authenticators otherwise the Attestation Statement won't be verified and the Attestation Ceremony will fail.

User Verification

User verification may be instigated through various authorization gesture modalities: a touch plus PIN code, password entry, or biometric recognition (presenting a fingerprint). The intent is to be able to distinguish individual users.

Eligible authenticators are filtered and only capable of satisfying this requirement will interact with the user.

Possible user verification values are:

required: this value indicates that the application requires user verification for the operation and will fail the operation if the response does not have the UV flag set.
preferred: this value indicates that the application prefers user verification for the operation if possible, but will not fail the operation if the response does not have the UV flag set.
discouraged: this value indicates that the application does not want user verification employed during the operation (e.g.,in the interest of minimizing disruption to the user interaction flow).

Public constants are provided by AuthenticatorSelectionCriteria.

AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_REQUIRED
AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_PREFERRED
AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_DISCOURAGED

Extensions

The mechanism for generating public key credentials, as well as requesting and generating Authentication assertions, can be extended to suit particular use cases. Each case is addressed by defining a registration extension.

Standard extensions are usually listed in the dedicated IANA Registry available at

Among the available extensions, you have:

loc: The location registration extension and authentication extension provides the client device's current location to the WebAuthn Relying Party, if supported by the client platform and subject to user consent.

Token Binding

Browsers may support the Token Binding protocol (see RFC 8471). This protocol defines a way to bind a token (the Responses in the Webauthn context) to the underlying TLS layer.

When receiving a Webauthn Response, the property tokenBinding in the Webauthn\CollectedClientData object has one of the following values:

null: the token binding is not supported by the browser
"supported": the browser supports token binding, but no negotiation was performed during the communication
"present": the browser supports token binding, and it is present in the response. The token binding ID is provided.

This feature is not yet implemented in the library, but you can decide how the library will react in case of the presence of the token binding ID.

The library provides two concrete classes for the moment:

Webauthn\TokenBinding\IgnoreTokenBindingHandler: the library will ignore the token binding (recommended),
Webauthn\TokenBinding\TokenBindingNotSupportedHandler: the library will throw an exception if the token binding is present.

You can change this behavior by creating your own implementation. The handler must implement the interface Webauthn\TokenBinding\TokenBindingHandler.

Prerequisites

The Relying Party

aka the application you are interacting with

The Relying Party (or rp) corresponds to the application that will ask for the user to interact with the authenticator.

The library provides a simple class to handle the rp information: Webauthn\PublicKeyCredentialRpEntity.

This $rpEntity object will be useful for the next steps.

Relying Party ID

In the example above, we created a simple relying party object with it’s name. The relying party may also have an ID that corresponds to the domain applicable for that rp. By default, the relying party ID is null i.e. the current domain will be used.

It may be useful to specify the rp ID, especially if your application has several sub-domains. The rp ID can be set during the creation of the object as 2nd constructor parameter.

Even if it is optional, we highly recommend setting the application ID

The rp ID shall be the domain of the application without the scheme, userinfo, port, path, user…. IP addresses are not allowed either.

Allowed: www.sub.domain.com, sub.domain.com, domain.com

Not allowed:

www.sub.domain.com:1337, https://domain.com:443, sub.domain.com/index

The domain localhost can be used if the browser considers the context is safe (especially the IP address corresponds to a local address)

How to determine the Relying Party ID?

The Relying Party ID should be determined depending on the common URLs for your web application.

If you have a web application that can be reached at (for mobiles) and or (for other devices), your Relying Party ID should be my-app.com.

If the domain is shared between sub-projects, the rp ID should be limited to that sub-projects.

For example, a web site is located at https://(www.)site1.host.com and another at https://(www.)site2.host.com, then the Relying Party IDs should be site1.host.com and site2.host.com respectively. If you set host.com, there is a risk that users from site1.host.com can log in at site2.host.com.

Relying Party Icon

Your application may also have a logo. You can indicate this logo as third argument. Please note that for safety reason this icon is a priori authenticated URL i.e. an image that uses the data scheme.

The Webauthn specification does not set any limit for the length of the third argument.

The icon may be ignored by browsers, especially if its length is greater than 128 bytes.

Credential Source Repository

Authenticator details and how to manage them

After the registration of an authenticator, you will get a Public Key Credential Source object. It contains all the credential data needed to perform user authentication and much more.

Each Credential Source is managed using the Public Key Credential Source Repository.

The library does not provide any concrete implementation. It is up to you to create it depending on your application constraints. This only constraint is that your repository class must implement the interface Webauthn\PublicKeyCredentialSourceRepository.

The PublicKeyCredentialSourceRepository interface requires the following methods to be implemented:

User Entity

It's all about users

User Entity

A User Entity object represents a user in the Webauthn context. It has the following constraints:

The user ID must be unique and must be a string,

Pure PHP

Register Authenticators

During this step, your application will send a challenge to the device. The device will resolve this challenge by adding information and digitally signing the data.

The application will check the response from the device and get its credential ID. This ID will be used for further authentication requests.

Creation Request

To associate a device to a user, you need to instantiate a Webauthn\PublicKeyCredentialCreationOptions object.

It will need:

The Relying Party
The User data
A challenge (random binary string)

Optionally, you can customize the following parameters:

A timeout
A list of public key credential to exclude from the registration process
The Authenticator Selection Criteria

Let’s see an example of the PublicKeyCredentialCreationOptions object. The following example is a possible Public Key Creation page for a dummy user "@cypher-Angel-3000".

The options object can be converted into JSON and sent to the authenticator .

It is important to store the user entity and the options object (e.g. in the session) for the next step. The data will be needed to check the response from the device.

You can change the default values for each and all options

Creation Response

What you receive must be a JSON object that looks like as follow:

There are two steps to perform with this object:

Load the data
Verify it with the creation options set above

Data Loading

Now that all components are set, we can load the data we receive using the Public Key Credential Loader service (variable $publicKeyCredential).

If no exception is thrown, you can go to the next step: the verification.

Response Verification

Now we have a fully loaded Public Key Credential object, but we need now to make sure that:

The authenticator response is of type AuthenticatorAttestationResponse
This response is valid.

The first step is easy to perform:

The second step is the verification against

The Public Key Creation Options we created earlier,
The HTTP request

The Authenticator Attestation Response Validator service (variable $authenticatorAttestationResponseValidator) will check everything for you: challenge, origin, attestation statement and much more.

The library needs PSR-7 requests. In the example below, we use nyholm/psr7-server to get that request.

If no exception is thrown, the response is valid. You can store the Public Key Credential Source ($publicKeyCredentialSource) and associate it to the user entity.

The way you store and associate these objects to the user is out of scope of this library. However, please note that these objects implement \JsonSerializable and have a static method createFromArray(array $data). This will allow you to serialize the objects into JSON and easily go back to an object.

Advanced Behaviours

Debugging

If you have troubles during the development of your application or if you want to keep track of every critical/error messages in production, you can use a .

The following classes provide a setLogger function to pass your PSR-3 logger instance.

Webauthn\AttestationStatement\AttestationObjectLoader

User Verification

You can indicate the user verification requirements during the ceremonies by setting the value in your options.

Authenticator registration

Authenticator Selection Criteria

By default, any type of authenticator can be used by your users and interact with you application. In certain circumstances, you may need to select specific authenticators e.g. when user verification is required.

The Webauthn API and this library allow you to define a set of options to disallow the registration of authenticators that do not fulfill with the conditions.

The class Webauthn\AuthenticatorSelectionCriteria is designed for this purpose. It is used when generating the Webauthn\PublicKeyCredentialCreationOptions object.

Available Criteria

Authenticator Attachment Modality

You can indicate if the authenticator must be attached to the client (platform authenticator i.e. it is usually not removable from the client device) or must be detached (roaming authenticator).

Possible values are:

AuthenticatorSelectionCriteria::AUTHENTICATOR_ATTACHMENT_NO_PREFERENCE: there is no requirement (default value),
AuthenticatorSelectionCriteria::AUTHENTICATOR_ATTACHMENT_PLATFORM: the authenticator must be attached,

A primary use case for platform authenticators is to register a particular client device as a "trusted device" for future authentication. This gives the user the convenience benefit of not needing a roaming authenticator, e.g., the user will not have to dig around in their pocket for their key fob or phone.

Resident Key

With this criterion, a Public Key Credential Source will be stored in the authenticator, client or client device. Such storage requires an authenticator capable to store such a resident credential.

A resident key shall be created you want to .

User Verification

Example

With this example, with require the user verification (PIN, fingerprint...), a resident key and an authenticator embedded onto a device. This is typacally what you will require for Windows Hello or Face ID authentication.

Attestation and Metadata Statement

Disclaimer: you should not ask for the Attestation Statement unless you are working on an application that requires a high level of trust (e.g. Banking/Financial Company, Government Agency...).

Receiving Attestation Statement

Attestation Metadata Repository

First of all, you must prepare an Attestation Metadata Repository. This service will manage all Metadata Statements depending on their sources (local storage or distant service).

Your Metadata Statement Repository must implement the interface Webauthn\MetadataService\MetadataStatementRepository that has two methods:

findOneByAAGUID(string $aaguid): this method retrieves the MetadataStatement object with AAGUID. It shall return null in case of the absence of the MDS.

The library does not provide any Metadata Statement Repository. It is up to you to select the MDS suitable for your application and store them in your database.

There are few steps to acheive. First, you have to add support classes for all attestation statement types into your Attestation Metatdata Manager.

The Android SafetyNet Attestation Statement is a JWT that can be verified by the library, but can also be checked online by hitting the Google API. This method drastically increase the security for the attestation type but requires a and .

Next, you must inject the Metadata Statement Repository to your Attestation Object Loader.

Credential Creation Options

By default, no Attestation Statement is asked to the Authenticators (type = none). To change this behavior, you just have to set the corresponding parameter in the Webauthn\PublicKeyCredentialCreationOptions object.

There are 3 conveyance modes available using PHP constants provided by the class Webauthn\PublicKeyCredentialCreationOptions:

ATTESTATION_CONVEYANCE_PREFERENCE_NONE: the Relying Party is not interested in authenticator attestation (default)
ATTESTATION_CONVEYANCE_PREFERENCE_INDIRECT: the Relying Party prefers an attestation conveyance yielding verifiable attestation statements, but allows the client to decide how to obtain such attestation statements.

The Hard Way

Authentication without username

With Webauthn, it is possible to authenticate a user without username. This behavior implies several constraints:

During the registration of the authenticator, a ,
The user verification is required,

Extensions

The following example is totally fictive. We will add an extension input loc=true to the request option object.

Extension Output Checker

An Extension Output Checker will check the extension output.

It must implement the interface Webauthn\AuthenticationExtensions\ExtensionOutputChecker

Authenticator Counter

The authenticators may have an internal counter. This feature is very helpful to detect cloned devices.

The default behaviour is to reject the assertions. This behaviour might cause some troubles as it could reject the real device whilst the fake one can continue to be used.

It is therefore required to go deeper in the protection of your application by logging the error and locking the associated account.

To do so , you have to create a custom Counter Checker and inject it to your Authenticator Assertion Response Validator. The checker must implement the interface Webauthn\Counter\CounterChecker.

Dealing with “localhost”

Secured Context

If your are working on a development environment, https may not be available but the context could be considered as secured. You can bypass the scheme verification by passing the list of rpIds you consider secured.

Symfony Bundle

Credential Source Repository

Where the public keys and details are stored

The Credential Source can be stored the way you want. As the Webauthn\PublicKeyCredentialSource class can be converted into JSON, it could be stored in a filesystem.

In general, Symfony applications use Doctrine. That is why the bundle provides a way to use Doctrine as storage system.

The Doctrine Entity

Hereafter an example of an entity.

This is the most simple example. Feel free to add custom fields that fits on your needs e.g. created_at or is_revoked.

Do not forget to update your database schema!

The Repository

To ease the integration into your application, the bundle provides a concrete class that you can extend.

In this following example, we extend that class and add a method to get all credentials for a specific user handle. Feel free to add your own methods.

We must override the method saveCredentialSource because we may receive Webauthn\PublicKeyCredentialSource objects instead of App\Entity\PublicKeyCredentialSource.

This repository should be declared as a Symfony service.

With Symfony autowiring and autoconfiguration, this is usually done automatically

User Entity Repository

User Entity

Your application certainly has a user repository. Good news: there is no need to modify it!

The User Entity Repository can be completely decoupled from the user entity used by your application.

This repository should be declared as a Symfony service and shall implement Webauthn\Bundle\Repository\PublicKeyCredentialUserEntityRepository

Advanced Behaviors

Register Additional Authenticators

In some circumstances, you may need to register a new authenticator for a user e.g. when adding a new authenticator or when an administrator acts as another user to replace a lost device.

It is possible to perform this ceremony programmatically.

You can attach several authenticators to a user account. It is recommended in case of lost devices or if the user gets access on your application using multiple platforms (smartphone, laptop…).

With a Symfony application, the fastest way for a user to register additional authenticators is to use the “controller” feature.

Debugging

If you have troubles during the development of your application or if you want to keep track of every critical/error messages in production, you can use a .

User Verification

The easiest way to manage the user verification requirements in your Symfony application is by using the creation and request profiles.

config/packages/webauthn.yaml

webauthn:
    …
    creation_profiles:
        default:
            rp:
                name: 'My Application'
                id: 'example.com'
            authenticator_selection_criteria:
                user_verification: !php/const Webauthn\AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_PREFERRED
    request_profiles:
        default:
            rp_id: 'example.com'
            user_verification: !php/const Webauthn\AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_PREFERRED

Attestation and Metadata Statement

Disclaimer: you should not ask for the Attestation Statement unless you are working on an application that requires a high level of trust (e.g. Banking/Financial Company, Government Agency...).

With Symfony, you must enable this feature to enable all the metadata types.

You can set the Google API key for the Android SafetyNet Attestation Statement support with the following configuration:

If you have some troubles when validating Android SafetyNet Attestation Statement, this may be caused by the leeway of the server clocks or the age of the statement. You can modify the default values as follows:

Authenticator Selection Criteria

The Webauthn API and this library allow you to define a set of options to disallow the registration of authenticators that do not fulfill with the conditions.

The class Webauthn\AuthenticatorSelectionCriteria is designed for this purpose. It is used when generating the Webauthn\PublicKeyCredentialCreationOptions object.

Authentication without username

With Webauthn, it is possible to authenticate a user without username. This behavior implies several constraints:

During the registration of the authenticator, a ,
The user verification is required,

Extensions

Extension Output Checker

An Extension Output Checker will check the extension output.

It must implement the interface Webauthn\AuthenticationExtensions\ExtensionOutputChecker and throw an exception of type Webauthn\AuthenticationExtension\ExtensionOutputError in case of error.

Devices may ignore the extension inputs. The extension outputs are therefore not guaranteed.

In the previous example, we asked for the location of the device and we expect to receive geolocation data in the extension output.

The Symfony Way

The easiest way to manage that is by using the creation and request profiles.

Token Binding

To change the token binding behaviour, you can change the dedicated parameter in the bundle configuration.

Authenticator Counter

The authenticators may have an internal counter. This feature is very helpful to detect cloned devices.

The default behaviour is to reject the assertions. This might cause some troubles as it could reject the real device whilst the fake one can continue to be used. You may also want to log the error, warn administrators or lock the associated user account.

To do so , you have to create a custom Counter Checker and inject it to your Authenticator Assertion Response Validator. The checker must implement the interface Webauthn\Counter\CounterChecker.

config/packages/webauthn.yaml

webauthn:
    counter_checker: App\Service\CustomCounterChecker

The following example is fictive and show how to lock a user, log the error and throw an exception.

<?php

declare(strict_types=1);

namespace Acme\Service;

use Assert\Assertion;
use Psr\Log\LoggerInterface;
use Psr\Log\NullLogger;
use Throwable;
use Webauthn\PublicKeyCredentialSource;

final class CustomCounterChecker implements CounterChecker
{
    public function __construct(private UserRepository $userRepository)
    {
    }

    public function check(PublicKeyCredentialSource $publicKeyCredentialSource, int $currentCounter): void
    {
        if ($currentCounter > $publicKeyCredentialSource->getCounter()) {
            return;
        }
        
        $userId = $publicKeyCredentialSource->getUserHandle();
        $user = $this->userRepository->lockUserWithId($userId);
        $this->logger->error('The counter is invalid', [
            'current' => $currentCounter,
            'new' => $publicKeyCredentialSource->getCounter(),
        ]);
        throw new CustomSecurityException('Invalid counter. User is now locked.');
    }
}

Dealing with “localhost”

Secured Context

Please be careful using this feature. It should NOT be used in production.

Migration

From v3.x to v4.0

Step-by-step guide for migrating from v3.x to v4.0

This project follows the Semantic Versioning principles and, contrary to upgrade a minor version (where the middle number changes) where no difficulty should be encountered, upgrade a major version (where the first number changes) is subject to significant modifications.

Update the libraries

First of all, you have to make sure you are using the last v3.x release (v3.3.4 at the time of writing).

In addition, you have to make sure you are using PHP 8.1+.

Symfony Flex

If you use the Symfony bundle and Symfony Flex, please note that Flex Recipes are now provided through a dedicated server.

It is highly recommended to declare this server within your application composer.json file.

You can adapt this command line depending on the other Flex servers you are using.

Spot deprecations

Next, you have to verify you don’t use any deprecated class, interface, method or property. If you have PHPUnit tests, .

The class Webauthn\Server is removed and there is no replacement.
The Metadata Statement embraces the version 3 of the specification. There is no migration tool to convert the MDS from v2 to v3. We suggest to refer to from Yuriy Ackermann, a Fido Alliance staff member who regulary write articles on Webauthn.

Dependency Changes:

Added:
- symfony/http-client ^6.0
- symfony/uid ^6.0

Update your Configuration Files

As the bundle sensio/framework-extra-bundle is not required anymore, the associated configuration may become useless if you do not use this bundle in your project.

The most notable changes are related to the Metadata Statement section

Upgrade the libraries

It is now time to upgrade the libraries. In your composer.json, change all web-auth/* dependencies from v3.x to v4.0. When done, execute composer update.

This may also update other dependencies. You can list upgradable libraries by calling composer outdated. Please make sure these libraries do not impact your upgrade.

All Modifications In A Row

If you want to see all modifications at once, please .

v4.0

The project

Introduction

hashtagClass, Constant and Property Names

hashtagSupported features

hashtagCompatible Authenticators

hashtagSupport

hashtagContributing

Web Browser Support

Installation

hashtagFramework and Dependency Sizes

Contributing

Webauthn In A Nutshell

Authenticators

hashtagRoaming Authenticators

Ceremonies

Metadata Statement

hashtagAttestation Statement

hashtagMetadata Statement

User Verification

Extensions

Token Binding

Prerequisites

The Relying Party

hashtagRelying Party ID

hashtagHow to determine the Relying Party ID?

hashtagRelying Party Icon

Credential Source Repository

User Entity

hashtagUser Entity

Pure PHP

Register Authenticators

hashtagCreation Request

hashtagCreation Response

hashtagData Loading

hashtagResponse Verification

Advanced Behaviours

Debugging

User Verification

hashtagAuthenticator registration

hashtag

Authenticator Selection Criteria

hashtagAvailable Criteria

hashtagAuthenticator Attachment Modality

hashtagResident Key

hashtagUser Verification

hashtagExample

Attestation and Metadata Statement

hashtagReceiving Attestation Statement

hashtagAttestation Metadata Repository

hashtagCredential Creation Options

hashtagThe Hard Way

Authentication without username

Extensions

hashtagExtension Output Checker

Authenticator Counter

Dealing with “localhost”

hashtagSecured Context

Symfony Bundle

Credential Source Repository

hashtagThe Doctrine Entity

hashtagThe Repository

User Entity Repository

hashtagUser Entity

Advanced Behaviors

Register Additional Authenticators

Debugging

User Verification

Attestation and Metadata Statement

Authenticator Selection Criteria

Authentication without username

Extensions

hashtagExtension Output Checker

hashtagThe Symfony Way

Token Binding

Authenticator Counter

Dealing with “localhost”

hashtagSecured Context

Migration

From v3.x to v4.0

Class, Constant and Property Names

Supported features

Compatible Authenticators

Support

Contributing

Framework and Dependency Sizes

Roaming Authenticators

Attestation Statement

Metadata Statement

Relying Party ID

How to determine the Relying Party ID?

Relying Party Icon

User Entity

Creation Request

Creation Response

Data Loading

Response Verification

Authenticator registration

Available Criteria

Authenticator Attachment Modality

Resident Key

User Verification

Example

Receiving Attestation Statement

Attestation Metadata Repository

Credential Creation Options

The Hard Way

Extension Output Checker

Secured Context

The Doctrine Entity

The Repository

User Entity

Extension Output Checker

The Symfony Way

Secured Context

Update the libraries

Symfony Flex

Spot deprecations

Dependency Changes:

Update your Configuration Files

Upgrade the libraries

All Modifications In A Row

Class, Constant and Property Names

Supported features

Compatible Authenticators

Support

Contributing

Framework and Dependency Sizes

Attestation Statement

Metadata Statement

Extension Output Checker

Roaming Authenticators

Run test suite

Platform Authenticators

Available Criteria

Authenticator Attachment Modality

Resident Key

User Verification

Example

Secured Context

Secured Context

Authenticator registration

Credential Creation Options

The Symfony Way

Authenticator Attachment Modality

Resident Key

Extension Output Checker

The Symfony Way

User Entity