Yubico / python-fido2

Provides library functionality for FIDO 2.0, including communication with a device over USB.
BSD 2-Clause "Simplified" License

How to mimic `navigator.credentials.get` #195

Closed nicklan closed 1 year ago

nicklan commented 1 year ago

I'm not particularly familiar with this domain, so apologies if this should be obvious, but I'm trying to basically mimic the suggested flow from here, where factor._embedded.challenge looks like:

"challenge": {
  "challenge": "BUEaTmK_NhhVYSRqf[snip]",
  "userVerification": "preferred",
  "extensions": {}
}

It's rather unclear to me if I need to call client.get_assertion, or client.make_credential or something else, since there aren't really any docs.

I've been trying to sort of follow the credentials.py example, but without much luck so far.

Any guidance on general flow and/or which example to follow would be much appreciated.

Thanks!

dainnilsson commented 1 year ago

navigator.credentials.get in a browser setting is used to get an assertion from an existing credential. This would correspond to a call to client.get_assertion, which takes a PublicKeyCredentialRequestOptions object. You will need to populate this object with the parameters of the request, either by explicitly specifying them, or by passing values obtained from the server.

These calls are documented in the WebAuthn specification: https://www.w3.org/TR/webauthn-2/, with the more low-level Authenticator commands in the CTAP2 specification: https://fidoalliance.org/specs/fido-v2.1-rd-20210309/fido-client-to-authenticator-protocol-v2.1-rd-20210309.html
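
The mapping described in the answer above, as an added example that is not part of the thread or of python-fido2: it turns a server challenge object of the shape quoted in the question into the WebAuthn PublicKeyCredentialRequestOptions fields (challenge, rpId, allowCredentials, userVerification, extensions) that a get_assertion request is populated with. The function names, the `rp_id` and `credential_ids` parameters and the sample challenge are assumptions constructed for illustration; the JSON in the question carries neither value, so both must come from the relying party.

```python
import base64

# Values the WebAuthn specification allows for userVerification.
UV_VALUES = {"required", "preferred", "discouraged"}
MIN_CHALLENGE_BYTES = 16  # WebAuthn recommends challenges of at least 16 bytes


def b64url_decode(value):
    """Decode base64url text that may arrive without '=' padding."""
    if not isinstance(value, str) or not value:
        raise ValueError("expected a non-empty base64url string")
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, altchars=b"-_", validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("not valid base64url") from exc


def build_request_options(server_challenge, rp_id, credential_ids=()):
    """Map the server's challenge object to WebAuthn request-option fields.

    Assumption: rp_id and credential_ids (base64url strings) are supplied by
    the caller from the relying party's own response.
    """
    challenge = b64url_decode(server_challenge.get("challenge", ""))
    if len(challenge) < MIN_CHALLENGE_BYTES:
        raise ValueError("challenge too short to be a fresh server nonce")
    uv = server_challenge.get("userVerification", "preferred")
    if uv not in UV_VALUES:
        raise ValueError(f"unexpected userVerification value: {uv!r}")
    options = {
        "challenge": challenge,  # raw bytes, not the base64url text
        "rpId": rp_id,
        "userVerification": uv,
        "extensions": server_challenge.get("extensions") or {},
    }
    if credential_ids:
        options["allowCredentials"] = [
            {"type": "public-key", "id": b64url_decode(cid)}
            for cid in credential_ids
        ]
    return options


# Constructed sample in the shape quoted in the question (not real data).
SAMPLE = {
    "challenge": "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8",
    "userVerification": "preferred",
    "extensions": {},
}
```

The challenge is signed over as raw bytes, so passing the base64url text through undecoded yields an assertion the server will reject.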

nicklan commented 1 year ago

Yep, thanks, I finally worked it all out by mostly following the credentials.py doc. Appreciate the answer.