Class RelyingParty.RelyingPartyBuilder
- java.lang.Object
-
- com.yubico.webauthn.RelyingParty.RelyingPartyBuilder
-
- Enclosing class:
- RelyingParty
public static class RelyingParty.RelyingPartyBuilder extends java.lang.Object
-
-
Nested Class Summary
Nested Classes Modifier and Type Class Description static classRelyingParty.RelyingPartyBuilder.MandatoryStages
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description RelyingParty.RelyingPartyBuilderallowOriginPort(boolean allowOriginPort)Iftrue, the origin matching rule is relaxed to allow any port number.RelyingParty.RelyingPartyBuilderallowOriginSubdomain(boolean allowOriginSubdomain)Iftrue, the origin matching rule is relaxed to allow any subdomain, of any depth, of the values oforigins.RelyingParty.RelyingPartyBuilderallowUntrustedAttestation(boolean allowUntrustedAttestation)Iffalse,finishRegistrationwill only allow registrations where the attestation signature can be linked to a trusted attestation root.RelyingParty.RelyingPartyBuilderappId(@NonNull AppId appId)The extension input to set for theappidandappidExcludeextensions.RelyingParty.RelyingPartyBuilderappId(@NonNull java.util.Optional<AppId> appId)The extension input to set for theappidandappidExcludeextensions.RelyingParty.RelyingPartyBuilderattestationConveyancePreference(@NonNull AttestationConveyancePreference attestationConveyancePreference)The argument for theattestationparameter in registration operations.RelyingParty.RelyingPartyBuilderattestationConveyancePreference(@NonNull java.util.Optional<AttestationConveyancePreference> attestationConveyancePreference)The argument for theattestationparameter in registration operations.RelyingParty.RelyingPartyBuilderattestationTrustSource(@NonNull AttestationTrustSource attestationTrustSource)AnAttestationTrustSourceinstance to use for looking up trust roots for authenticator attestation.RelyingParty.RelyingPartyBuilderattestationTrustSource(@NonNull java.util.Optional<AttestationTrustSource> attestationTrustSource)AnAttestationTrustSourceinstance to use for looking up trust roots for authenticator attestation.RelyingPartybuild()RelyingParty.RelyingPartyBuilderclock(@NonNull java.time.Clock clock)AClockwhich will be used to tell the current time while verifying attestation certificate chains.RelyingParty.RelyingPartyBuildercredentialRepository(@NonNull CredentialRepository credentialRepository)An abstract database which can look up credentials, usernames and user handles from usernames, user handles and credential IDs.RelyingParty.RelyingPartyBuilderidentity(@NonNull RelyingPartyIdentity identity)TheRelyingPartyIdentitythat will be set as therpparameter when initiating registration operations, and whichAuthenticatorData.getRpIdHash()will be compared against.RelyingParty.RelyingPartyBuilderorigins(@NonNull java.util.Set<java.lang.String> origins)The allowed origins that returned authenticator responses will be compared against.RelyingParty.RelyingPartyBuilderpreferredPubkeyParams(@NonNull java.util.List<PublicKeyCredentialParameters> preferredPubkeyParams)The argument for thepubKeyCredParamsparameter in registration operations.java.lang.StringtoString()RelyingParty.RelyingPartyBuildervalidateSignatureCounter(boolean validateSignatureCounter)Iftrue,finishAssertionwill succeed only if thesignature counter valuein the response is strictly greater than thestored signature counter value, or if both counters are exactly zero.
-
-
-
Method Detail
-
appId
public RelyingParty.RelyingPartyBuilder appId(@NonNull @NonNull java.util.Optional<AppId> appId)
The extension input to set for theappidandappidExcludeextensions.You do not need this extension if you have not previously supported U2F. Its purpose is to make already-registered U2F credentials forward-compatible with the WebAuthn API. It is not needed for new registrations, even of U2F authenticators.
If this member is set,
startAssertionwill automatically set theappidextension input, andfinishAssertionwill adjust its verification logic to also accept this AppID as an alternative to the RP ID. Likewise,RelyingParty.startRegistration(StartRegistrationOptions)startRegistration} will automatically set theappidExcludeextension input.By default, this is not set.
-
appId
public RelyingParty.RelyingPartyBuilder appId(@NonNull @NonNull AppId appId)
The extension input to set for theappidandappidExcludeextensions.You do not need this extension if you have not previously supported U2F. Its purpose is to make already-registered U2F credentials forward-compatible with the WebAuthn API. It is not needed for new registrations, even of U2F authenticators.
If this member is set,
startAssertionwill automatically set theappidextension input, andfinishAssertionwill adjust its verification logic to also accept this AppID as an alternative to the RP ID. Likewise,RelyingParty.startRegistration(StartRegistrationOptions)startRegistration} will automatically set theappidExcludeextension input.By default, this is not set.
-
attestationConveyancePreference
public RelyingParty.RelyingPartyBuilder attestationConveyancePreference(@NonNull @NonNull java.util.Optional<AttestationConveyancePreference> attestationConveyancePreference)
The argument for theattestationparameter in registration operations.Unless your application has a concrete policy for authenticator attestation, it is recommended to leave this parameter undefined.
If you set this, you may want to explicitly set
allowUntrustedAttestationandattestationTrustSourcetoo.By default, this is not set.
-
attestationConveyancePreference
public RelyingParty.RelyingPartyBuilder attestationConveyancePreference(@NonNull @NonNull AttestationConveyancePreference attestationConveyancePreference)
The argument for theattestationparameter in registration operations.Unless your application has a concrete policy for authenticator attestation, it is recommended to leave this parameter undefined.
If you set this, you may want to explicitly set
allowUntrustedAttestationandattestationTrustSourcetoo.By default, this is not set.
-
attestationTrustSource
public RelyingParty.RelyingPartyBuilder attestationTrustSource(@NonNull @NonNull java.util.Optional<AttestationTrustSource> attestationTrustSource)
AnAttestationTrustSourceinstance to use for looking up trust roots for authenticator attestation. This matters only ifRelyingParty.getAttestationConveyancePreference()is non-empty and not set toAttestationConveyancePreference.NONE.By default, this is not set.
-
attestationTrustSource
public RelyingParty.RelyingPartyBuilder attestationTrustSource(@NonNull @NonNull AttestationTrustSource attestationTrustSource)
AnAttestationTrustSourceinstance to use for looking up trust roots for authenticator attestation. This matters only ifRelyingParty.getAttestationConveyancePreference()is non-empty and not set toAttestationConveyancePreference.NONE.By default, this is not set.
-
identity
public RelyingParty.RelyingPartyBuilder identity(@NonNull @NonNull RelyingPartyIdentity identity)
TheRelyingPartyIdentitythat will be set as therpparameter when initiating registration operations, and whichAuthenticatorData.getRpIdHash()will be compared against. This is a required parameter.A successful registration or authentication operation requires
AuthenticatorData.getRpIdHash()to exactly equal the SHA-256 hash of this member'sidmember. Alternatively, it may instead equal the SHA-256 hash ofappIdif the latter is present.- Returns:
this.- See Also:
RelyingParty.startRegistration(StartRegistrationOptions),PublicKeyCredentialCreationOptions
-
origins
public RelyingParty.RelyingPartyBuilder origins(@NonNull @NonNull java.util.Set<java.lang.String> origins)
The allowed origins that returned authenticator responses will be compared against.The default is the set containing only the string
"https://" +.RelyingParty.getIdentity().getId()If
allowOriginPortandallowOriginSubdomainare bothfalse(the default), then a successful registration or authentication operation requiresCollectedClientData.getOrigin()to exactly equal one of these values.If
allowOriginPortistrue, then the above rule is relaxed to allow any port number inCollectedClientData.getOrigin(), regardless of any port specified.If
allowOriginSubdomainistrue, then the above rule is relaxed to allow any subdomain, of any depth, of any of these values.For either of the above relaxations to take effect, both the allowed origin and the client data origin must be valid URLs. Origins that are not valid URLs are matched only by exact string equality.
- Returns:
this.- See Also:
RelyingParty.getIdentity()
-
credentialRepository
public RelyingParty.RelyingPartyBuilder credentialRepository(@NonNull @NonNull CredentialRepository credentialRepository)
An abstract database which can look up credentials, usernames and user handles from usernames, user handles and credential IDs. This is a required parameter.This is used to look up:
- the user handle for a user logging in via user name
- the user name for a user logging in via user handle
- the credential IDs to include in
PublicKeyCredentialCreationOptions.getExcludeCredentials() - the credential IDs to include in
PublicKeyCredentialRequestOptions.getAllowCredentials() - that the correct user owns the credential when verifying an assertion
- the public key to use to verify an assertion
- the stored signature counter when verifying an assertion
- Returns:
this.
-
preferredPubkeyParams
public RelyingParty.RelyingPartyBuilder preferredPubkeyParams(@NonNull @NonNull java.util.List<PublicKeyCredentialParameters> preferredPubkeyParams)
The argument for thepubKeyCredParamsparameter in registration operations.This is a list of acceptable public key algorithms and their parameters, ordered from most to least preferred.
The default is the following list:
- Returns:
this.- See Also:
PublicKeyCredentialCreationOptions.getAttestation(), §6.4. Attestation
-
allowOriginPort
public RelyingParty.RelyingPartyBuilder allowOriginPort(boolean allowOriginPort)
Iftrue, the origin matching rule is relaxed to allow any port number.The default is
false.Examples with
origins: ["https://example.org", "https://accounts.example.org", "https://acme.com:8443"]-
allowOriginPort: falseAccepted:
https://example.orghttps://accounts.example.orghttps://acme.com:8443
Rejected:
https://example.org:8443https://shop.example.orghttps://acme.comhttps://acme.com:9000
-
allowOriginPort: trueAccepted:
https://example.orghttps://example.org:8443https://accounts.example.orghttps://acme.comhttps://acme.com:8443https://acme.com:9000
Rejected:
https://shop.example.org
- Returns:
this.
-
-
allowOriginSubdomain
public RelyingParty.RelyingPartyBuilder allowOriginSubdomain(boolean allowOriginSubdomain)
Iftrue, the origin matching rule is relaxed to allow any subdomain, of any depth, of the values oforigins.The default is
false.Examples with
origins: ["https://example.org", "https://acme.com:8443"]-
allowOriginSubdomain: falseAccepted:
https://example.orghttps://acme.com:8443
Rejected:
https://example.org:8443https://accounts.example.orghttps://acme.comhttps://eu.shop.acme.com:8443
-
allowOriginSubdomain: trueAccepted:
https://example.orghttps://accounts.example.orghttps://acme.com:8443https://eu.shop.acme.com:8443
Rejected:
https://example.org:8443https://acme.com
- Returns:
this.
-
-
allowUntrustedAttestation
public RelyingParty.RelyingPartyBuilder allowUntrustedAttestation(boolean allowUntrustedAttestation)
Iffalse,finishRegistrationwill only allow registrations where the attestation signature can be linked to a trusted attestation root. This excludes none attestation, and self attestation unless the self attestation key is explicitly trusted.Regardless of the value of this option, invalid attestation statements of supported formats will always be rejected. For example, a "packed" attestation statement with an invalid signature will be rejected even if this option is set to
true.The default is
true.- Returns:
this.
-
validateSignatureCounter
public RelyingParty.RelyingPartyBuilder validateSignatureCounter(boolean validateSignatureCounter)
Iftrue,finishAssertionwill succeed only if thesignature counter valuein the response is strictly greater than thestored signature counter value, or if both counters are exactly zero.The default is
true.- Returns:
this.
-
clock
public RelyingParty.RelyingPartyBuilder clock(@NonNull @NonNull java.time.Clock clock)
AClockwhich will be used to tell the current time while verifying attestation certificate chains.This is intended primarily for testing, and relevant only if
attestationTrustSource(AttestationTrustSource)is set.The default is
Clock.systemUTC().- Returns:
this.
-
build
public RelyingParty build()
-
toString
public java.lang.String toString()
- Overrides:
toStringin classjava.lang.Object
-
-