WebAuthn Authentication | Result

The goal is to validate the signed assertion returned by the browser, which proves that the user holds the private key that was registered for this credential. This is what securely logs the user in. After the user interacts with their authenticator (e.g., fingerprint, security key), the browser sends a POST request back to the server with the authentication result. A JSON example is shown below:

 

{
  "id": "credential-id",
  "rawId": "base64url-encoded-credential-id",
  "type": "public-key",
  "response": {
    "clientDataJSON": "base64url",
    "authenticatorData": "base64url",
    "signature": "base64url",
    "userHandle": "optional"
  }
}

 

When the server receives this request at the configured verification endpoint (e.g., /sgcWebAuthn/Authentication/Verify), it must validate the following:

If all validations pass, the authentication is successful and the event OnWebAuthnAuthenticationSuccessful is fired.

 

If any check fails, the event OnWebAuthnAuthenticationError is fired with the reason for the error.
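The following is an added example of the server-side checks that decide between the success and error events above. It is not code from the page or from the sgcWebSockets library. It assumes an ES256 (ECDSA P-256 / SHA-256) credential with no extension data, a constructed key, challenge and assertion, and a hypothetical credential store keyed by credential id; P-256 is implemented inline only so the example runs without third-party packages, and a real server should use a vetted cryptographic library instead.

```python
"""Server-side verification of a WebAuthn authentication result (ES256 credential).

Added example; not code from the page or from the sgcWebSockets library.
Assumed: ES256 credential, no extensions in authenticatorData, constructed key,
challenge and assertion, inline P-256 (demo only; use a real crypto library)."""
import base64, hashlib, json, struct

# Minimal P-256 arithmetic (demo only: not constant-time, no input validation)
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def _add(p, q):
    if p is None: return q
    if q is None: return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0: return None        # p == -q
    if p == q: lam = (3 * p[0] * p[0] - 3) * pow(2 * p[1], -1, P) % P
    else:      lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)

def _mul(k, pt):
    acc = None
    while k:
        if k & 1: acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def ecdsa_verify(pub, digest, r, s):
    if not (1 <= r < N and 1 <= s < N): return False
    e, w = int.from_bytes(digest, "big"), pow(s, -1, N)
    pt = _add(_mul(e * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def der_to_rs(sig):
    """Decode SEQUENCE{INTEGER r, INTEGER s}: ES256 authenticators emit DER, not raw r||s."""
    if sig[0] != 0x30 or sig[2] != 0x02: raise ValueError("bad DER signature")
    rl = sig[3]; r = int.from_bytes(sig[4:4 + rl], "big")
    if sig[4 + rl] != 0x02: raise ValueError("bad DER signature")
    sl = sig[5 + rl]; s = int.from_bytes(sig[6 + rl:6 + rl + sl], "big")
    return r, s

def b64url_decode(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

FLAG_UP, FLAG_UV = 0x01, 0x04   # authenticatorData flag bits: user present / user verified

def verify_assertion(result, expected_challenge, rp_id, allowed_origins, credentials, require_uv=False):
    """Return (ok, reason, new_sign_count). credentials: id -> {public_key, sign_count, user_handle}.
    On success the caller must persist new_sign_count; on failure `reason` is what an
    error event such as OnWebAuthnAuthenticationError would report."""
    cred = credentials.get(result.get("id"))
    if cred is None or result.get("type") != "public-key": return False, "unknown credential", None
    resp = result["response"]
    cd_bytes = b64url_decode(resp["clientDataJSON"]); cd = json.loads(cd_bytes)
    if cd.get("type") != "webauthn.get": return False, "type is not webauthn.get", None
    if cd.get("challenge") != b64url_encode(expected_challenge): return False, "challenge mismatch", None
    if cd.get("origin") not in allowed_origins: return False, "origin not allowed", None
    ad = b64url_decode(resp["authenticatorData"])
    if len(ad) < 37: return False, "authenticatorData too short", None
    if ad[:32] != hashlib.sha256(rp_id.encode()).digest(): return False, "rpIdHash mismatch", None
    if not ad[32] & FLAG_UP: return False, "user not present", None
    if require_uv and not ad[32] & FLAG_UV: return False, "user not verified", None
    uh = resp.get("userHandle")
    if uh and b64url_decode(uh) != cred["user_handle"]: return False, "userHandle mismatch", None
    digest = hashlib.sha256(ad + hashlib.sha256(cd_bytes).digest()).digest()   # the signed message
    if not ecdsa_verify(cred["public_key"], digest, *der_to_rs(b64url_decode(resp["signature"]))):
        return False, "invalid signature", None
    count = struct.unpack(">I", ad[33:37])[0]
    if (count or cred["sign_count"]) and count <= cred["sign_count"]:
        return False, "signature counter did not increase (possible cloned authenticator)", None
    return True, "ok", count

# ---- Constructed sample data (not captured from a real authenticator) ----
def _der_int(v):
    b = v.to_bytes(32, "big").lstrip(b"\x00") or b"\x00"
    if b[0] & 0x80: b = b"\x00" + b
    return b"\x02" + bytes([len(b)]) + b

def build_sample_result(priv, challenge, rp_id, origin, sign_count, nonce):
    """Build what the browser would POST, signed with the constructed private key."""
    cd = json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                     "origin": origin, "crossOrigin": False}).encode()
    ad = hashlib.sha256(rp_id.encode()).digest() + bytes([FLAG_UP | FLAG_UV]) + struct.pack(">I", sign_count)
    e = int.from_bytes(hashlib.sha256(ad + hashlib.sha256(cd).digest()).digest(), "big")
    r = _mul(nonce, G)[0] % N                 # fixed nonce: demo only, never reuse one in real signing
    s = pow(nonce, -1, N) * (e + r * priv) % N
    body = _der_int(r) + _der_int(s)
    return {"id": "demo-cred", "rawId": b64url_encode(b"demo-cred"), "type": "public-key",
            "response": {"clientDataJSON": b64url_encode(cd), "authenticatorData": b64url_encode(ad),
                         "signature": b64url_encode(b"\x30" + bytes([len(body)]) + body),
                         "userHandle": b64url_encode(b"user-42")}}

PRIV_KEY = 0xc9afa9d845ba75166b5c215767b1d6934e50c3db36e89b127b8a622b120f6721   # constructed
CHALLENGE = hashlib.sha256(b"constructed challenge").digest()   # in practice: 32 random bytes per session
CREDENTIALS = {"demo-cred": {"public_key": _mul(PRIV_KEY, G), "sign_count": 3, "user_handle": b"user-42"}}
SAMPLE_RESULT = build_sample_result(PRIV_KEY, CHALLENGE, "example.com", "https://example.com", 4,
                                    nonce=0xa6e3c57dd01abe90b8c43cc2e6ae8ad7af1d2b2d1ae1cc3f0f0c2ba8a3a8e2a1)
```

Calling `verify_assertion(SAMPLE_RESULT, CHALLENGE, "example.com", {"https://example.com"}, CREDENTIALS)` returns `(True, "ok", 4)`, and the same call with a different challenge, origin, rpId, a stored counter of 4 or a flipped signature byte returns `False` with the matching reason. The challenge must be the one the server issued for this session and consumed on first use, the signature is checked before the counter so that a counter failure is only reported for a genuinely signed assertion, and the stored counter is updated only after every check has passed.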