com.yubico.webauthn

Class RelyingParty

java.lang.Object

com.yubico.webauthn.RelyingParty

public final class RelyingParty
extends java.lang.Object

Encapsulates the four basic Web Authentication operations - start/finish registration, start/finish authentication - along with overall operational settings for them.

This class has no mutable state. An instance of this class may therefore be thought of as a container for specialized versions (function closures) of these four operations rather than a stateful object.

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	RelyingParty.RelyingPartyBuilder

Method Summary

Modifier and Type	Method and Description
static RelyingParty.RelyingPartyBuilder.MandatoryStages	builder()
boolean	equals(java.lang.Object o)
AssertionResult	finishAssertion(FinishAssertionOptions finishAssertionOptions)
RegistrationResult	finishRegistration(FinishRegistrationOptions finishRegistrationOptions)
@NonNull java.util.Optional<AppId>	getAppId() The extension input to set for the appid extension when initiating authentication operations.
@NonNull java.util.Optional<AttestationConveyancePreference>	getAttestationConveyancePreference() The argument for the attestation parameter in registration operations.
@NonNull CredentialRepository	getCredentialRepository() An abstract database which can look up credentials, usernames and user handles from usernames, user handles and credential IDs.
@NonNull RelyingPartyIdentity	getIdentity() The RelyingPartyIdentity that will be set as the rp parameter when initiating registration operations, and which AuthenticatorData.getRpIdHash() will be compared against.
@NonNull java.util.Optional<MetadataService>	getMetadataService() A MetadataService instance to use for looking up device attestation metadata.
@NonNull java.util.Set<java.lang.String>	getOrigins() The allowed origins that returned authenticator responses will be compared against.
@NonNull java.util.List<PublicKeyCredentialParameters>	getPreferredPubkeyParams() The argument for the pubKeyCredParams parameter in registration operations.
int	hashCode()
boolean	isAllowUnrequestedExtensions() If true, finishRegistration and finishAssertion will accept responses containing extension outputs for which there was no extension input.
boolean	isAllowUntrustedAttestation() If true, finishRegistration will only allow registrations where the attestation signature can be linked to a trusted attestation root.
boolean	isValidateSignatureCounter() If true, finishAssertion will fail if the signature counter value in the response is not strictly greater than the stored signature counter value.
AssertionRequest	startAssertion(StartAssertionOptions startAssertionOptions)
PublicKeyCredentialCreationOptions	startRegistration(StartRegistrationOptions startRegistrationOptions)
RelyingParty.RelyingPartyBuilder	toBuilder()
java.lang.String	toString()

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Method Detail

startRegistration

public PublicKeyCredentialCreationOptions startRegistration(StartRegistrationOptions startRegistrationOptions)

finishRegistration

public RegistrationResult finishRegistration(FinishRegistrationOptions finishRegistrationOptions)
                                      throws RegistrationFailedException

Throws:

RegistrationFailedException

startAssertion

public AssertionRequest startAssertion(StartAssertionOptions startAssertionOptions)

finishAssertion

public AssertionResult finishAssertion(FinishAssertionOptions finishAssertionOptions)
                                throws AssertionFailedException

Throws:

InvalidSignatureCountException - if validateSignatureCounter is true, the signature count in the response is less than or equal to the stored signature count, and at least one of the signature count values is nonzero.

AssertionFailedException - if validation fails for any other reason.

builder

public static RelyingParty.RelyingPartyBuilder.MandatoryStages builder()

toBuilder

public RelyingParty.RelyingPartyBuilder toBuilder()

getIdentity

@NonNull
public @NonNull RelyingPartyIdentity getIdentity()

The RelyingPartyIdentity that will be set as the rp parameter when initiating registration operations, and which AuthenticatorData.getRpIdHash() will be compared against. This is a required parameter.

A successful registration or authentication operation requires AuthenticatorData.getRpIdHash() to exactly equal the SHA-256 hash of this member's id member. Alternatively, it may instead equal the SHA-256 hash of appId if the latter is present.

See Also:

startRegistration(StartRegistrationOptions), PublicKeyCredentialCreationOptions

getOrigins

@NonNull
public @NonNull java.util.Set<java.lang.String> getOrigins()

The allowed origins that returned authenticator responses will be compared against.

The default is the set containing only the string "https://" + getIdentity().getId().

A successful registration or authentication operation requires CollectedClientData.getOrigin() to exactly equal one of these values.

See Also:

getIdentity()

getCredentialRepository

@NonNull
public @NonNull CredentialRepository getCredentialRepository()

An abstract database which can look up credentials, usernames and user handles from usernames, user handles and credential IDs. This is a required parameter.

This is used to look up:

• the user handle for a user logging in via user name
• the user name for a user logging in via user handle
• the credential IDs to include in PublicKeyCredentialCreationOptions.getExcludeCredentials()
• the credential IDs to include in PublicKeyCredentialRequestOptions.getAllowCredentials()
• that the correct user owns the credential when verifying an assertion
• the public key to use to verify an assertion
• the stored signature counter when verifying an assertion

getAppId

@NonNull
public @NonNull java.util.Optional<AppId> getAppId()

The extension input to set for the appid extension when initiating authentication operations.

If this member is set, startAssertion will automatically set the appid extension input, and finishAssertion will adjust its verification logic to also accept this AppID as an alternative to the RP ID.

By default, this is not set.

See Also:

AssertionExtensionInputs.getAppid(), §10.1. FIDO AppID Extension (appid)

getAttestationConveyancePreference

@NonNull
public @NonNull java.util.Optional<AttestationConveyancePreference> getAttestationConveyancePreference()

The argument for the attestation parameter in registration operations.

Unless your application has a concrete policy for authenticator attestation, it is recommended to leave this parameter undefined.

By default, this is not set.

See Also:

PublicKeyCredentialCreationOptions.getAttestation(), §6.4. Attestation

getMetadataService

@NonNull
public @NonNull java.util.Optional<MetadataService> getMetadataService()

A MetadataService instance to use for looking up device attestation metadata. This matters only if getAttestationConveyancePreference() is non-empty and not set to AttestationConveyancePreference.NONE.

By default, this is not set.

See Also:

PublicKeyCredentialCreationOptions.getAttestation(), §6.4. Attestation

getPreferredPubkeyParams

@NonNull
public @NonNull java.util.List<PublicKeyCredentialParameters> getPreferredPubkeyParams()

The argument for the pubKeyCredParams parameter in registration operations.

This is a list of acceptable public key algorithms and their parameters, ordered from most to least preferred.

The default is the following list:

1. ES256
2. RS256

See Also:

PublicKeyCredentialCreationOptions.getAttestation(), §6.4. Attestation

isAllowUnrequestedExtensions

public boolean isAllowUnrequestedExtensions()

If true, finishRegistration and finishAssertion will accept responses containing extension outputs for which there was no extension input.

The default is false.

See Also:

§9. WebAuthn Extensions

isAllowUntrustedAttestation

public boolean isAllowUntrustedAttestation()

If true, finishRegistration will only allow registrations where the attestation signature can be linked to a trusted attestation root. This excludes self attestation and none attestation.

Regardless of the value of this option, invalid attestation statements of supported formats will always be rejected. For example, a "packed" attestation statement with an invalid signature will be rejected even if this option is set to true.

The default is true.

isValidateSignatureCounter

public boolean isValidateSignatureCounter()

If true, finishAssertion will fail if the signature counter value in the response is not strictly greater than the stored signature counter value.

The default is true.

equals

public boolean equals(java.lang.Object o)

Overrides:

equals in class java.lang.Object

hashCode

public int hashCode()

Overrides:

hashCode in class java.lang.Object

toString

public java.lang.String toString()

Overrides:

toString in class java.lang.Object