Class RelyingParty
- java.lang.Object
-
- com.yubico.webauthn.RelyingParty
-
public final class RelyingParty extends java.lang.Object
Encapsulates the four basic Web Authentication operations - start/finish registration, start/finish authentication - along with overall operational settings for them.This class has no mutable state. An instance of this class may therefore be thought of as a container for specialized versions (function closures) of these four operations rather than a stateful object.
-
-
Nested Class Summary
Nested Classes Modifier and Type Class Description static class
RelyingParty.RelyingPartyBuilder
-
Method Summary
All Methods Static Methods Instance Methods Concrete Methods Modifier and Type Method Description static RelyingParty.RelyingPartyBuilder.MandatoryStages
builder()
boolean
equals(java.lang.Object o)
AssertionResult
finishAssertion(FinishAssertionOptions finishAssertionOptions)
RegistrationResult
finishRegistration(FinishRegistrationOptions finishRegistrationOptions)
@NonNull java.util.Optional<AppId>
getAppId()
The extension input to set for theappid
andappidExclude
extensions.@NonNull java.util.Optional<AttestationConveyancePreference>
getAttestationConveyancePreference()
The argument for theattestation
parameter in registration operations.@NonNull java.util.Optional<AttestationTrustSource>
getAttestationTrustSource()
AnAttestationTrustSource
instance to use for looking up trust roots for authenticator attestation.@NonNull java.time.Clock
getClock()
AClock
which will be used to tell the current time while verifying attestation certificate chains.@NonNull CredentialRepository
getCredentialRepository()
An abstract database which can look up credentials, usernames and user handles from usernames, user handles and credential IDs.@NonNull RelyingPartyIdentity
getIdentity()
TheRelyingPartyIdentity
that will be set as therp
parameter when initiating registration operations, and whichAuthenticatorData.getRpIdHash()
will be compared against.@NonNull java.util.Set<java.lang.String>
getOrigins()
The allowed origins that returned authenticator responses will be compared against.@NonNull java.util.List<PublicKeyCredentialParameters>
getPreferredPubkeyParams()
The argument for thepubKeyCredParams
parameter in registration operations.int
hashCode()
boolean
isAllowOriginPort()
Iftrue
, the origin matching rule is relaxed to allow any port number.boolean
isAllowOriginSubdomain()
Iftrue
, the origin matching rule is relaxed to allow any subdomain, of any depth, of the values oforigins
.boolean
isAllowUntrustedAttestation()
Iffalse
,finishRegistration
will only allow registrations where the attestation signature can be linked to a trusted attestation root.boolean
isValidateSignatureCounter()
Iftrue
,finishAssertion
will succeed only if thesignature counter value
in the response is strictly greater than thestored signature counter value
, or if both counters are exactly zero.AssertionRequest
startAssertion(StartAssertionOptions startAssertionOptions)
PublicKeyCredentialCreationOptions
startRegistration(StartRegistrationOptions startRegistrationOptions)
RelyingParty.RelyingPartyBuilder
toBuilder()
java.lang.String
toString()
-
-
-
Method Detail
-
startRegistration
public PublicKeyCredentialCreationOptions startRegistration(StartRegistrationOptions startRegistrationOptions)
-
finishRegistration
public RegistrationResult finishRegistration(FinishRegistrationOptions finishRegistrationOptions) throws RegistrationFailedException
- Throws:
RegistrationFailedException
-
startAssertion
public AssertionRequest startAssertion(StartAssertionOptions startAssertionOptions)
-
finishAssertion
public AssertionResult finishAssertion(FinishAssertionOptions finishAssertionOptions) throws AssertionFailedException
- Throws:
InvalidSignatureCountException
- ifvalidateSignatureCounter
istrue
, thesignature count
in the response is less than or equal to thestored signature count
, and at least one of the signature count values is nonzero.AssertionFailedException
- if validation fails for any other reason.
-
builder
public static RelyingParty.RelyingPartyBuilder.MandatoryStages builder()
-
toBuilder
public RelyingParty.RelyingPartyBuilder toBuilder()
-
getIdentity
@NonNull public @NonNull RelyingPartyIdentity getIdentity()
TheRelyingPartyIdentity
that will be set as therp
parameter when initiating registration operations, and whichAuthenticatorData.getRpIdHash()
will be compared against. This is a required parameter.A successful registration or authentication operation requires
AuthenticatorData.getRpIdHash()
to exactly equal the SHA-256 hash of this member'sid
member. Alternatively, it may instead equal the SHA-256 hash ofappId
if the latter is present.
-
getOrigins
@NonNull public @NonNull java.util.Set<java.lang.String> getOrigins()
The allowed origins that returned authenticator responses will be compared against.The default is the set containing only the string
"https://" +
.getIdentity()
.getId()If
allowOriginPort
andallowOriginSubdomain
are bothfalse
(the default), then a successful registration or authentication operation requiresCollectedClientData.getOrigin()
to exactly equal one of these values.If
allowOriginPort
istrue
, then the above rule is relaxed to allow any port number inCollectedClientData.getOrigin()
, regardless of any port specified.If
allowOriginSubdomain
istrue
, then the above rule is relaxed to allow any subdomain, of any depth, of any of these values.For either of the above relaxations to take effect, both the allowed origin and the client data origin must be valid URLs. Origins that are not valid URLs are matched only by exact string equality.
- See Also:
getIdentity()
-
getCredentialRepository
@NonNull public @NonNull CredentialRepository getCredentialRepository()
An abstract database which can look up credentials, usernames and user handles from usernames, user handles and credential IDs. This is a required parameter.This is used to look up:
- the user handle for a user logging in via user name
- the user name for a user logging in via user handle
- the credential IDs to include in
PublicKeyCredentialCreationOptions.getExcludeCredentials()
- the credential IDs to include in
PublicKeyCredentialRequestOptions.getAllowCredentials()
- that the correct user owns the credential when verifying an assertion
- the public key to use to verify an assertion
- the stored signature counter when verifying an assertion
-
getAppId
@NonNull public @NonNull java.util.Optional<AppId> getAppId()
The extension input to set for theappid
andappidExclude
extensions.You do not need this extension if you have not previously supported U2F. Its purpose is to make already-registered U2F credentials forward-compatible with the WebAuthn API. It is not needed for new registrations, even of U2F authenticators.
If this member is set,
startAssertion
will automatically set theappid
extension input, andfinishAssertion
will adjust its verification logic to also accept this AppID as an alternative to the RP ID. Likewise,startRegistration(StartRegistrationOptions)
startRegistration} will automatically set theappidExclude
extension input.By default, this is not set.
-
getAttestationConveyancePreference
@NonNull public @NonNull java.util.Optional<AttestationConveyancePreference> getAttestationConveyancePreference()
The argument for theattestation
parameter in registration operations.Unless your application has a concrete policy for authenticator attestation, it is recommended to leave this parameter undefined.
If you set this, you may want to explicitly set
allowUntrustedAttestation
andattestationTrustSource
too.By default, this is not set.
-
getAttestationTrustSource
@NonNull public @NonNull java.util.Optional<AttestationTrustSource> getAttestationTrustSource()
AnAttestationTrustSource
instance to use for looking up trust roots for authenticator attestation. This matters only ifgetAttestationConveyancePreference()
is non-empty and not set toAttestationConveyancePreference.NONE
.By default, this is not set.
-
getPreferredPubkeyParams
@NonNull public @NonNull java.util.List<PublicKeyCredentialParameters> getPreferredPubkeyParams()
The argument for thepubKeyCredParams
parameter in registration operations.This is a list of acceptable public key algorithms and their parameters, ordered from most to least preferred.
The default is the following list, in order:
-
isAllowOriginPort
public boolean isAllowOriginPort()
Iftrue
, the origin matching rule is relaxed to allow any port number.The default is
false
.Examples with
origins: ["https://example.org", "https://accounts.example.org", "https://acme.com:8443"]
-
allowOriginPort: false
Accepted:
https://example.org
https://accounts.example.org
https://acme.com:8443
Rejected:
https://example.org:8443
https://shop.example.org
https://acme.com
https://acme.com:9000
-
allowOriginPort: true
Accepted:
https://example.org
https://example.org:8443
https://accounts.example.org
https://acme.com
https://acme.com:8443
https://acme.com:9000
Rejected:
https://shop.example.org
-
-
isAllowOriginSubdomain
public boolean isAllowOriginSubdomain()
Iftrue
, the origin matching rule is relaxed to allow any subdomain, of any depth, of the values oforigins
.The default is
false
.Examples with
origins: ["https://example.org", "https://acme.com:8443"]
-
allowOriginSubdomain: false
Accepted:
https://example.org
https://acme.com:8443
Rejected:
https://example.org:8443
https://accounts.example.org
https://acme.com
https://eu.shop.acme.com:8443
-
allowOriginSubdomain: true
Accepted:
https://example.org
https://accounts.example.org
https://acme.com:8443
https://eu.shop.acme.com:8443
Rejected:
https://example.org:8443
https://acme.com
-
-
isAllowUntrustedAttestation
public boolean isAllowUntrustedAttestation()
Iffalse
,finishRegistration
will only allow registrations where the attestation signature can be linked to a trusted attestation root. This excludes none attestation, and self attestation unless the self attestation key is explicitly trusted.Regardless of the value of this option, invalid attestation statements of supported formats will always be rejected. For example, a "packed" attestation statement with an invalid signature will be rejected even if this option is set to
true
.The default is
true
.
-
isValidateSignatureCounter
public boolean isValidateSignatureCounter()
Iftrue
,finishAssertion
will succeed only if thesignature counter value
in the response is strictly greater than thestored signature counter value
, or if both counters are exactly zero.The default is
true
.
-
getClock
@NonNull public @NonNull java.time.Clock getClock()
AClock
which will be used to tell the current time while verifying attestation certificate chains.This is intended primarily for testing, and relevant only if
RelyingParty.RelyingPartyBuilder.attestationTrustSource(AttestationTrustSource)
is set.The default is
Clock.systemUTC()
.
-
equals
public boolean equals(java.lang.Object o)
- Overrides:
equals
in classjava.lang.Object
-
hashCode
public int hashCode()
- Overrides:
hashCode
in classjava.lang.Object
-
toString
public java.lang.String toString()
- Overrides:
toString
in classjava.lang.Object
-
-