Webauthn Framework
v4.7
Pure PHP

Webauthn Server


Last updated 1 year ago


To launch a Webauthn server, you will need the following components:

  • An Attestation Statement Support Manager
  • At least one Attestation Statement Support object
  • An Attestation Object Loader
  • A Public Key Credential Loader
  • An Extension Output Checker Handler
  • An Algorithm Manager
  • An Authenticator Attestation Response Validator
  • An Authenticator Assertion Response Validator

That’s a lot of services! But don’t worry: their configuration is the same for your whole application, so you only have to set them up once. Let’s go through each of them in the next sections.

Attestation Statement Support Manager

Every Creation Response contains an Attestation Statement. This attestation contains data regarding the authenticator, depending on several factors such as its manufacturer and model, what you asked for in the options, the capabilities of the browser, and what the user allowed.

The user may refuse to send information about the security token for privacy reasons. Hereafter are the types of attestation you may receive:

Supported Attestation Statement Types

The following attestation types are supported. Note that you should only use the none one unless you have specific needs described in the dedicated page.

  • none: no attestation is provided.

  • fido-u2f: for non-FIDO2 compatible devices (old FIDO / U2F security tokens).

  • packed: generally used by authenticators with limited resources (e.g. secure elements). It uses a very compact but still extensible encoding method.

  • android key: commonly used by old or disconnected Android devices.

  • android safety net: for new Android devices like smartphones.

  • trusted platform module: for devices with built-in security chips.

  • apple: for Apple devices.

<?php

declare(strict_types=1);

use Webauthn\AttestationStatement\AttestationStatementSupportManager;
use Webauthn\AttestationStatement\NoneAttestationStatementSupport;

// The manager receives the attestation data and selects the appropriate support object for its format
$attestationStatementSupportManager = AttestationStatementSupportManager::create();
$attestationStatementSupportManager->add(NoneAttestationStatementSupport::create());

Attestation Object Loader

This object will load the Attestation statements received from the devices. It will need the Attestation Statement Support Manager created above.

<?php

declare(strict_types=1);

use Webauthn\AttestationStatement\AttestationObjectLoader;

$attestationObjectLoader = AttestationObjectLoader::create(
    $attestationStatementSupportManager
);

Public Key Credential Loader

This object will load the Public Key Credential sent by the browser. It uses the Attestation Object Loader created above.

<?php

declare(strict_types=1);

use Webauthn\PublicKeyCredentialLoader;

$publicKeyCredentialLoader = PublicKeyCredentialLoader::create(
    $attestationObjectLoader
);

Extension Output Checker Handler

If you use extensions, you may need to check the values returned by the security devices. This behaviour is handled by an Extension Output Checker Handler.

<?php

declare(strict_types=1);

use Webauthn\AuthenticationExtensions\ExtensionOutputCheckerHandler;

$extensionOutputCheckerHandler = ExtensionOutputCheckerHandler::create();

You can add as many extension checkers as you want. Each extension checker must implement Webauthn\AuthenticationExtensions\ExtensionOutputChecker and throw a Webauthn\AuthenticationExtensions\ExtensionOutputError in case of an error.

Algorithm Manager

The Webauthn data verification is based on cryptographic signatures and thus you need to provide cryptographic algorithms to perform those checks.

There is no mandatory algorithm list; however, we recommend the following as a minimum list:

<?php

declare(strict_types=1);

use Cose\Algorithm\Manager;
use Cose\Algorithm\Signature\ECDSA\ES256;
use Cose\Algorithm\Signature\RSA\RS256;

$algorithmManager = Manager::create()
    ->add(
        ES256::create(),
        RS256::create()
    )
;

The order is important. By adding ES256 first, the relying party states that it prefers an ES256 credential. Browsers are eager to satisfy such preferences.

The complete list of supported algorithms:

<?php

declare(strict_types=1);

use Cose\Algorithm\Manager;
use Cose\Algorithm\Signature\ECDSA\ES256;
use Cose\Algorithm\Signature\ECDSA\ES256K;
use Cose\Algorithm\Signature\ECDSA\ES384;
use Cose\Algorithm\Signature\ECDSA\ES512;
use Cose\Algorithm\Signature\EdDSA\Ed256;
use Cose\Algorithm\Signature\EdDSA\Ed512;
use Cose\Algorithm\Signature\RSA\PS256;
use Cose\Algorithm\Signature\RSA\PS384;
use Cose\Algorithm\Signature\RSA\PS512;
use Cose\Algorithm\Signature\RSA\RS256;
use Cose\Algorithm\Signature\RSA\RS384;
use Cose\Algorithm\Signature\RSA\RS512;

$algorithmManager = Manager::create()
    ->add(
        ES256::create(),
        ES256K::create(),
        ES384::create(),
        ES512::create(),

        RS256::create(),
        RS384::create(),
        RS512::create(),

        PS256::create(),
        PS384::create(),
        PS512::create(),

        Ed256::create(),
        Ed512::create(),
    )
;

Authenticator Attestation Response Validator

This object is what you will directly use when receiving Attestation Responses (authenticator registration).

<?php

declare(strict_types=1);

use Webauthn\AuthenticatorAttestationResponseValidator;

$authenticatorAttestationResponseValidator = AuthenticatorAttestationResponseValidator::create(
    $attestationStatementSupportManager,
    null, //Deprecated Public Key Credential Source Repository. Please set null.
    null, //Deprecated Token Binding Handler. Please set null.
    $extensionOutputCheckerHandler
);

Authenticator Assertion Response Validator

This object is what you will directly use when receiving Assertion Responses (user authentication).

<?php

declare(strict_types=1);

use Webauthn\AuthenticatorAssertionResponseValidator;

$authenticatorAssertionResponseValidator = AuthenticatorAssertionResponseValidator::create(
    null,                           //Deprecated Public Key Credential Source Repository. Please set null.
    null,                           //Deprecated Token Binding Handler. Please set null.
    $extensionOutputCheckerHandler, // The extension output checker handler
    $algorithmManager               // The COSE Algorithm Manager  
);
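The sections above are the steps of one setup procedure, and the Extension Output Checker Handler section describes, without showing one, what a custom checker has to implement. As an added example that is not code from the webauthn-framework documentation or project, the following wires all the components of this page into one hypothetical WebauthnServices class and adds a custom checker for the credProps extension (whose output, per the WebAuthn specification, is a dictionary with a boolean "rk" member). The class names CredPropsOutputChecker and WebauthnServices are invented for this example, and the accessor names has(), get() and value() on the extension input/output objects as well as the ExtensionOutputError constructor arguments are assumptions about the v4 API: check them against the installed version.

```php
<?php

declare(strict_types=1);

// Added example, not part of the webauthn-framework documentation.
// Assumes the v4 interface shapes named in the comments; class names are hypothetical.

use Cose\Algorithm\Manager;
use Cose\Algorithm\Signature\ECDSA\ES256;
use Cose\Algorithm\Signature\RSA\RS256;
use Webauthn\AttestationStatement\AttestationObjectLoader;
use Webauthn\AttestationStatement\AttestationStatementSupportManager;
use Webauthn\AttestationStatement\NoneAttestationStatementSupport;
use Webauthn\AuthenticationExtensions\AuthenticationExtensionsClientInputs;
use Webauthn\AuthenticationExtensions\AuthenticationExtensionsClientOutputs;
use Webauthn\AuthenticationExtensions\ExtensionOutputChecker;
use Webauthn\AuthenticationExtensions\ExtensionOutputCheckerHandler;
use Webauthn\AuthenticationExtensions\ExtensionOutputError;
use Webauthn\AuthenticatorAssertionResponseValidator;
use Webauthn\AuthenticatorAttestationResponseValidator;
use Webauthn\PublicKeyCredentialLoader;

/**
 * Hypothetical checker: when the relying party requested the "credProps"
 * extension and the client answered it, the answer must be a dictionary
 * carrying a boolean "rk" (resident key) flag. Anything else is rejected by
 * throwing ExtensionOutputError, which is what the handler expects.
 * Assumed v4 signature: check(ClientInputs, ClientOutputs): void.
 */
final class CredPropsOutputChecker implements ExtensionOutputChecker
{
    public function check(
        AuthenticationExtensionsClientInputs $inputs,
        AuthenticationExtensionsClientOutputs $outputs
    ): void {
        if (!$inputs->has('credProps') || !$outputs->has('credProps')) {
            return; // not requested, or the client did not answer: nothing to verify
        }

        $extension = $outputs->get('credProps');
        $value = $extension->value(); // value() accessor assumed

        if (!is_array($value) || !array_key_exists('rk', $value) || !is_bool($value['rk'])) {
            throw new ExtensionOutputError($extension, 'Malformed "credProps" extension output');
        }
    }
}

/**
 * Hypothetical factory that builds every service of this page once, in the
 * order the page lists them, so the rest of the application only injects it.
 */
final class WebauthnServices
{
    public readonly PublicKeyCredentialLoader $credentialLoader;
    public readonly AuthenticatorAttestationResponseValidator $attestationValidator;
    public readonly AuthenticatorAssertionResponseValidator $assertionValidator;

    public function __construct()
    {
        // 1. Attestation statement formats: only "none", as recommended above
        $supports = AttestationStatementSupportManager::create();
        $supports->add(NoneAttestationStatementSupport::create());

        // 2. and 3. Loaders, chained on the support manager
        $attestationObjectLoader = AttestationObjectLoader::create($supports);
        $this->credentialLoader = PublicKeyCredentialLoader::create($attestationObjectLoader);

        // 4. Extension checkers: the handler runs every registered checker
        $extensionChecker = ExtensionOutputCheckerHandler::create();
        $extensionChecker->add(new CredPropsOutputChecker());

        // 5. Algorithms: ES256 first so the relying party prefers it over RS256
        $algorithms = Manager::create()->add(ES256::create(), RS256::create());

        // 6. Registration (attestation) validator; deprecated arguments set to null
        $this->attestationValidator = AuthenticatorAttestationResponseValidator::create(
            $supports,
            null,
            null,
            $extensionChecker
        );

        // 7. Authentication (assertion) validator; deprecated arguments set to null
        $this->assertionValidator = AuthenticatorAssertionResponseValidator::create(
            null,
            null,
            $extensionChecker,
            $algorithms
        );
    }
}
```

Both validators share the same extension checker handler and the same "none"-only support manager, so a registration that carries a malformed credProps answer is refused at attestation time, and an authenticator that later returns one is refused at assertion time, without any further code in the controllers.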

The Android SafetyNet Attestation API is deprecated. Full turndown is planned in June 2024. More information at https://developer.android.com/training/safetynet/deprecation-timeline

More about that in this page.