StartAssertionOptions.restrictCredential

[fcorneli]

RelyingParty.startAssertion constructs a list of allowCredentials based on the credentialRepository, which makes sense. However, it would be handy if you could also restrict the allowed credential via some StartAssertionOptions option. Two use cases I have for this:

• on the user profile page, a user can register new authenticators. Here it would be interesting if a user could selectively test a new (or existing) authenticator after registration.
• when you want to use PRF, you need to perform a selective authenticator authentication after registration to retrieve the PRF salt. Hence the authentication should not be performed by any of the user's authenticators, but specifically by the newly registered one.

[emlun]

Hi! Note that you can do this by modifying the AssertionRequest object before sending it to the client, as long as those changes are preserved when the AssertionRequest is passed into finishAssertion(). Like this:

AssertionRequest request = rp.finishAssertion(...);
request =
  request.toBuilder()
    .publicKeyCredentialRequestOptions(
      request.getPublicKeyCredentialRequestOptions().toBuilder()
        .allowCredentials(
          request
            .getPublicKeyCredentialRequestOptions()
            .getAllowCredentials()
            .map(
              allowCredentials ->
                allowCredentials.stream()
                  .filter(pkcDescriptor -> true)
                  .collect(Collectors.toList())))
        .build())
    .build();

It's a bit verbose, but if it's any consolation it's at least only a single expression. Does that work for you?

[fcorneli]

Will try this out (internal ticket 12668).