WebAuthn Registration | Response

The server responds to the client’s registration options request (e.g., POST /sgcWebAuthn/Registration/Options) with a JSON payload that looks like the following (after base64url-encoding binary fields):

 

{
  "publicKey": {
    "rp": {
      "name": "esegece software",
      "id": "esegece.com"
    },
    "user": {
      "id": "c3ViamVjdC1pZA",             // base64url-encoded ArrayBuffer (user handle)
      "name": "webauthn@esegece.com",
      "displayName": "Delphi Developer"
    },
    "challenge": "Xz8x2K6nY3gZ...",         // base64url-encoded challenge
    "pubKeyCredParams": [
      { "type": "public-key", "alg": -7 }, // ES256
      { "type": "public-key", "alg": -257 } // RS256
    ],
    "timeout": 60000,
    "attestation": "none",
    "authenticatorSelection": {
      "authenticatorAttachment": "platform",
      "userVerification": "preferred",
      "residentKey": "discouraged"
    }
  }
}

 

 

Find below a description of the fields:

 

• rp: Relying Party info:
  • name: Friendly display name (e.g., “Example Inc.”).
  • id: Relying Party ID (must match site origin or be a registrable suffix).
• user: Information identifying the user account:
  • id: Unique, stable byte array (e.g., user UUID).
  • name: Unique user identifier (username or email).
  • displayName: User-facing display name.
• challenge: A cryptographically random nonce (16–64 bytes), base64url-encoded.
• pubKeyCredParams: Algorithms the RP is willing to accept:
  • Common: -7 (ES256), -257 (RS256)
• timeout: Optional timeout for the creation operation (in ms).
• attestation: One of "none", "indirect", "direct".
• authenticatorSelection:
  • authenticatorAttachment: "platform" (built-in) or "cross-platform" (e.g., YubiKey).
  • userVerification: "required", "preferred", or "discouraged".
  • residentKey: "required", "preferred", or "discouraged".

 

Before the Response is sent to the client, the event OnWebAuthnRegistrationOptionsResponse is called allowing to customize the response.

 

procedure OnWebAuthnRegistrationOptionsResponse(Sender: TObject; const aRequest: TsgcWebAuthn_RegistrationOptions_Request; const aResponse: TsgcWebAuthn_RegistrationOptions_Response);
begin
  if aRequest.Username = 'esegece.com' then
  begin
    aResponse.ExcludeCredentials.AddCredentialRecordFromJSON('json1.txt');
    aResponse.ExcludeCredentials.AddCredentialRecordFromJSON('json2.txt');
  end;
end;