WebAuthn Registration involves the client (browser), the authenticator (security device), and the relying party (RP; TsgcWSAPIServer_WebAuthn delphi/cbuilder server).
Registration Options
Creating a new user credential starts with the client sending an HTTP request to the Registration Options Endpoint configured in the TsgcWSAPIServer_WebAuthn server. By default, the endpoint is /sgcWebAuthn/Registration/Options, so if your server is listening on the domain https://www.test.com, the client should send the request to the URL https://www.test.com/sgcWebAuthn/Registration/Options.
The client sends the request with the following JSON payload (using test as the username):
{"username":"test","algorithms":[]}
The server reads the JSON and returns a response containing a new challenge:
{
  "rp": {
    "name": "localhost",
    "id": "localhost"
  },
  "user": {
    "id": "36b9d6a84204487382fee62e7e67a80d",
    "name": "test",
    "displayName": "test"
  },
  "challenge": "6c6c468c99f24bf29a85a15b661f75f385654f97309c46bab2909c926e17ccbe",
  "pubKeyCredParams": [
    {
      "type": "public-key",
      "alg": "-7"
    },
    {
      "type": "public-key",
      "alg": "-257"
    }
  ],
  "timeout": 60000,
  "excludeCredentials": [],
  "authenticatorSelection": {
    "residentKey": "preferred",
    "requireResidentKey": false,
    "userVerification": "preferred"
  },
  "attestation": "direct",
  "hints": [],
  "extensions": {
    "credProps": true
  }
}
The response returns the following data:
Registration Verify
Now the client has the response from the server; it passes the options to the authenticator, and the authenticator returns the cryptographic data to the client web browser. The client then sends a new HTTP request with that data to the Registration Verify Endpoint configured in the TsgcWSAPIServer_WebAuthn server. By default, the endpoint is /sgcWebAuthn/Registration/Verify, so if your server is listening on the domain https://www.test.com, the client should send the request to the URL https://www.test.com/sgcWebAuthn/Registration/Verify.
The authenticator responds to the JavaScript in the browser with the following data. Find below an example:
{
  "id": "yeA4BVRlrAfLG-KzqsL_rlI4ffhuKHK8uoEkVoab065UkS82Zqlh9VFQHIYwOuOo",
  "rawId": "yeA4BVRlrAfLG-KzqsL_rlI4ffhuKHK8uoEkVoab065UkS82Zqlh9VFQHIYwOuOo",
  "response": {
    "attestationObject": "o2NmbXRmcGFja2VkZ2F0dFN0....",
    "clientDataJSON": "eyJ0eXBlIjoid2ViYXV0aG4uY3Jl....",
    "transports": [
      "nfc",
      "usb"
    ],
    "publicKeyAlgorithm": -7,
    "publicKey": "MFkwEwYHKoZIzj0CAQYIKoZIzj....",
    "authenticatorData": "SZYN5YgOjGh0NBcPZHZgW4_k...."
  },
  "type": "public-key",
  "clientExtensionResults": {
    "credProps": {
      "rk": true
    }
  },
  "authenticatorAttachment": "cross-platform"
}
The server reads the JSON request from the client, then decodes, verifies and stores the public key and credential id.
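As an added illustration (not the TsgcWSAPIServer_WebAuthn code itself), the checks a relying party makes in the Verify step, in Python: decode clientDataJSON and confirm the type, challenge and origin, then parse authenticatorData to confirm the rpIdHash matches rp.id and the UP and AT flags are set, and extract the credential id to store. It assumes the browser decoded the hex challenge from the options into raw bytes; the sample clientDataJSON and authenticatorData are constructed here, not the page's truncated values.

```python
import base64
import hashlib
import json
import struct

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_client_data(client_data_b64: str, challenge_hex: str, origin: str) -> dict:
    cd = json.loads(b64url_decode(client_data_b64))
    if cd.get("type") != "webauthn.create":
        raise ValueError("not a registration ceremony")
    # Assumption: the browser turned the hex challenge into raw bytes before calling
    # navigator.credentials.create, so clientData.challenge is base64url of those bytes.
    if cd.get("challenge") != b64url_encode(bytes.fromhex(challenge_hex)):
        raise ValueError("challenge mismatch (replayed or foreign response)")
    if cd.get("origin") != origin:
        raise ValueError("origin mismatch")
    return cd

def parse_authenticator_data(auth_data_b64: str, rp_id: str) -> dict:
    raw = b64url_decode(auth_data_b64)
    if len(raw) < 55:
        raise ValueError("authenticatorData too short for attested credential data")
    flags, sign_count = raw[32], struct.unpack(">I", raw[33:37])[0]
    if raw[:32] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the RP id we issued")
    if not flags & 0x01:
        raise ValueError("user presence (UP) flag not set")
    if not flags & 0x40:
        raise ValueError("attested credential data (AT) flag not set on a registration")
    cred_len = struct.unpack(">H", raw[53:55])[0]
    if len(raw) < 55 + cred_len:
        raise ValueError("truncated credential id")
    cred_id = raw[55:55 + cred_len]
    # The COSE public key (CBOR) follows the credential id; the server stores it with cred_id.
    return {"userVerified": bool(flags & 0x04), "signCount": sign_count,
            "aaguid": raw[37:53].hex(), "credentialId": b64url_encode(cred_id)}

# Constructed sample: the page's challenge, an origin for rp.id "localhost", and a
# hand-built authenticatorData (UP|UV|AT flags, zero AAGUID, 16-byte credential id).
CHALLENGE_HEX = "6c6c468c99f24bf29a85a15b661f75f385654f97309c46bab2909c926e17ccbe"
SAMPLE_CLIENT_DATA = b64url_encode(json.dumps({"type": "webauthn.create",
    "challenge": b64url_encode(bytes.fromhex(CHALLENGE_HEX)), "origin": "https://localhost"}).encode())
SAMPLE_CRED_ID = bytes(range(16))
SAMPLE_AUTH_DATA = b64url_encode(hashlib.sha256(b"localhost").digest() + bytes([0x45])
    + struct.pack(">I", 0) + bytes(16) + struct.pack(">H", 16) + SAMPLE_CRED_ID)
```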
Decode attestationObject and clientDataJSON:
Store Credential:
Get more info about the Registration Flow process using the following links: