fido2.client

Exceptions

`ClientError`	Base error raised by clients.
`PinRequiredError`	Raised when a call cannot be completed without providing PIN.

Classes

`AssertionSelection`	GetAssertion result holding one or more assertions.
`WebAuthnClient`	Base class for a WebAuthn client, supporting registration and authentication.
`UserInteraction`	Provides user interaction to the Client.
`Fido2Client`	WebAuthn-like client implementation.
`WindowsClient`	Fido2Client-like class using the Windows WebAuthn API.

Module Contents

exception fido2.client.ClientError(code, cause=None)[source]

Bases: Exception

Base error raised by clients.

class ERR[source]

Bases: enum.IntEnum

Error codes for ClientError.

OTHER_ERROR = 1

BAD_REQUEST = 2

CONFIGURATION_UNSUPPORTED = 3

DEVICE_INELIGIBLE = 4

TIMEOUT = 5

__call__(cause=None)[source]

code

cause

__repr__()[source]: Return repr(self).

exception fido2.client.PinRequiredError(code=ClientError.ERR.BAD_REQUEST, cause='PIN required but not provided')[source]

Bases: ClientError

Raised when a call cannot be completed without providing PIN.

class fido2.client.AssertionSelection(client_data, assertions, extension_results=None)[source]

GetAssertion result holding one or more assertions.

Since multiple assertions may be retured by Fido2Client.get_assertion, this result is returned which can be used to select a specific response to get.

Parameters:

client_data (fido2.webauthn.CollectedClientData)
assertions (Sequence[fido2.ctap2.AssertionResponse])

get_assertions()[source]

Get the raw AssertionResponses available to inspect before selecting one.

Return type:: Sequence[fido2.ctap2.AssertionResponse]

get_response(index)[source]

Get a single response.

Parameters:: index (int)
Return type:: fido2.webauthn.AuthenticatorAssertionResponse

class fido2.client.WebAuthnClient[source]

Bases: abc.ABC

Base class for a WebAuthn client, supporting registration and authentication.

abstract make_credential(options, event=None)[source]

Creates a credential.

Parameters:

options (fido2.webauthn.PublicKeyCredentialCreationOptions) – PublicKeyCredentialCreationOptions data.
event (threading.Event) – (optional) Signal to abort the operation.

Return type:

fido2.webauthn.AuthenticatorAttestationResponse

abstract get_assertion(options, event=None)[source]

Get an assertion.

Parameters:

options (fido2.webauthn.PublicKeyCredentialRequestOptions) – PublicKeyCredentialRequestOptions data.
event (threading.Event) – (optional) Signal to abort the operation.

Return type:

AssertionSelection

class fido2.client.UserInteraction[source]

Provides user interaction to the Client.

Users of Fido2Client should subclass this to implement asking the user to perform specific actions, such as entering a PIN or touching their

prompt_up()[source]

Called when the authenticator is awaiting a user presence check.

Return type:: None

request_pin(permissions, rp_id)[source]

Called when the client requires a PIN from the user.

Should return a PIN, or None/Empty to cancel.

Parameters:

permissions (fido2.ctap2.pin.ClientPin.PERMISSION)
rp_id (Optional[str])

Return type:

Optional[str]

request_uv(permissions, rp_id)[source]

Called when the client is about to request UV from the user.

Should return True if allowed, or False to cancel.

Parameters:

permissions (fido2.ctap2.pin.ClientPin.PERMISSION)
rp_id (Optional[str])

Return type:

bool

class fido2.client.Fido2Client(device, origin, verify=verify_rp_id, extension_types=_default_extensions(), user_interaction=UserInteraction(), extensions=[])[source]

Bases: WebAuthnClient, _BaseClient

WebAuthn-like client implementation.

The client allows registration and authentication of WebAuthn credentials against an Authenticator using CTAP (1 or 2).

Parameters:

device (fido2.ctap.CtapDevice) – CtapDevice to use.
origin (str) – The origin to use.
verify (Callable[[str, str], bool]) – Function to verify an RP ID for a given origin.
extension_types (Sequence[Type[fido2.ctap2.extensions.Ctap2Extension]])
user_interaction (UserInteraction)
extensions (Sequence[fido2.ctap2.extensions.Ctap2Extension])

property info: fido2.ctap2.Info

Return type:: fido2.ctap2.Info

selection(event=None)[source]

Parameters:: event (Optional[threading.Event])
Return type:: None

make_credential(options, event=None)[source]

Creates a credential.

Parameters:

options (fido2.webauthn.PublicKeyCredentialCreationOptions) – PublicKeyCredentialCreationOptions data.
event (threading.Event) – (optional) Signal to abort the operation.

Return type:

fido2.webauthn.AuthenticatorAttestationResponse

get_assertion(options, event=None)[source]

Get an assertion.

Parameters:

options (fido2.webauthn.PublicKeyCredentialRequestOptions) – PublicKeyCredentialRequestOptions data.
event (threading.Event) – (optional) Signal to abort the operation.

Return type:

AssertionSelection

class fido2.client.WindowsClient(origin, verify=verify_rp_id, handle=None, allow_hmac_secret=False)[source]

Bases: WebAuthnClient, _BaseClient

Fido2Client-like class using the Windows WebAuthn API.

Note: This class only works on Windows 10 19H1 or later. This is also when Windows started restricting access to FIDO devices, causing the standard client classes to require admin priveleges to run (unlike this one).

The make_credential and get_assertion methods are intended to work as a drop-in replacement for the Fido2Client methods of the same name.

Parameters:

origin (str) – The origin to use.
verify (Callable[[str, str], bool]) – Function to verify an RP ID for a given origin.
handle (ctypes.wintypes.HWND) – (optional) Window reference to use.

api

info

static is_available()[source]

Return type:: bool

make_credential(options, event=None)[source]

Create a credential using Windows WebAuthN APIs.

Parameters:

options – PublicKeyCredentialCreationOptions data.
event (threading.Event) – (optional) Signal to abort the operation.

get_assertion(options, event=None)[source]

Get assertion using Windows WebAuthN APIs.

Parameters:

options – PublicKeyCredentialRequestOptions data.
event (threading.Event) – (optional) Signal to abort the operation.