Skip to content

Commit

Permalink
Add the initial webauthn docs
Browse files Browse the repository at this point in the history
  • Loading branch information
@bcbogdan
bcbogdan committed Jan 8, 2025
1 parent 5cb3237 commit a8a132c
Show file tree
Hide file tree
Showing 5 changed files with 577 additions and 0 deletions.
4 changes: 4 additions & 0 deletions v3/docs/authentication/webauthn/_category_.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
{
"label": "Passkey Authentication",
"position": 7
}
44 changes: 44 additions & 0 deletions v3/docs/authentication/webauthn/_structure.mdx
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
---
title: Structure
hide_title: true
sidebar_position: 1
---

# Introduction
## Overview
## Why to use WebAuthn
## What are Passkeys?
## Terminology
## Feature Overview
## Integration Options
## Getting Started

# Quick Start
## Overview
## Before you start
### Terminology
## Steps (Custom UI)
### Initialize the Frontend SDK
### Add the UI
### Add the Signup Form
### Add the Login Form
### Initialize the Backend SDK
## Steps (Prebuilt UI)
### Initialize the Frontend SDK
### Initialize the Backend SDK
## Next Steps


# Account Recovery
## Overview

# Customise Passkey Validation
## Overview
## Available options

# Configuring the Relying Party and Multitenancy
## Overview
## Configuring the Relying Party



185 changes: 185 additions & 0 deletions v3/docs/authentication/webauthn/customise-credential-validation.mdx
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,185 @@
---
title: Customise Credential Validation
hide_title: true
sidebar_position: 3
---

# Customise Credential Validation

## Overview

The WebAuthN flow allows the user to customise the way credentials are generated and validated. The reason for this is that certain use-cases require the user to have a lot of control over the credential generation and validation process.

For example, in the case of a banking app, the user may want to use a YubiKey to generate and validate credentials. In this case, the user may want to use a required PIN or a biometric factor to validate the credential.

TODO: Add correct link
Most of the customisation is done through function overrides. You can find more details about how they work here: [Overrides](https://deploy-preview-869--starlit-elf-06ee1a.netlify.app/docs/references/sdks/functions-overrides/backend-functions-override).

## Recipe Configuration

TODO: Add correct link
The recipe configuration is done by the `init` function. You can find more details about the recipe configuration here: [Recipe Configuration](#).

When configuring the recipe, you can pass the following options:
- **Relying Party**: Details about the entity for which the credential is being generated. This includes the domain name (Relying Party ID) and display name (Relying Party Name) of your application that will be shown to the user during authentication. The Relying Party ID defaults to the API domain (`apiBasePath`) and the Relying Parth Name defaults to the application name (`appName`).
- **Origin**: The origin URL that the credential is generated on. Defaults to the origin of the request.

```ts
import supertokens from "supertokens-node";
import Session from "supertokens-node/recipe/session";
import WebAuthn from "supertokens-node/recipe/webauthn";

supertokens.init({
framework: "express",
supertokens: {
// https://try.supertokens.com is for demo purposes. Replace this with the address of your core instance (sign up on supertokens.com), or self host a core.
connectionURI: "https://try.supertokens.com",
// apiKey: <API_KEY(if configured)>,
},
appInfo: {
// learn more about this on https://supertokens.com/docs/session/appinfo
appName: "<YOUR_APP_NAME>",
apiDomain: "<YOUR_API_DOMAIN>",
websiteDomain: "<YOUR_WEBSITE_DOMAIN>",
apiBasePath: "/auth",
websiteBasePath: "/auth"
},
recipeList: [
WebAuthn.init({
getOrigin: () => {
return "https://example.com";
},
getRelyingPartyId: () => {
return "example.com";
},
getRelyingPartyName: () => {
return "example";
},
}),
Session.init() // initializes session features
]
});
```

## Customising Credential Generation

The credentials are generated by the client (if it supports it). You can find more details about the way the browser handles credential generation here: [Credential Management API](https://developer.mozilla.org/en-US/docs/Web/API/Credential_Management_API).

The credential is generated based on a set of options that you can pass to the `navigator.credentials.create` function. In our case these options are generated on the server through the SDK.

The possible configurable options are:

- **Relying Party**: Details about the entity for which the credential is being generated. This includes the domain name (Relying Party ID) and display name (Relying Party Name) of your application that will be shown to the user during authentication. The Relying Party ID defaults to the API domain (`apiBasePath`) and the Relying Parth Name defaults to the application name (`appName`).
- **Origin**: The origin URL that the credential is generated on. Defaults to the origin of the request.
- **Timeout**: The time in milliseconds that the user has to complete the credential generation process. Defaults to `6000`.
- **Attestation**: Controls how much information about the authenticator is included in the attestation statement. This controls what authenticators are supported. Defaults to `none`.
- **Supported Algorithms**: The cryptographic algorithms that can be used for generating credentials. Different authenticators support different algorithms. Defaults to `[-8, -7, -257]`.
- **Resident Key**: Whether the credential should be stored on the authenticator device. Defaults to `required`.
- **User Verification**: Controls whether user verification (like PIN or biometrics) is required. Defaults to `preferred`.
- **User Display Name**: The display name of the user. Defaults to the `email` field.

Below is an example of how you can customise the credential generation options.

```ts
import supertokens from "supertokens-node";
import Session from "supertokens-node/recipe/session";
import WebAuthn from "supertokens-node/recipe/webauthn";

supertokens.init({
framework: "express",
supertokens: {
// https://try.supertokens.com is for demo purposes. Replace this with the address of your core instance (sign up on supertokens.com), or self host a core.
connectionURI: "https://try.supertokens.com",
// apiKey: <API_KEY(if configured)>,
},
appInfo: {
// learn more about this on https://supertokens.com/docs/session/appinfo
appName: "<YOUR_APP_NAME>",
apiDomain: "<YOUR_API_DOMAIN>",
websiteDomain: "<YOUR_WEBSITE_DOMAIN>",
apiBasePath: "/auth",
websiteBasePath: "/auth"
},
recipeList: [
WebAuthn.init({
override: {
functions: (originalImplementation) => {
return {
...originalImplementation,
registerOptions: (input) => {
return originalImplementation.registerOptions({
...input,
attestation: "direct",
residentKey: "required",
timeout: 10 * 1000,
userVerification: "required",
displayName: "John Doe",
supportedAlgorithms: [-257],
relyingPartyId: 'example.com',
relyingPartyName: 'example',
origin: 'https://example.com',
});
},
};
},
},
}),
Session.init() // initializes session features
]
});
```

## Customising Credential Validation

When a user attempts to login using a WebAuthN credential, the credential is used for signing a challenge through the client using `navigator.credentials.get` function. The options for signing the challenge are generated on the server through the SDK and defined how the authentication will take place:

- **Relying Party ID**: The domain name (Relying Party ID) of your application that will be used for validating the credential.
- **Origin**: The origin URL that the credential is generated on. Defaults to the origin of the request.
- **Timeout**: The time in milliseconds that the user has to complete the credential validation process. Defaults to `6000`.
- **User Verification**: Controls whether user verification (like PIN or biometrics) is required. Defaults to `preferred`.

Below is an example of how you can customise the credential generation options.

```ts
import supertokens from "supertokens-node";
import Session from "supertokens-node/recipe/session";
import WebAuthn from "supertokens-node/recipe/webauthn";

supertokens.init({
framework: "express",
supertokens: {
// https://try.supertokens.com is for demo purposes. Replace this with the address of your core instance (sign up on supertokens.com), or self host a core.
connectionURI: "https://try.supertokens.com",
// apiKey: <API_KEY(if configured)>,
},
appInfo: {
// learn more about this on https://supertokens.com/docs/session/appinfo
appName: "<YOUR_APP_NAME>",
apiDomain: "<YOUR_API_DOMAIN>",
websiteDomain: "<YOUR_WEBSITE_DOMAIN>",
apiBasePath: "/auth",
websiteBasePath: "/auth"
},
recipeList: [
WebAuthn.init({
override: {
functions: (originalImplementation) => {
return {
...originalImplementation,
signInOptions: (input) => {
return originalImplementation.signInOptions({
...input,
timeout: 10 * 1000,
userVerification: "required",
relyingPartyId: 'example.com',
origin: 'https://example.com',
});
},
};
},
},
}),
Session.init() // initializes session features
]
});
```
Loading

0 comments on commit a8a132c

Please sign in to comment.