WebAuthn Registration | Request

This registration options request is essential to bootstrap WebAuthn registration securely. It asks the server to:

 

 

The browser must obtain credential creation options from the server to initiate a secure WebAuthn credential registration. This is typically done via an HTTPS POST request from the browser to a server endpoint (e.g., /sgcWebAuthn/Registration/Options), which prepares parameters like the challenge, RP ID, and user info.

 

The request body contains data that identifies the user and possibly provides configuration preferences. It often looks like this (the // comments are annotations, not part of the JSON that is sent):

 

{
  "username": "alice@example.com",
  "displayName": "Alice Smith",
  "authenticatorSelection": {
    "authenticatorAttachment": "platform",       // optional: platform or cross-platform
    "userVerification": "preferred"              // optional: required | preferred | discouraged
  },
  "attestation": "none",                         // or "direct", "indirect"
  "residentKey": "discouraged"                   // optional
}
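The request described above, built on the browser side, as an added example (not code from this page or from the sgcWebSockets project): it copies only the fields shown in the sample body, rejects values outside the listed options, refuses a non-HTTPS endpoint, and serialises to comment-free JSON. The function names, the displayName fallback, the "none" attestation default and the extra residentKey values ("preferred", "required", taken from the WebAuthn specification) are assumptions.

```javascript
// Allowed values per field; residentKey "preferred"/"required" are assumptions from the WebAuthn spec.
const ALLOWED = {
  authenticatorAttachment: ["platform", "cross-platform"],
  userVerification: ["required", "preferred", "discouraged"],
  attestation: ["none", "direct", "indirect"],
  residentKey: ["discouraged", "preferred", "required"],
};

// Return an optional enum value unchanged, or throw if it is not on the allow-list.
function pick(name, value) {
  if (value === undefined) return undefined;
  if (!ALLOWED[name].includes(value)) throw new RangeError(`${name}: unsupported value ${JSON.stringify(value)}`);
  return value;
}

// Build the body field by field so stray form data is never forwarded to the server.
// Assumptions: displayName falls back to username, attestation defaults to "none".
function buildRegistrationOptionsBody(input) {
  const username = String(input.username ?? "").trim();
  if (username === "") throw new TypeError("username is required");
  const body = { username, displayName: String(input.displayName ?? username).trim() };
  const sel = {
    authenticatorAttachment: pick("authenticatorAttachment", input.authenticatorAttachment),
    userVerification: pick("userVerification", input.userVerification),
  };
  if (sel.authenticatorAttachment || sel.userVerification) body.authenticatorSelection = sel;
  body.attestation = pick("attestation", input.attestation ?? "none");
  const rk = pick("residentKey", input.residentKey);
  if (rk) body.residentKey = rk;
  return body;
}

// Resolve the options endpoint against the site origin and refuse anything that is not HTTPS.
function registrationOptionsUrl(origin, path = "/sgcWebAuthn/Registration/Options") {
  const url = new URL(path, origin);
  if (url.protocol !== "https:") throw new Error("registration options must be requested over HTTPS");
  return url.href;
}

// POST the body; JSON.stringify drops undefined members and emits valid, comment-free JSON.
async function requestRegistrationOptions(origin, input, fetchImpl = fetch) {
  const res = await fetchImpl(registrationOptionsUrl(origin), {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(buildRegistrationOptionsBody(input)),
  });
  if (!res.ok) throw new Error(`options request rejected: HTTP ${res.status}`);
  return res.json();
}
```

These client-side checks only catch mistakes early; the decision to accept or cancel a request is still made on the server, in OnWebAuthnRegistrationOptionsRequest.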

 

The WebAuthn Server Component listens on the endpoint configured in the property EndpointOptions.RegistrationOptions for the initial browser request to obtain a PublicKeyCredentialCreationOptions. When the server receives a new HTTP request, the event OnWebAuthnRegistrationOptionsRequest is fired. In this event you can access the request received by the server and cancel it by setting the parameter Accept to False.

 


procedure OnWebAuthnRegistrationOptionsRequest(Sender: TObject; const aRequest: TsgcWebAuthn_RegistrationOptions_Request; var Accept: Boolean);
begin
  // Setting Accept to False cancels the registration options request for this username
  if aRequest.Username = 'anonymous' then
    Accept := False;
end;