Closed tcompiegne closed 1 year ago
Hi @tcompiegne, the ctsProfileMatch flag is required to be true to be a valid WebAuthn implementation; when that flag is true, then basicIntegrity can only be true too (from the table you shared).
What you're asking is to be able to relax that validation, right?
A configuration option like: safetyNetIntegrityVeridictRelaxed : boolean, where it defaults to false.
And in the code we check:

if (!token.getJsonObject("payload")
    .getBoolean(
        safetyNetIntegrityVeridictRelaxed ? "basicIntegrity" : "ctsProfileMatch", // <-- here it depends on the config
        false)) {
  ...
}
Hey @pmlopes,
Yes, that could be a good option.
Regards
Describe the feature
Currently Vert.x only checks the ctsProfileMatch flag to determine whether the attestation should be valid or not:
According to the Google documentation: https://developer.android.com/training/safetynet/attestation#potential-integrity-verdicts
It might be interesting to look at the basicIntegrity flag as well to make a decision regarding the integrity of the user's device and the context of a specific customer. Would it make sense for Vert.x to add options (WebAuthnOptions maybe?) to be more granular regarding this topic?
Thanks
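The policy sketched in this thread (strict ctsProfileMatch by default, basicIntegrity alone when a relaxed option is set), written out as an added example that is not Vert.x project code. It uses io.vertx.core.json.JsonObject from vertx-core, which the page's own snippet relies on; the class name SafetyNetVerdictPolicy, the parseJws helper and the sample verdict are assumptions made for this example, and the relaxed flag mirrors the option name proposed above. It assumes the JWS signature, certificate chain and nonce have already been verified elsewhere; only the verdict flags are evaluated here. Strict mode additionally rejects a payload that claims ctsProfileMatch without basicIntegrity, since that combination contradicts Google's verdict table and is a sign of a malformed or tampered payload.

```java
import io.vertx.core.json.JsonObject;

import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * Added example (not Vert.x code): evaluating the SafetyNet verdict flags with an
 * optional relaxed mode. Assumes signature, certificate chain and nonce were
 * already verified before this policy check runs.
 */
public class SafetyNetVerdictPolicy {

  /** Hypothetical option mirroring the proposed safetyNetIntegrityVeridictRelaxed. */
  private final boolean relaxed;

  public SafetyNetVerdictPolicy(boolean relaxed) {
    this.relaxed = relaxed;
  }

  /** Assumed helper: split a compact JWS and decode header and payload into a JsonObject. */
  static JsonObject parseJws(String jws) {
    String[] parts = jws.split("\\.");
    if (parts.length != 3) {
      throw new IllegalArgumentException("SafetyNet attestation is not a compact JWS");
    }
    Base64.Decoder b64 = Base64.getUrlDecoder();
    JsonObject header = new JsonObject(new String(b64.decode(parts[0]), StandardCharsets.UTF_8));
    JsonObject payload = new JsonObject(new String(b64.decode(parts[1]), StandardCharsets.UTF_8));
    return new JsonObject().put("header", header).put("payload", payload);
  }

  /**
   * Strict mode: ctsProfileMatch must be true, and basicIntegrity must agree with it.
   * Relaxed mode: basicIntegrity alone is enough, so a device with an unlocked
   * bootloader or an uncertified build that still passes basic integrity is accepted.
   * Missing flags count as false, so an incomplete payload is rejected in both modes.
   */
  public boolean accept(JsonObject token) {
    JsonObject payload = token.getJsonObject("payload");
    if (payload == null) {
      return false;
    }
    boolean basicIntegrity = payload.getBoolean("basicIntegrity", false);
    boolean ctsProfileMatch = payload.getBoolean("ctsProfileMatch", false);
    if (relaxed) {
      return basicIntegrity;
    }
    // ctsProfileMatch without basicIntegrity is impossible per Google's verdict table,
    // so a payload claiming it is treated as untrustworthy rather than accepted.
    return ctsProfileMatch && basicIntegrity;
  }

  public static void main(String[] args) {
    Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
    String header = b64.encodeToString("{\"alg\":\"RS256\"}".getBytes(StandardCharsets.UTF_8));
    // Constructed sample verdict: passes basicIntegrity but fails the CTS profile match.
    JsonObject verdict = new JsonObject()
        .put("nonce", "constructed-nonce")
        .put("timestampMs", 0L)
        .put("ctsProfileMatch", false)
        .put("basicIntegrity", true);
    String payload = b64.encodeToString(verdict.encode().getBytes(StandardCharsets.UTF_8));
    // Placeholder signature segment: not verified in this example (assumed done upstream).
    String jws = header + "." + payload + ".placeholder-signature";

    JsonObject token = parseJws(jws);
    System.out.println("strict  accepts: " + new SafetyNetVerdictPolicy(false).accept(token));
    System.out.println("relaxed accepts: " + new SafetyNetVerdictPolicy(true).accept(token));
  }
}
```

With the constructed verdict above, the default (strict) policy rejects the attestation and the relaxed policy accepts it, which is exactly the behaviour the proposed option would switch between; keeping the default strict means existing deployments see no change unless an operator opts in.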