server side session.challenge should be stored as base64?

[supersensen]

relaying party: webAuthn.BeginRegistration returned a session containing a string type of challenge, not base64url

user-agent: authenticator navigator.credentials.create() returned credential.response.clientDataJSON is base64urlEncode, clientDataJSON.challenge is also base64urlencode.

these two challenges need to be the same when server side verification is required.

My question is, should I encode the session.challenge returned at the time of BeginRegistration into base64url and then store it in session? Or should I decode the challenge in clientDataJSON from navigator.credentials.create() in browser before verifying?

[james-d-elliott]

The library handles the encoding / decoding and assumes you've used a fairly standard library to collect the data which would have the browser side content base64 encoded. You should store it as is or at least return it in the exact same format.

[supersensen]

webAuthn.BeginRegistration() returned session.challenge is NOT Base64URL encoded, while the challenge returned by the browser in credential.response.clientDataJSON is Base64url encoded. The library's func (*webauthn.WebAuthn).FinishRegistration(user webauthn.User, session webauthn.SessionData, response *http.Request) (*webauthn.Credential, error) directly handles session and r * http.Request, which may result in an Error validating challenge error. should I store session.challenge as Base64URL encoded on the server side?

[james-d-elliott]

should I store session.challenge as Base64URL encoded on the server side?

You should store it as is or at least return it in the exact same format.

I already answered this. It's completely irrelevant how you store it unless the SessionData struct does not have the exact same field values between the start and finish of a session.

Please conduct yourself professionally when interacting with users in this project or projects within this org.

[supersensen]

thanks, really appreciate it.