WebAuthn | Registration

WebAuthn registration involves three parties: the client (the browser), the authenticator (the security device) and the relying party (RP), here the TsgcWSAPIServer_WebAuthn Delphi/C++Builder server.

Registration Options


To create a new user credential, the client starts the registration flow by sending an HTTP request to the Registration Options endpoint configured in the TsgcWSAPIServer_WebAuthn server. By default the endpoint is /sgcWebAuthn/Registration/Options, so if your server is listening on the domain https://www.test.com, the client should send the request to https://www.test.com/sgcWebAuthn/Registration/Options.

The client sends the request with the following JSON payload (here with test as the username):

{"username":"test","algorithms":[]}

The server reads the JSON request and returns a response containing a new challenge:

{
    "rp": {
        "name": "localhost",
        "id": "localhost"
    },
    "user": {
        "id": "36b9d6a84204487382fee62e7e67a80d",
        "name": "test",
        "displayName": "test"
    },
    "challenge": "6c6c468c99f24bf29a85a15b661f75f385654f97309c46bab2909c926e17ccbe",
    "pubKeyCredParams": [
        {
            "type": "public-key",
            "alg": "-7"
        },
        {
            "type": "public-key",
            "alg": "-257"
        }
    ],
    "timeout": 60000,
    "excludeCredentials": [],
    "authenticatorSelection": {
        "residentKey": "preferred",
        "requireResidentKey": false,
        "userVerification": "preferred"
    },
    "attestation": "direct",
    "hints": [],
    "extensions": {
        "credProps": true
    }
}


The response carries the PublicKeyCredentialCreationOptions that the browser passes to navigator.credentials.create():

rp: name and id of the relying party; the id must match the domain the page is served from.
user: the user handle (id, generated by the server for the new user), the account name and the display name.
challenge: a random value generated by the server for this registration; the client returns it inside clientDataJSON and the server checks it to reject replayed or swapped responses.
pubKeyCredParams: the accepted credential algorithms as COSE identifiers, in order of preference (-7 is ES256, -257 is RS256).
timeout: how long, in milliseconds, the client should wait for the authenticator.
excludeCredentials: credential ids already registered for this user, so the authenticator does not create a duplicate.
authenticatorSelection: residentKey / requireResidentKey state the preference for a discoverable (resident) credential; userVerification states whether the authenticator must verify the user (PIN, biometrics).
attestation: the attestation conveyance preference; direct asks the authenticator for its attestation statement.
hints: optional hints about the kind of authenticator expected (empty here).
extensions: requested client extensions; credProps asks whether the created credential is resident, reported back as rk in clientExtensionResults.
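To show how a browser client consumes these endpoints, here is an added example (not code from the sgcWebSockets documentation or library). It converts the options JSON above into the object navigator.credentials.create() accepts and serialises the resulting credential for the Verify endpoint. Since the page does not state the encoding, it assumes that challenge, user.id and any excludeCredentials ids are hex strings (their length and alphabet suggest this), and it uses the default endpoint paths shown above.

```javascript
// Added example (not part of the sgcWebSockets documentation or library).
// Converts the /sgcWebAuthn/Registration/Options JSON into the
// PublicKeyCredentialCreationOptions navigator.credentials.create() expects and
// encodes the created credential for /sgcWebAuthn/Registration/Verify.
// Assumption (not stated on the page): challenge, user.id and excludeCredentials
// ids are hex strings.

const OPTIONS_PATH = "/sgcWebAuthn/Registration/Options";
const VERIFY_PATH = "/sgcWebAuthn/Registration/Verify";

// Hex string -> Uint8Array. Odd length or non-hex characters are rejected so a
// malformed challenge fails loudly instead of producing a short buffer.
function hexToBytes(hex) {
  if (hex.length % 2 !== 0 || /[^0-9a-fA-F]/.test(hex)) {
    throw new Error("invalid hex string");
  }
  const out = new Uint8Array(hex.length / 2);
  for (let i = 0; i < out.length; i++) {
    out[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
  }
  return out;
}

// Bytes -> base64url without padding, the encoding WebAuthn JSON payloads use
// for binary fields (id, rawId, attestationObject, clientDataJSON).
function bytesToBase64url(bytes) {
  const u8 = bytes instanceof Uint8Array ? bytes : new Uint8Array(bytes);
  let bin = "";
  for (const b of u8) bin += String.fromCharCode(b);
  const b64 = typeof btoa === "function" ? btoa(bin) : Buffer.from(bin, "binary").toString("base64");
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Server JSON -> create() options: binary fields become byte arrays, alg values
// become the numeric COSE identifiers (the sample response quotes them as
// strings), everything else passes through unchanged.
function toCreationOptions(serverJson) {
  return {
    rp: serverJson.rp,
    user: {
      id: hexToBytes(serverJson.user.id),
      name: serverJson.user.name,
      displayName: serverJson.user.displayName,
    },
    challenge: hexToBytes(serverJson.challenge),
    pubKeyCredParams: serverJson.pubKeyCredParams.map((p) => ({
      type: p.type,
      alg: Number(p.alg),
    })),
    timeout: serverJson.timeout,
    excludeCredentials: (serverJson.excludeCredentials || []).map((c) => ({
      type: c.type,
      id: hexToBytes(c.id), // assumption: same hex encoding as the challenge
      transports: c.transports,
    })),
    authenticatorSelection: serverJson.authenticatorSelection,
    attestation: serverJson.attestation,
    extensions: serverJson.extensions,
  };
}

// PublicKeyCredential from the browser -> the JSON shape shown in the
// Registration Verify section.
function credentialToJson(cred) {
  return {
    id: cred.id,
    rawId: bytesToBase64url(cred.rawId),
    type: cred.type,
    response: {
      attestationObject: bytesToBase64url(cred.response.attestationObject),
      clientDataJSON: bytesToBase64url(cred.response.clientDataJSON),
      transports: cred.response.getTransports ? cred.response.getTransports() : [],
    },
    clientExtensionResults: cred.getClientExtensionResults(),
    authenticatorAttachment: cred.authenticatorAttachment,
  };
}

// Whole browser-side flow: options request -> authenticator -> verify request.
// Requires a browser with WebAuthn; it is not callable under Node.
async function registerWithServer(baseUrl, username) {
  const optRes = await fetch(baseUrl + OPTIONS_PATH, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ username, algorithms: [] }),
  });
  const publicKey = toCreationOptions(await optRes.json());
  const cred = await navigator.credentials.create({ publicKey });
  const verRes = await fetch(baseUrl + VERIFY_PATH, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(credentialToJson(cred)),
  });
  return verRes.ok;
}
```

registerWithServer() needs a browser; the conversion helpers run anywhere. The hex check in hexToBytes matters because a truncated or corrupted challenge would otherwise be silently shortened, and the server's challenge comparison would then fail with no indication of why.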

Registration Verify


Once the client has the server's response, it passes the options to the authenticator, which returns the cryptographic data to the browser. The client then sends a new HTTP request carrying that data to the Registration Verify endpoint configured in the TsgcWSAPIServer_WebAuthn server. By default the endpoint is /sgcWebAuthn/Registration/Verify, so if your server is listening on the domain https://www.test.com, the client should send the request to https://www.test.com/sgcWebAuthn/Registration/Verify.

The authenticator responds back to the JavaScript in the browser with a PublicKeyCredential, which the browser code serialises for the server:

id / rawId: the credential identifier assigned by the authenticator, base64url-encoded; the server stores it to locate the credential at authentication time.
response.attestationObject: CBOR-encoded object holding the attestation format (fmt), the attestation statement (attStmt) and the authenticator data (authData), which carries the credential id and the new public key.
response.clientDataJSON: base64url-encoded JSON with the ceremony type (webauthn.create), the challenge and the origin; the server checks all three against what it issued.
response.transports, publicKeyAlgorithm, publicKey, authenticatorData: convenience copies the browser exposes through getTransports(), getPublicKeyAlgorithm(), getPublicKey() and getAuthenticatorData(); the public key is SubjectPublicKeyInfo DER.
type: always public-key.
clientExtensionResults: extension outputs; credProps.rk reports whether the credential is resident (discoverable).
authenticatorAttachment: platform or cross-platform.

Find below an example:

{
    "id": "yeA4BVRlrAfLG-KzqsL_rlI4ffhuKHK8uoEkVoab065UkS82Zqlh9VFQHIYwOuOo",
    "rawId": "yeA4BVRlrAfLG-KzqsL_rlI4ffhuKHK8uoEkVoab065UkS82Zqlh9VFQHIYwOuOo",
    "response": {
        "attestationObject": "o2NmbXRmcGFja2VkZ2F0dFN0....",
        "clientDataJSON": "eyJ0eXBlIjoid2ViYXV0aG4uY3Jl....",
        "transports": [
            "nfc",
            "usb"
        ],
        "publicKeyAlgorithm": -7,
        "publicKey": "MFkwEwYHKoZIzj0CAQYIKoZIzj....",
        "authenticatorData": "SZYN5YgOjGh0NBcPZHZgW4_k...."
    },
    "type": "public-key",
    "clientExtensionResults": {
        "credProps": {
            "rk": true
        }
    },
    "authenticatorAttachment": "cross-platform"
}


The server reads the JSON request from the client, then decodes, verifies and stores the public key and credential id.

Decode attestationObject and clientDataJSON:

clientDataJSON is base64url-decoded and parsed as JSON: its type must be webauthn.create, its challenge must match the one issued in the Registration Options response (compared as bytes, so a response cannot be replayed or swapped between sessions) and its origin must match the origin the server expects. attestationObject is base64url-decoded and CBOR-decoded into fmt, attStmt and authData; authData is parsed into the RP ID hash (which must equal the SHA-256 of rp.id), the flags (user present, user verified, attested credential data present), the signature counter and the attested credential data holding the credential id and the COSE-encoded public key.

Store Credential:

Once the checks pass, the server stores the credential id and the public key associated with the user, so that later authentication requests can look the credential up by id and verify assertions with that key.

Registration Flow

Get more info about the Registration Flow process using the following links: