
Direct Extensions Support #123

@james-d-elliott

Description


Implement all of the extensions directly in the library, including all validations. It would be nice to allow backwards compat and a low-level implementation, as this is an evolving area; however, I don't believe that either of these ideas should be a critical requirement.

Use Case

No response

Documentation

package protocol

// AppIDExtensionsClientInputs is the input parameters for the appid extension.
//
// This extension allows WebAuthn Relying Parties that have previously registered a credential using the legacy FIDO U2F
// JavaScript API FIDOU2FJavaScriptAPI to request an assertion. The FIDO APIs use an alternative identifier for Relying
// Parties called an AppID FIDO-APPID, and any credentials created using those APIs will be scoped to that identifier.
// Without this extension, they would need to be re-registered in order to be scoped to an RP ID.
//
// Stages: Authentication
//
// Specification: §10.1. FIDO AppID Extension (https://www.w3.org/TR/webauthn/#sctn-appid-extension)
type AppIDExtensionsClientInputs struct {
	AppID string `json:"appid,omitempty"`
}

// AppIDExtensionsClientOutputs is the output parameters for the appid extension.
//
// This extension allows WebAuthn Relying Parties that have previously registered a credential using the legacy FIDO U2F
// JavaScript API FIDOU2FJavaScriptAPI to request an assertion. The FIDO APIs use an alternative identifier for Relying
// Parties called an AppID FIDO-APPID, and any credentials created using those APIs will be scoped to that identifier.
// Without this extension, they would need to be re-registered in order to be scoped to an RP ID.
//
// Stages: Authentication
//
// Specification: §10.1. FIDO AppID Extension (https://www.w3.org/TR/webauthn/#sctn-appid-extension)
type AppIDExtensionsClientOutputs struct {
	AppID bool `json:"appid"`
}

// AppIDExcludeExtensionsClientInputs is the input parameters for the appidExclude extension.
//
// This registration extension allows WebAuthn Relying Parties to exclude authenticators that contain specified
// credentials that were created with the legacy FIDO U2F JavaScript API FIDOU2FJavaScriptAPI.
//
// Stages: Registration
//
// Specification: §10.2. FIDO AppID Exclusion Extension (https://www.w3.org/TR/webauthn/#sctn-appid-exclude-extension)
type AppIDExcludeExtensionsClientInputs struct {
	AppID string `json:"appidExclude,omitempty"`
}

// AppIDExcludeExtensionsClientOutputs is the output parameters for the appidExclude extension.
//
// This registration extension allows WebAuthn Relying Parties to exclude authenticators that contain specified
// credentials that were created with the legacy FIDO U2F JavaScript API FIDOU2FJavaScriptAPI.
//
// Stages: Registration
//
// Specification: §10.2. FIDO AppID Exclusion Extension (https://www.w3.org/TR/webauthn/#sctn-appid-exclude-extension)
type AppIDExcludeExtensionsClientOutputs struct {
	AppID bool `json:"appidExclude"`
}

// UVMClientInputs is the input parameters for the uvm extension.
//
// This extension enables use of a user verification method.
//
// Stages: Registration, Authentication
//
// Specification: §10.3. User Verification Method Extension (https://www.w3.org/TR/webauthn/#sctn-uvm-extension)
type UVMClientInputs struct {
	UVM bool `json:"uvm"`
}

// UVMClientOutputs is the output parameters for the uvm extension.
//
// This extension enables use of a user verification method.
//
// TODO: Investigation of the CBOR structure.
//
// Stages: Registration, Authentication
//
// Specification: §10.3. User Verification Method Extension (https://www.w3.org/TR/webauthn/#sctn-uvm-extension)
type UVMClientOutputs struct {
	UVM [][]uint `json:"uvm"`
}

// CredentialPropertiesClientInputs is the input parameters for the credProps extension.
//
// This client registration extension facilitates reporting certain credential properties known by the client to the
// requesting WebAuthn Relying Party upon creation of a public key credential source as a result of a registration
// ceremony.
//
// Stages: Registration
//
// Specification: §10.4. Credential Properties Extension (https://www.w3.org/TR/webauthn/#sctn-authenticator-credential-properties-extension)
type CredentialPropertiesClientInputs struct {
	CredentialProperties bool `json:"credProps"`
}

// CredentialPropertiesClientOutputs is the output parameters for the credProps extension.
//
// This client registration extension facilitates reporting certain credential properties known by the client to the
// requesting WebAuthn Relying Party upon creation of a public key credential source as a result of a registration
// ceremony.
//
// Stages: Registration
//
// Specification: §10.4. Credential Properties Extension (https://www.w3.org/TR/webauthn/#sctn-authenticator-credential-properties-extension)
type CredentialPropertiesClientOutputs struct {
	ClientSideDiscoverableCredential bool `json:"rk"`
}

// LargeBlobSupport represents the IDL of the same name.
//
// Specification: §10.5. Large blob storage extension (https://www.w3.org/TR/webauthn/#enumdef-largeblobsupport)
type LargeBlobSupport string

const (
	LargeBlobSupportRequired  LargeBlobSupport = "required"
	LargeBlobSupportPreferred LargeBlobSupport = "preferred"
)

// LargeBlobStorageClientRegistrationInputs is the input parameters for the largeBlob extension.
//
// This client registration extension and authentication extension allows a Relying Party to store opaque data
// associated with a credential. Since authenticators can only store small amounts of data, and most Relying Parties are
// online services that can store arbitrary amounts of state for a user, this is only useful in specific cases. For
// example, the Relying Party might wish to issue certificates rather than run a centralised authentication service.
//
// Stages: Registration
//
// Specification: §10.5. Large blob storage extension (https://www.w3.org/TR/webauthn/#sctn-large-blob-extension)
type LargeBlobStorageClientRegistrationInputs struct {
	LargeBlob RegistrationExtensionsLargeBlobInputs `json:"largeBlob"`
}

// LargeBlobStorageClientAuthenticationInputs is the input parameters for the largeBlob extension.
//
// This client registration extension and authentication extension allows a Relying Party to store opaque data
// associated with a credential. Since authenticators can only store small amounts of data, and most Relying Parties are
// online services that can store arbitrary amounts of state for a user, this is only useful in specific cases. For
// example, the Relying Party might wish to issue certificates rather than run a centralised authentication service.
//
// Stages: Authentication
//
// Specification: §10.5. Large blob storage extension (https://www.w3.org/TR/webauthn/#sctn-large-blob-extension)
type LargeBlobStorageClientAuthenticationInputs struct {
	LargeBlob AuthenticationExtensionsLargeBlobInputs `json:"largeBlob"`
}

// RegistrationExtensionsLargeBlobInputs is the largeBlob input during registration: whether blob support is required or preferred.
type RegistrationExtensionsLargeBlobInputs struct {
	Support LargeBlobSupport `json:"support"`
}

// AuthenticationExtensionsLargeBlobInputs is the largeBlob input during authentication: either a read request or data to write.
type AuthenticationExtensionsLargeBlobInputs struct {
	Read bool             `json:"read"`
	Data URLEncodedBase64 `json:"write,omitempty"`
}

// LargeBlobStorageClientRegistrationOutputs is the output parameters for the largeBlob extension.
//
// This client registration extension and authentication extension allows a Relying Party to store opaque data
// associated with a credential. Since authenticators can only store small amounts of data, and most Relying Parties are
// online services that can store arbitrary amounts of state for a user, this is only useful in specific cases. For
// example, the Relying Party might wish to issue certificates rather than run a centralised authentication service.
//
// Stages: Registration
//
// Specification: §10.5. Large blob storage extension (https://www.w3.org/TR/webauthn/#sctn-large-blob-extension)
type LargeBlobStorageClientRegistrationOutputs struct {
	LargeBlob RegistrationExtensionsLargeBlobOutputs `json:"largeBlob"`
}

// LargeBlobStorageClientAuthenticationOutputs is the output parameters for the largeBlob extension.
//
// This client registration extension and authentication extension allows a Relying Party to store opaque data
// associated with a credential. Since authenticators can only store small amounts of data, and most Relying Parties are
// online services that can store arbitrary amounts of state for a user, this is only useful in specific cases. For
// example, the Relying Party might wish to issue certificates rather than run a centralised authentication service.
//
// Stages: Authentication
//
// Specification: §10.5. Large blob storage extension (https://www.w3.org/TR/webauthn/#sctn-large-blob-extension)
type LargeBlobStorageClientAuthenticationOutputs struct {
	LargeBlob AuthenticationExtensionsLargeBlobOutputs `json:"largeBlob"`
}

// RegistrationExtensionsLargeBlobOutputs is the largeBlob output during registration: whether the credential supports blob storage.
type RegistrationExtensionsLargeBlobOutputs struct {
	Support bool `json:"supported"`
}

// AuthenticationExtensionsLargeBlobOutputs is the largeBlob output during authentication: the write result or the blob that was read.
type AuthenticationExtensionsLargeBlobOutputs struct {
	Written bool             `json:"written"`
	Data    URLEncodedBase64 `json:"blob,omitempty"`
}
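An added example (not code from this issue or from go-webauthn) of one of the validations the appid output forces on the Relying Party side: the rpIdHash check in an assertion may accept SHA-256(AppID) in place of SHA-256(RP ID) only when the RP actually requested the appid extension and the client reported appid=true. The struct copy, the RP ID, the AppID and the JSON are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
)

// AppIDExtensionsClientOutputs mirrors the appid client output proposed above.
type AppIDExtensionsClientOutputs struct {
	AppID bool `json:"appid"`
}

// ExpectedRPIDHash returns the rpIdHash the RP must expect in the assertion's authenticator data.
// When the RP requested the appid extension and the client reports appid=true, the assertion is
// scoped to the AppID, so SHA-256(AppID) replaces SHA-256(RP ID). A true output that the RP never
// asked for is rejected rather than trusted (assumption: requestedAppID is empty when not requested).
func ExpectedRPIDHash(rpID, requestedAppID string, clientExtensionResults []byte) ([32]byte, error) {
	var outputs AppIDExtensionsClientOutputs
	if len(clientExtensionResults) > 0 {
		if err := json.Unmarshal(clientExtensionResults, &outputs); err != nil {
			return [32]byte{}, fmt.Errorf("parsing clientExtensionResults: %w", err)
		}
	}
	if !outputs.AppID {
		return sha256.Sum256([]byte(rpID)), nil
	}
	if requestedAppID == "" {
		return [32]byte{}, errors.New("client reported appid=true but the RP did not request the extension")
	}
	return sha256.Sum256([]byte(requestedAppID)), nil
}

// VerifyRPIDHash checks the rpIdHash taken from authenticator data in constant time.
func VerifyRPIDHash(rpID, requestedAppID string, clientExtensionResults, rpIDHash []byte) error {
	expected, err := ExpectedRPIDHash(rpID, requestedAppID, clientExtensionResults)
	if err != nil {
		return err
	}
	if subtle.ConstantTimeCompare(expected[:], rpIDHash) != 1 {
		return errors.New("rpIdHash matches neither the RP ID nor the requested AppID")
	}
	return nil
}
```

Sample input for a legacy U2F credential: rpID "example.com", requested AppID "https://example.com", clientExtensionResults `{"appid":true}`, and an rpIdHash equal to SHA-256 of the AppID passes, while the same JSON with SHA-256 of the RP ID fails.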

Metadata

Assignees: No one assigned
Projects: Status: Todo
Relationships: None yet
Development: No branches or pull requests