Add WebAuthn authentication credential registration endpoints and schemas #838
Pull request overview
This pull request adds WebAuthn (Passkey) credential registration endpoints to the WIP Authentication API specification. The changes introduce a two-step registration flow (start/finish) following the WebAuthn standard, enabling clients to register public-key credentials for passwordless authentication.
Key Changes
- Added /auth/webauthn/register/start and /auth/webauthn/register/finish endpoints for the credential registration ceremony
- Introduced comprehensive request/response schemas that align with the WebAuthn W3C specification
- Defined detailed error responses covering validation failures and attestation verification issues
Codecov Report: All modified and coverable lines are covered by tests.

Coverage diff (main vs. #838):

              main    #838     +/-
Coverage    86.21%  87.22%  +1.00%
Files          221     302     +81
Lines        21414   24052   +2638
Branches         0     606    +606
Hits         18463   20979   +2516
Misses        1924    1891     -33
Partials      1027    1182    +155
Shall we move this to a separate spec file? Registration shouldn't be in authentication spec
api/WIP/authentication.yaml
| default: "8090" | ||
|
|
||
| paths: | ||
| /auth/webauthn/register/start: |
| /auth/webauthn/register/start: | |
| /register/webauthn/start: |
@darshanasbg WDYT about the API path?
api/WIP/authentication.yaml
| schema: | ||
| $ref: '#/components/schemas/ServerErrorResponse' | ||
|
|
||
| /auth/webauthn/register/finish: |
| /auth/webauthn/register/finish: | |
| /register/webauthn/finish: |
api/WIP/authentication.yaml
| description: "JWT assertion token for the authenticated user" | ||
| example: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." | ||
|
|
||
| WebAuthnRegisterStartRequest: |
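Review bot: the example token header `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9` decodes to `{"alg":"HS256","typ":"JWT"}`, an HMAC-signed token, while the description "JWT assertion token for the authenticated user" does not say which algorithm the server issues or which key consumers verify against. State the intended algorithm in the description (an asymmetric alg such as ES256 or RS256 if other services validate the assertion, so the signing secret is not shared) or use an example header that matches what the implementation emits.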
| WebAuthnRegisterStartRequest: | |
| WebAuthnRegistrationStartRequest: |
api/WIP/authentication.yaml
| - user_id | ||
| - relying_party_id | ||
|
|
||
| WebAuthnRegisterStartResponse: |
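Review bot: `relying_party_id` is a required request field here, which lets the caller pick the RP ID the server builds the creation options for. The RP ID is a server-side configuration value that has to match the origin the browser reports and the rpIdHash in the returned authenticatorData, so if it stays client-supplied the finish step must re-validate it against the configured RP IDs and bind it to the session; otherwise a non-browser client can register a credential under an RP ID the server never intended. Consider dropping it from the request (derive it from configuration or the request Host) or document that it is checked against an allowlist and returned as an error when it is not.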
| WebAuthnRegisterStartResponse: | |
| WebAuthnRegistrationStartResponse: |
api/WIP/authentication.yaml
| content: | ||
| application/json: | ||
| schema: | ||
| $ref: '#/components/schemas/ServerErrorResponse' |
Let's stick to the system wide server error (SSE-5000). Keep in mind for the implementation as well.
| InternalServerError = ServiceError{ |
api/WIP/authentication.yaml
| - publicKeyCredentialCreationOptions | ||
| - session_token | ||
|
|
||
| WebAuthnRegisterFinishRequest: |
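Review bot: `session_token` is required in the start response but nothing in the schema says what it is. It is the only thing binding the finish request to the challenge issued here, so the field description should state that it is an opaque, server-generated, unguessable value (not derived from user_id), single-use, and short-lived, and that the challenge inside publicKeyCredentialCreationOptions is stored server-side against it rather than re-read from the client at finish. Document the expiry and the error returned when an expired or already-consumed token is presented.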
| WebAuthnRegisterFinishRequest: | |
| WebAuthnRegistrationFinishRequest: |
api/WIP/authentication.yaml
| - publicKeyCredential | ||
| - session_token | ||
|
|
||
| WebAuthnRegisterFinishResponse: |
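Review bot: requiring only publicKeyCredential and session_token in the finish request is right (the user is identified by the session, not by a client-supplied user_id), but the error responses listed for this endpoint cover field validation and "attestation verification failures" without naming the checks that come before the signature check: clientDataJSON.type must be "webauthn.create", the decoded challenge must equal the one issued for this session_token, origin must be in the configured allowlist, rpIdHash must match the configured RP ID, and the credential ID must not already be registered. Enumerate these as distinct error responses so clients and tests can tell a stale challenge or wrong origin from a bad attestation statement.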
| WebAuthnRegisterFinishResponse: | |
| WebAuthnRegistrationFinishResponse: |
api/WIP/authentication.yaml
| WebAuthnRegisterStartResponse: | ||
| type: object | ||
| properties: | ||
| publicKeyCredentialCreationOptions: |
We're using both camel case and snake case in the payloads. Is it due to how these fields are returned from the browser APIs? If not, better to stick to a single format.
Applicable to other places as well
publicKeyCredentialCreationOptions and publicKeyCredential are in camel case because the browser's native function navigator.credentials.create(options) expects a JavaScript object with exact property names defined by the W3C specification.
8701d2e to 6c27f56
This pull request adds support for WebAuthn (Passkey) credential registration to the Authentication API specification. It introduces new endpoints for starting and finishing WebAuthn registration, along with the necessary request and response schemas. These changes enable clients to register public-key credentials for passwordless authentication flows.
API endpoint additions:
- /auth/webauthn/register/start endpoint to initiate WebAuthn/Passkey credential creation for a user, including request/response models and detailed client and server error handling (e.g., empty user ID, user not found).
- /auth/webauthn/register/finish endpoint to complete WebAuthn/Passkey credential creation using the attestation response from the authenticator, with granular error responses for invalid or missing fields (credential ID, credential type, attestation response, session token), attestation verification failures, and user-not-found conditions.

Schema additions for WebAuthn:
- Introduced WebAuthnRegisterStartRequest and WebAuthnRegisterStartResponse to model the initiation of the registration ceremony, including relying party metadata, authenticator selection criteria, and publicKeyCredentialCreationOptions as per the WebAuthn specification, along with a session_token to bind the registration flow.
- Added WebAuthnRegisterFinishRequest to capture the PublicKeyCredential attestation payload (credential IDs, attestation object, clientDataJSON, transports, and authenticator attachment) together with the registration session_token and an optional user-friendly credential_name.
- Defined WebAuthnRegisterFinishResponse to return information about the successfully registered credential, including its credential_id, credential_name, and created_at timestamp.

Related Issue
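The finish step described above hands the server a session_token plus the authenticator's attestation payload, and the spec lists "attestation verification failures" as an error class. The checks a server has to run before it even reaches the attestation signature are not spelled out in the thread, so the following is an added example of that server-side logic in Go. It is not code from this PR or its repository: the RP ID `example.com`, the origin `https://example.com`, the type names `RegistrationSession`/`ParsedAuthData` and the function `VerifyRegistration` are all assumptions made for the example, and the format-specific attestation statement signature check is deliberately left out.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
)

// Hypothetical deployment values (not from the spec) and the authenticatorData flag bits used below.
const (
	rpID          = "example.com"
	allowedOrigin = "https://example.com"
	flagUP        = 0x01 // user present
	flagAT        = 0x40 // attested credential data included
)

// clientData mirrors the CollectedClientData JSON the browser produces.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url, unpadded
	Origin    string `json:"origin"`
}

// RegistrationSession is the server-side state a session_token refers to.
type RegistrationSession struct {
	Challenge []byte // raw bytes sent in publicKeyCredentialCreationOptions.challenge
	Used      bool
}

// ParsedAuthData holds the authenticatorData fields checked at registration.
type ParsedAuthData struct {
	RPIDHash     []byte
	UserPresent  bool
	CredentialID []byte
}

// parseAuthData splits authenticatorData: rpIdHash(32) flags(1) signCount(4), then aaguid(16) credIdLen(2) credentialId COSE-key.
func parseAuthData(b []byte) (*ParsedAuthData, error) {
	if len(b) < 37 || b[32]&flagAT == 0 {
		return nil, errors.New("authenticatorData too short or attested credential data (AT flag) missing")
	}
	rest := b[37:]
	if len(rest) < 18 || len(rest) < 18+int(binary.BigEndian.Uint16(rest[16:18])) {
		return nil, errors.New("attested credential data truncated")
	}
	n := int(binary.BigEndian.Uint16(rest[16:18]))
	return &ParsedAuthData{RPIDHash: b[:32], UserPresent: b[32]&flagUP != 0, CredentialID: rest[18 : 18+n]}, nil
}

// VerifyRegistration runs the checks the finish step must pass before a credential is stored:
// single use of the session, clientDataJSON type/challenge/origin, rpIdHash and user presence.
// The format-specific attestation statement signature check is out of scope here.
func VerifyRegistration(sess *RegistrationSession, clientDataJSON, authData []byte) (*ParsedAuthData, error) {
	if sess.Used {
		return nil, errors.New("session_token already consumed")
	}
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return nil, errors.New("clientDataJSON is not valid JSON")
	}
	if cd.Type != "webauthn.create" {
		return nil, errors.New("clientDataJSON.type is not webauthn.create")
	}
	got, err := base64.RawURLEncoding.DecodeString(cd.Challenge)
	if err != nil || !bytes.Equal(got, sess.Challenge) {
		return nil, errors.New("challenge does not match the one issued for this session")
	}
	if cd.Origin != allowedOrigin {
		return nil, errors.New("origin not allowed")
	}
	ad, err := parseAuthData(authData)
	if err != nil {
		return nil, err
	}
	if want := sha256.Sum256([]byte(rpID)); !bytes.Equal(ad.RPIDHash, want[:]) {
		return nil, errors.New("rpIdHash does not match configured RP ID")
	}
	if !ad.UserPresent {
		return nil, errors.New("user presence (UP) flag not set")
	}
	sess.Used = true // burn the session so a replayed finish request is rejected
	return ad, nil
}

// BuildSampleAuthData constructs a minimal authenticatorData blob (zero AAGUID, no COSE key)
// so the checks above can run offline on constructed input.
func BuildSampleAuthData(rp string, credID []byte) []byte {
	h := sha256.Sum256([]byte(rp))
	out := append(h[:], flagUP|flagAT, 0, 0, 0, 1) // flags, then signCount = 1
	out = append(out, make([]byte, 16)...)          // AAGUID
	var l [2]byte
	binary.BigEndian.PutUint16(l[:], uint16(len(credID)))
	return append(append(out, l[:]...), credID...)
}
```

The ordering matters: the session is marked used only after every check passes, so a client that fails on origin or rpIdHash can retry with the same session_token until it expires, while a successful registration cannot be replayed. The challenge is compared against the server's stored bytes, never against anything the client sends at finish, which is what makes session_token the binding the spec relies on.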