WebAuthn | Authentication

WebAuthn Authentication allows users to log in using previously registered public-key credentials. It involves validating a signed challenge using the user’s stored public key from registration.

Authentication Options

The client starts the authentication flow by sending a new HTTP request to the Authentication Options endpoint configured in the TsgcWSAPIServer_WebAuthn server. By default, the endpoint is /sgcWebAuthn/Authentication/Options, so if your server is listening on the domain https://www.test.com, the client should send the request to the URL https://www.test.com/sgcWebAuthn/Authentication/Options.

The client sends the username and its user-verification preference to the server via POST:

{"username":"test","user_verification":"preferred"}

The server generates the PublicKeyCredentialRequestOptions and returns them to the client. The challenge is a fresh random value that the server must keep until the Verify step, and allowCredentials lists the credential ids registered for that user:

{
    "challenge": "9d0d61edf30b45f8b88aef7087f9117716e2b7d8b0ee4460b06142f39dd0ec9f",
    "timeout": 60000,
    "rpId": "localhost",
    "allowCredentials": [
        {
            "id": "yeA4BVRlrAfLG-KzqsL_rlI4ffhuKHK8uoEkVoab065UkS82Zqlh9VFQHIYwOuOo",
            "type": "public-key",
            "transports": [
                "nfc",
                "usb"
            ]
        }
    ],
    "userVerification": "preferred",
    "hints": [],
    "attestation": "none",
    "attestationFormats": [],
    "extensions": {}
}

Authentication Verify

The second step of the authentication flow is a new HTTP request from the client to the Authentication Verify endpoint configured in the TsgcWSAPIServer_WebAuthn server. By default, the endpoint is /sgcWebAuthn/Authentication/Verify, so if your server is listening on the domain https://www.test.com, the client should send the request to the URL https://www.test.com/sgcWebAuthn/Authentication/Verify.

The browser prompts the user to use their authenticator (e.g., fingerprint, YubiKey). The authenticator signs the challenge with the private key linked to the credential ID. The returned credential includes the credential id, the authenticatorData, the clientDataJSON, the signature and the userHandle.

Find below a JSON example of the client request:

{
    "id": "yeA4BVRlrAfLG-KzqsL_rlI4ffhuKHK8uoEkVoab065UkS82Zqlh9VFQHIYwOuOo",
    "rawId": "yeA4BVRlrAfLG-KzqsL_rlI4ffhuKHK8uoEkVoab065UkS82Zqlh9VFQHIYwOuOo",
    "response": {
        "authenticatorData": "SZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2MFAAAABw",
        "clientDataJSON": "eyJ0eXBlIjoid2ViYXV0aG4uZ.....",
        "signature": "MEQCIAJRqvvys8....",
        "userHandle": "36b9d6a84204487382fee62e7e67a80d"
    },
    "type": "public-key",
    "clientExtensionResults": {},
    "authenticatorAttachment": "cross-platform"
}

The server reads the request from the client, checks that the credential id is stored for that user and verifies the signature against the stored public key. If the signature is valid, the event OnWebAuthnAuthenticationSuccessful is fired.

Authentication Flow

Get more info about the Authentication Flow process using the following links: