WebAuthn Authentication | Request

When a user attempts to log in, the browser sends a request to the server asking for the authentication options (also called "assertion options").

 

{
  "username": "alice@example.com"
}

 

This request allows the server to:

 

• Generate a challenge (a secure, random value).
• Look up which credentials (public key IDs) are valid for this user.
• Respond with cryptographic parameters that the browser will use in navigator.credentials.get().

 

When the WebAuthn Server Component receives this request, this is typically done via an HTTPS POST request from the browser to a server endpoint (e.g., /sgcWebAuthn/Authentication/Options), the event OnWebAuthnAuthenticationOptionsRequest is called, so you can add here the Credentials associated to the username (if any).

 

procedure OnWebAuthnAuthenticationOptionsRequest(
    Sender: TObject; const aRequest:
    TsgcWebAuthn_AuthenticationOptions_Request; var CredentialRecords:
    TsgcWebAuthn_CredentialRecords; var Accept: Boolean);
begin
  if UserExistsInDB(aRequest.Username) then
  begin
    While not EOF do
    begin
      CredentialRecords.AddCredentialRecordFromJSON(RecordFromDB);
      Next;
    end;
  end;
end;