

WebAuthn APIs are exposed by the user agent only if secure transport is established without errors. This means you have to access the demo application via HTTPS. In the demo recording below, I used AWS Cloud9, which gives you a quick way to deploy and test the app. If you deploy this app on your own workstation or on a separate VM, you need to configure SSL. Here is a quick demo of deploying and running this project in a fresh Cloud9 environment.

Registration starts by calling the createCredential function in webauthn-client.js. This function constructs a credential options object and uses it to create credentials with an available authenticator.

Creating credentials uses the browser API, which takes a createCredentialOptions object as input. This object contains parameters about the relying party and the user, plus some flags that indicate which authenticators are allowed and whether user verification is required. In this demo, the credentialOptions object is created server side using createCredRequest in libs/authn.js.

The dictionary structure of the CreateCredentialOptions object could include the parameters below (note that not all parameters are required; this is an extension point that can be extended in the future to support additional parameters):

After creating credentials, the createCredential function parses the response from the authenticator to extract the credential-id and public-key, then calls the signUp function to start the sign-up process with Cognito, which stores the public-key and credential-id as custom attributes in Cognito.

This demo application includes multiple scenarios for demonstration and education purposes.

Authentication starts by calling the signIn() function in webauthn-client.js. This function evaluates which sign-in option was chosen, e.g. sign-in with password only (for example, signing in with a temporary password for account recovery if the authenticator device is lost), sign-in with FIDO only (the passwordless option), or sign-in with password + FIDO (password as the primary factor and FIDO as the second factor).

Based on the selected option, signIn() makes a call to authenticate the user with Cognito. Authentication flows that utilize FIDO are sent to Cognito as CUSTOM_AUTH flows; this invokes the Define Auth Challenge trigger and processes the authentication with a custom challenge. On the client side, the FIDO challenge is triggered when the client receives a customChallenge response in the authCallBack function; it uses the challenge and credential-id returned in the custom challenge to call the browser API, which asks the user to use the authenticator to sign in. The authenticator will then validate the inputs (relying party, credential-id.
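As an added example (not the project's own Lambda), here is a Define Auth Challenge handler for the CUSTOM_AUTH flow that the FIDO sign-in options above rely on: it covers the FIDO-only (passwordless) and password + FIDO paths, and issues tokens only after a passed custom challenge. The retry limit MAX_FIDO_FAILURES is an assumption.

```javascript
// Added example, not the project's own code: a Cognito "Define Auth Challenge"
// Lambda for the CUSTOM_AUTH flow. It decides the next step from the challenges
// already answered in event.request.session and fails closed on anything else.
// MAX_FIDO_FAILURES is an assumed limit, not a value taken from the project.
const MAX_FIDO_FAILURES = 2;

function fail(response) {
  response.failAuthentication = true;
  response.issueTokens = false;
  response.challengeName = null;
  return response;
}

function defineAuthChallenge(event) {
  const session = event.request.session || [];
  const response = { challengeName: null, issueTokens: false, failAuthentication: false };
  event.response = response;
  const last = session[session.length - 1];
  const fidoFailures = session.filter(
    (s) => s.challengeName === 'CUSTOM_CHALLENGE' && s.challengeResult === false).length;

  if (event.request.userNotFound) return fail(response);  // unknown user: no FIDO challenge
  if (session.length === 0) {
    // FIDO only (passwordless): the client started CUSTOM_AUTH without SRP_A
    response.challengeName = 'CUSTOM_CHALLENGE';
  } else if (last.challengeName === 'SRP_A') {
    // password + FIDO: the client sent CHALLENGE_NAME=SRP_A, so verify the password first
    response.challengeName = 'PASSWORD_VERIFIER';
  } else if (last.challengeName === 'PASSWORD_VERIFIER' && last.challengeResult === true) {
    response.challengeName = 'CUSTOM_CHALLENGE';  // password ok: now the FIDO second factor
  } else if (last.challengeName === 'CUSTOM_CHALLENGE' && last.challengeResult === true) {
    response.issueTokens = true;  // assertion verified by Verify Auth Challenge: issue tokens
  } else if (last.challengeName === 'CUSTOM_CHALLENGE' && fidoFailures < MAX_FIDO_FAILURES) {
    response.challengeName = 'CUSTOM_CHALLENGE';  // failed assertion: allow a bounded retry
  } else {
    return fail(response);  // wrong password, too many FIDO failures, or unexpected state
  }
  return response;
}

// Constructed sample event: password already verified, FIDO assertion still pending.
const sample = { request: { session: [
  { challengeName: 'SRP_A', challengeResult: true },
  { challengeName: 'PASSWORD_VERIFIER', challengeResult: true },
] } };
console.log(defineAuthChallenge(sample)); // challengeName: 'CUSTOM_CHALLENGE', issueTokens: false
```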
