Create Params

To start

This section explain you how to create the json to send to the client browser.

First of all, you need to instantiate the client

<?php
use Svgta\WebAuthn\client;
$webauthn = new client();

To process

Relying Party

You must defined the Relying Party (your server). The exemple show all options :

$webauthn->rp->set(
    icon: 'data:image/png;base64,iVBORw0KGgoAAA...',
    name: 'My wonderful project',
    id: 'myproject.tld'
);

Explanation :

  • icon (optional) : must be an image base64 encoded

  • name (required) : the name of you app

  • id (optional) : hostname of you project. If not set, the library take the hostname of the server

You are maybe on an url like : https://reg.myproject.tld. You can set the id with theses values :

  • reg.myproject.tld

  • myproject.tld

Using myproject.tld for the id can be useful if the authentication process is on https://auth.myproject.tld

User

You have to defined the user who wants to create a registration.

Explanation :

  • name (required) : the name of the user. You may avoid to use the user email

  • id (optional) : the library will create an uuid for it if not set

  • displayName (optional) : if not set, the library use the name

  • icon (optional) : must be an image base64 encoded

The username can be composed of any displayable characters, including emojis. Username "😝🥰😔" is perfectly valid.

Developers should not add rules that prevent users from choosing the username they want.

For privacy reasons, it is not recommended using the e-mail as username.

pubKeyCredParams

You have to list the signg algorithms you want to use for your application.

You must give the list in your preference ordrer. Your device will then take the first one that it cans handle with. Example :

Then, the parameters are :

  • alg (required) : the algorithm you want to use (string or integer)

  • type (optional) : the type of key. By default public-key

To have the list of algorithms supported by the library, use pubKeyCredParams::getAlgList():

As result, you will have someting like this :

If no alg is given, the library use the default : ES256 and RS256.

authenticatorSelection

Now, you will defined how you will converse with the device. You have to set :

You don't have to defined the requireResidentKey ; the library does the job with your inputs.

userVerification

Three possible options :

  • required

  • discouraged

  • preferred

Default value : preferred

residentKey

Three possible options :

  • required

  • discouraged

  • preferred

Default value : preferred

authenticatorAttachment

Thee possible options :

  • all

  • cross_platform

  • platform

Default value : all

attestation

Four possible options :

  • none

  • indirect

  • direct

  • entreprise

Default value : none

excludeCredentials

You want to avoid some devices. For example, to not authorize a user to use the same devices he used to do a previous registration.

the method allow 3 arguments :

  • id (required) : the id of the key defined by the library as publicKeyCredentialId

  • type (optional): by default it's set to public-key

  • transports (optional) : it's an array. By default the array is empty

timeout

By default, the timeout is 300000. You can set another timeout like that :

If the timeout is to big or to low, you will get in your server logs a message like that :

Challenge

The challenge is generated by the library. Nothing to do for you.

To finish

Now, you just need to get the json to send to the client. For example :

The session store now all the informations to deal with the response of the client.

You may want the user informations without parsing this json to send to the client. You can get it by two ways, it will be seen in the next step of registration process.

Usable Examples

Use default values

code :

Result :

A more secure example

It's may be not what you want. It depends of the security level you need for your application.

Code :

Result :

PreviousIntroductionNextCallback

Last updated