Yubico / python-fido2

Provides library functionality for FIDO 2.0, including communication with a device over USB.
BSD 2-Clause "Simplified" License

Question about server interaction with authenticator #92

Closed FinHorsley closed 4 years ago

FinHorsley commented 4 years ago

Hi 👋

In other examples I have seen previously (without python-fido2), the server returns the view containing the WebAuthn JavaScript that communicates with the authenticator on the device (the server does a redirect to a page that it hosts).

Having had a look through the server example here, am I right in thinking that the CTAP code is run locally (not hosted from the server)? If the CTAP code is hosted locally, how does the server talk to the client to say that the assertions need to take place?

I'm working on a project where I'd like to use FIDO2 to provide usernameless/passwordless auth, but I don't want to use a web browser; all the CTAP code would live locally on the device.

Many thanks

dainnilsson commented 4 years ago

CTAP is the protocol used to communicate between the FIDO/WebAuthn client (typically a browser) and the Authenticator, and this is always executed locally on the end user client. WebAuthn specifies how this is invoked from a JavaScript API, which can be called by a website. How the server transmits the need to perform a WebAuthn operation, or the parameters for such an operation, are not specified by the protocol and can be done in several ways, which is completely up to the RP to decide.

If you're working on a native application, then you implement the FIDO client (which python-fido2 can certainly help you with) rather than the browser. Again, how you communicate with a backend server is up to you.
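The split dainnilsson describes, as an added example that is not part of this issue or of the python-fido2 project's own code: the RP backend mints a challenge and sends it in a message format of its own choosing, the native application replaces the browser by driving a USB authenticator through python-fido2's `Fido2Client`, and the backend then checks the reply before it ever looks at the signature. Everything here is an assumption for illustration: the JSON envelope, the `rpId` `example.com`, the `app://example.com` origin string (a native app has no browser to supply one, so the RP and the app must agree on it), and the python-fido2 calls in `native_client_get_assertion`, which follow the 1.x API (`CtapHidDevice.list_devices`, `Fido2Client(device, origin)`, `get_assertion(...).get_response(0)`) and only run with the library installed and an authenticator plugged in. The server-side functions use the standard library only.

```python
import base64
import hashlib
import json
import os
import time

# Assumption: the RP (this example) defines the message format below. Neither
# WebAuthn nor CTAP says how a server and a native client exchange these.


def b64u(data: bytes) -> str:
    """base64url without padding, the encoding WebAuthn uses for binary JSON fields."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# ---------- RP backend side (stdlib only) ----------

def new_assertion_request(rp_id, credential_ids, ttl=120, now=None):
    """Mint a fresh challenge and the message the native client receives.
    Returns (message_to_client, server_state); the state stays server-side
    (e.g. in the session) and is never accepted back from the client."""
    now = time.time() if now is None else now
    challenge = os.urandom(32)
    message = {
        "op": "get_assertion",
        "publicKey": {
            "rpId": rp_id,
            "challenge": b64u(challenge),
            "allowCredentials": [{"type": "public-key", "id": b64u(c)} for c in credential_ids],
            "userVerification": "preferred",
        },
    }
    state = {"rp_id": rp_id, "challenge": challenge, "expires": now + ttl}
    return message, state


def check_assertion_reply(state, reply, expected_origin, now=None):
    """Structural checks on a reply before signature verification. Raises ValueError
    on any mismatch; returns authenticatorData || SHA-256(clientDataJSON), the bytes the
    authenticator signed, for verification against the credential's stored public key."""
    now = time.time() if now is None else now
    if now > state["expires"]:
        raise ValueError("challenge expired")
    client_data_json = unb64u(reply["clientDataJSON"])
    auth_data = unb64u(reply["authenticatorData"])
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        raise ValueError("wrong clientData type")
    if unb64u(client_data.get("challenge", "")) != state["challenge"]:
        raise ValueError("challenge mismatch")
    if client_data.get("origin") != expected_origin:
        raise ValueError("origin mismatch")
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    # First 32 bytes are SHA-256(rpId); byte 32 holds the flags, bit 0 is user presence.
    if auth_data[:32] != hashlib.sha256(state["rp_id"].encode()).digest():
        raise ValueError("rpIdHash mismatch")
    if not auth_data[32] & 0x01:
        raise ValueError("user presence flag not set")
    return auth_data + hashlib.sha256(client_data_json).digest()


# ---------- native client side (needs python-fido2 1.x and a USB authenticator) ----------

def native_client_get_assertion(message, origin):
    """Hand the RP's request to the first CTAP HID authenticator and package the
    assertion in the RP's reply format. Fido2Client stands in for the browser."""
    from fido2.client import Fido2Client
    from fido2.hid import CtapHidDevice

    devices = list(CtapHidDevice.list_devices())
    if not devices:
        raise RuntimeError("no CTAP HID authenticator connected")
    pk = message["publicKey"]
    options = {  # same content as the wire message, binary fields decoded back to bytes
        "rpId": pk["rpId"],
        "challenge": unb64u(pk["challenge"]),
        "allowCredentials": [{"type": c["type"], "id": unb64u(c["id"])} for c in pk["allowCredentials"]],
        "userVerification": pk["userVerification"],
    }
    response = Fido2Client(devices[0], origin).get_assertion(options).get_response(0)
    return {
        "op": "assertion",
        "credentialId": b64u(response.credential_id),
        "clientDataJSON": b64u(bytes(response.client_data)),
        "authenticatorData": b64u(bytes(response.authenticator_data)),
        "signature": b64u(response.signature),
    }


if __name__ == "__main__":
    # Full round trip with a real key; credential_ids would come from registration.
    msg, state = new_assertion_request("example.com", credential_ids=[])
    reply = native_client_get_assertion(msg, origin="app://example.com")
    print("signed bytes:", len(check_assertion_reply(state, reply, "app://example.com")))
```

`check_assertion_reply` deliberately stops short of the signature: that step needs the public key stored at registration, and in a python-fido2 backend it is what `Fido2Server.authenticate_complete` does for you. The point of the stdlib checks is that they do not change when the transport does; whatever envelope the RP picks, the challenge must be the one the server minted, the origin must be the string the app was built to send, and the `rpIdHash` must match the RP ID the server asked for.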