Once the browser (client) sends a request to the server with the user's username (or a similar identifier), the server replies with the authentication options that the client will use to begin the authentication process via the browser’s navigator.credentials.get() API.
This response provides the parameters and constraints needed by the browser to generate a WebAuthn authentication assertion using the user’s authenticator (e.g., security key, biometric device).
Example JSON Response:
{
  "challenge": "Z3lVbWV5YXBpbmdvZG90IQ",
  "timeout": 60000,
  "rpId": "example.com",
  "allowCredentials": [
    {
      "type": "public-key",
      "id": "dXNlckNyZWRJZA",
      "transports": ["usb", "nfc", "ble"]
    }
  ],
  "userVerification": "preferred"
}
Find below a description of the fields:
Before the response is sent to the client, the OnWebAuthnAuthenticationOptionsResponse event is called, which allows the response to be customized.
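As an added example (not part of the original documentation), the client-side JavaScript below converts the example JSON response into the argument for navigator.credentials.get() and rejects challenges shorter than the 16 bytes the WebAuthn specification recommends. It assumes the "challenge" and "id" fields are unpadded base64url, as the sample values suggest; the names b64urlToBytes, toRequestOptions and PAGE_EXAMPLE are hypothetical.

```javascript
// Added example; b64urlToBytes, toRequestOptions and PAGE_EXAMPLE are hypothetical names.
const ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

// Decode unpadded base64url (assumed encoding of "challenge" and "id") to bytes.
function b64urlToBytes(s) {
  if (typeof s !== "string" || !/^[A-Za-z0-9_-]+$/.test(s) || s.length % 4 === 1) {
    throw new TypeError("value is not unpadded base64url");
  }
  const out = new Uint8Array(Math.floor((s.length * 6) / 8));
  let acc = 0, bits = 0, n = 0;
  for (const ch of s) {
    acc = ((acc << 6) | ALPHABET.indexOf(ch)) & 0xffff; // keep only the low bits
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out[n++] = (acc >> bits) & 0xff;
    }
  }
  return out;
}

// Validate the server's JSON and build the argument for navigator.credentials.get().
function toRequestOptions(json) {
  const challenge = b64urlToBytes(json.challenge);
  // The WebAuthn specification recommends challenges of at least 16 bytes.
  if (challenge.length < 16) throw new RangeError("challenge shorter than 16 bytes");
  const uv = json.userVerification ?? "preferred"; // spec default when omitted
  if (!["required", "preferred", "discouraged"].includes(uv)) throw new TypeError("bad userVerification");
  return {
    publicKey: {
      challenge,
      timeout: json.timeout,
      rpId: json.rpId,
      userVerification: uv,
      allowCredentials: (json.allowCredentials || []).map((c) => ({
        type: c.type,
        id: b64urlToBytes(c.id), // credential IDs must be binary, not strings
        transports: c.transports,
      })),
    },
  };
}

// The example response from this page, used as sample input.
const PAGE_EXAMPLE = {
  challenge: "Z3lVbWV5YXBpbmdvZG90IQ", timeout: 60000, rpId: "example.com", userVerification: "preferred",
  allowCredentials: [{ type: "public-key", id: "dXNlckNyZWRJZA", transports: ["usb", "nfc", "ble"] }],
};
// In a browser: const assertion = await navigator.credentials.get(toRequestOptions(PAGE_EXAMPLE));
```

Because the example response uses "userVerification": "preferred", the authenticator may skip user verification, so a server that relies on it has to check the UV flag in the returned assertion.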