fido2.ctap2.extensions

Classes

ExtensionProcessor

Base class for CTAP2 extension processing.

RegistrationExtensionProcessor

Processing state for a CTAP2 extension, for single use.

AuthenticationExtensionProcessor

Processing state for a CTAP2 extension, for single use.

Ctap2Extension

Base class for CTAP2 extensions.

HMACGetSecretInput

Client inputs for hmac-secret.

HMACGetSecretOutput

Client outputs for hmac-secret.

AuthenticatorExtensionsPRFValues

Salt values for use with prf.

AuthenticatorExtensionsPRFInputs

Client inputs for prf.

AuthenticatorExtensionsPRFOutputs

Client outputs for prf.

HmacSecretExtension

Implements the Pseudo-random function (prf) and the hmac-secret CTAP2 extensions.

AuthenticatorExtensionsLargeBlobInputs

Client inputs for largeBlob.

AuthenticatorExtensionsLargeBlobOutputs

Client outputs for largeBlob.

LargeBlobExtension

Implements the Large Blob storage (largeBlob) WebAuthn extension.

CredBlobExtension

Implements the Credential Blob (credBlob) CTAP2 extension.

CredProtectExtension

Implements the Credential Protection CTAP2 extension.

MinPinLengthExtension

Implements the Minimum PIN Length (minPinLength) CTAP2 extension.

CredentialPropertiesOutput

Client outputs for credProps.

CredPropsExtension

Implements the Credential Properties (credProps) WebAuthn extension.

PaymentCurrencyAmount

A data class with members also accessible as a JSON-serializable Mapping.

PaymentCredentialInstrument

A data class with members also accessible as a JSON-serializable Mapping.

AuthenticationExtensionsPaymentInputs

Client inputs for payment.

ThirdPartyPaymentExtension

Implements the Third Party Payment (thirdPartyPayment) CTAP2.2 extension.

Module Contents

class fido2.ctap2.extensions.ExtensionProcessor(permissions=ClientPin.PERMISSION(0), inputs=None, outputs=None)[source]

Bases: abc.ABC

Base class for CTAP2 extension processing.

See: RegistrationExtensionProcessor and AuthenticationExtensionProcessor.

Parameters:
permissions

class fido2.ctap2.extensions.RegistrationExtensionProcessor(permissions=ClientPin.PERMISSION(0), inputs=None, outputs=None)[source]

Bases: ExtensionProcessor

Processing state for a CTAP2 extension, for single use.

The ExtensionProcessor holds state and logic for client processing of an extension, for a registration (MakeCredential) call.

Parameters:
  • permissions (fido2.ctap2.pin.ClientPin.PERMISSION) – PinUvAuthToken permissions required by the extension.

  • inputs (dict[str, Any] | None) – Default authenticator inputs, if prepare_inputs is not overridden.

  • outputs (dict[str, Any] | None) – Default client outputs, if prepare_outputs is not overridden.

prepare_inputs(pin_token)[source]

Prepare authenticator extension inputs, to be passed to the Authenticator.

Parameters:

pin_token (bytes | None)

Return type:

dict[str, Any] | None

prepare_outputs(response, pin_token)[source]

Prepare client extension outputs, to be returned to the caller.

Parameters:
Return type:

dict[str, Any] | None

class fido2.ctap2.extensions.AuthenticationExtensionProcessor(permissions=ClientPin.PERMISSION(0), inputs=None, outputs=None)[source]

Bases: ExtensionProcessor

Processing state for a CTAP2 extension, for single use.

The ExtensionProcessor holds state and logic for client processing of an extension, for an authentication (GetAssertion) call.

Parameters:
  • permissions (fido2.ctap2.pin.ClientPin.PERMISSION) – PinUvAuthToken permissions required by the extension.

  • inputs (dict[str, Any] | None) – Default authenticator inputs, if prepare_inputs is not overridden.

  • outputs (dict[str, Any] | None) – Default client outputs, if prepare_outputs is not overridden.

prepare_inputs(selected, pin_token)[source]

Prepare authenticator extension inputs, to be passed to the Authenticator.

Parameters:
Return type:

dict[str, Any] | None

prepare_outputs(response, pin_token)[source]

Prepare client extension outputs, to be returned to the caller.

Parameters:
Return type:

dict[str, Any] | None

class fido2.ctap2.extensions.Ctap2Extension[source]

Bases: abc.ABC

Base class for CTAP2 extensions.

As of python-fido2 1.2 these instances can be used for multiple requests and should be invoked via the make_credential and get_assertion methods. Subclasses are instantiated for a single request, if the Authenticator supports the extension.

abstractmethod is_supported(ctap)[source]

Whether or not the extension is supported by the authenticator.

Parameters:

ctap (fido2.ctap2.base.Ctap2)

Return type:

bool

make_credential(ctap, options, pin_protocol)[source]

Start client extension processing for registration.

Parameters:
Return type:

RegistrationExtensionProcessor | None

get_assertion(ctap, options, pin_protocol)[source]

Start client extension processing for authentication.

Parameters:
Return type:

AuthenticationExtensionProcessor | None

class fido2.ctap2.extensions.HMACGetSecretInput[source]

Bases: fido2.utils._JsonDataObject

Client inputs for hmac-secret.

salt1: bytes
salt2: bytes | None = None

class fido2.ctap2.extensions.HMACGetSecretOutput[source]

Bases: fido2.utils._JsonDataObject

Client outputs for hmac-secret.

output1: bytes
output2: bytes | None = None

class fido2.ctap2.extensions.AuthenticatorExtensionsPRFValues[source]

Bases: fido2.utils._JsonDataObject

Salt values for use with prf.

first: bytes
second: bytes | None = None

class fido2.ctap2.extensions.AuthenticatorExtensionsPRFInputs[source]

Bases: fido2.utils._JsonDataObject

Client inputs for prf.

eval: AuthenticatorExtensionsPRFValues | None = None
eval_by_credential: Mapping[str, AuthenticatorExtensionsPRFValues] | None = None

class fido2.ctap2.extensions.AuthenticatorExtensionsPRFOutputs[source]

Bases: fido2.utils._JsonDataObject

Client outputs for prf.

enabled: bool | None = None
results: AuthenticatorExtensionsPRFValues | None = None

class fido2.ctap2.extensions.HmacSecretExtension(allow_hmac_secret=False)[source]

Bases: Ctap2Extension

Implements the Pseudo-random function (prf) and the hmac-secret CTAP2 extensions.

The hmac-secret extension is not directly available to clients by default, instead the prf extension is used.

https://www.w3.org/TR/webauthn-3/#prf-extension

https://fidoalliance.org/specs/fido-v2.1-rd-20201208/fido-client-to-authenticator-protocol-v2.1-rd-20201208.html#sctn-hmac-secret-extension

Parameters:

allow_hmac_secret – Set to True to allow hmac-secret, in addition to prf.

NAME = 'hmac-secret'
MC_NAME = 'hmac-secret-mc'
SALT_LEN = 32

is_supported(ctap)[source]

Whether or not the extension is supported by the authenticator.

make_credential(ctap, options, pin_protocol)[source]

Start client extension processing for registration.

get_assertion(ctap, options, pin_protocol)[source]

Start client extension processing for authentication.
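As an added example (not code from python-fido2), the client-side mapping that the prf extension performs before the hmac-secret call: per the WebAuthn prf specification linked above, each prf salt is hashed as SHA-256("WebAuthn PRF" || 0x00 || salt) to yield a 32-byte hmac-secret salt (SALT_LEN), and during GetAssertion the eval_by_credential entry keyed by the selected credential's base64url ID takes precedence over eval. Plain tuples and dicts stand in for AuthenticatorExtensionsPRFValues and HMACGetSecretInput, and the function names are this example's own.

```python
import hashlib
from base64 import urlsafe_b64encode
from typing import Mapping, Optional, Tuple

SALT_LEN = 32  # same value as HmacSecretExtension.SALT_LEN on this page
PRFValues = Tuple[bytes, Optional[bytes]]  # (first, second), stand-in for AuthenticatorExtensionsPRFValues


def prf_salt_to_hmac_secret(salt: bytes) -> bytes:
    """Map a prf salt to the hmac-secret salt sent to the authenticator.

    The fixed "WebAuthn PRF" prefix is domain separation: a relying party
    using prf cannot obtain the raw hmac-secret output for a salt of its
    own choosing, only the output for the hashed salt.
    """
    return hashlib.sha256(b"WebAuthn PRF" + b"\x00" + salt).digest()


def cred_id_key(cred_id: bytes) -> str:
    """eval_by_credential keys are unpadded base64url credential IDs."""
    return urlsafe_b64encode(cred_id).rstrip(b"=").decode("ascii")


def select_prf_values(
    eval_: Optional[PRFValues],
    eval_by_credential: Optional[Mapping[str, PRFValues]],
    selected_cred_id: Optional[bytes],
) -> Optional[PRFValues]:
    """Pick salts for the credential selected at GetAssertion; a per-credential entry wins over eval."""
    if selected_cred_id is not None and eval_by_credential:
        per_cred = eval_by_credential.get(cred_id_key(selected_cred_id))
        if per_cred is not None:
            return per_cred
    return eval_


def hmac_secret_salts(values: Optional[PRFValues]) -> Optional[dict]:
    """Build the salt1/salt2 inputs (cf. HMACGetSecretInput) from prf salts."""
    if values is None:
        return None
    first, second = values
    salts = {"salt1": prf_salt_to_hmac_secret(first)}
    if second is not None:
        salts["salt2"] = prf_salt_to_hmac_secret(second)
    assert all(len(s) == SALT_LEN for s in salts.values())  # sanity check on salt size
    return salts
```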

class fido2.ctap2.extensions.AuthenticatorExtensionsLargeBlobInputs[source]

Bases: fido2.utils._JsonDataObject

Client inputs for largeBlob.

support: str | None = None
read: bool | None = None
write: bytes | None = None

class fido2.ctap2.extensions.AuthenticatorExtensionsLargeBlobOutputs[source]

Bases: fido2.utils._JsonDataObject

Client outputs for largeBlob.

supported: bool | None = None
blob: bytes | None = None
written: bool | None = None

class fido2.ctap2.extensions.LargeBlobExtension[source]

Bases: Ctap2Extension

Implements the Large Blob storage (largeBlob) WebAuthn extension.

https://www.w3.org/TR/webauthn-3/#sctn-large-blob-extension

NAME = 'largeBlobKey'

is_supported(ctap)[source]

Whether or not the extension is supported by the authenticator.

make_credential(ctap, options, pin_protocol)[source]

Start client extension processing for registration.

get_assertion(ctap, options, pin_protocol)[source]

Start client extension processing for authentication.

class fido2.ctap2.extensions.CredBlobExtension[source]

Bases: Ctap2Extension

Implements the Credential Blob (credBlob) CTAP2 extension.

https://fidoalliance.org/specs/fido-v2.1-rd-20201208/fido-client-to-authenticator-protocol-v2.1-rd-20201208.html#sctn-credBlob-extension

NAME = 'credBlob'

is_supported(ctap)[source]

Whether or not the extension is supported by the authenticator.

make_credential(ctap, options, pin_protocol)[source]

Start client extension processing for registration.

get_assertion(ctap, options, pin_protocol)[source]

Start client extension processing for authentication.

class fido2.ctap2.extensions.CredProtectExtension[source]

Bases: Ctap2Extension

Implements the Credential Protection CTAP2 extension.

https://fidoalliance.org/specs/fido-v2.1-rd-20201208/fido-client-to-authenticator-protocol-v2.1-rd-20201208.html#sctn-credProtect-extension

class POLICY(*args, **kwds)[source]

Bases: enum.Enum

Credential protection policy levels for the credProtect extension.

OPTIONAL = 'userVerificationOptional'
OPTIONAL_WITH_LIST = 'userVerificationOptionalWithCredentialIDList'
REQUIRED = 'userVerificationRequired'

NAME = 'credProtect'

is_supported(ctap)[source]

Whether or not the extension is supported by the authenticator.

make_credential(ctap, options, pin_protocol)[source]

Start client extension processing for registration.

class fido2.ctap2.extensions.MinPinLengthExtension[source]

Bases: Ctap2Extension

Implements the Minimum PIN Length (minPinLength) CTAP2 extension.

https://fidoalliance.org/specs/fido-v2.1-rd-20201208/fido-client-to-authenticator-protocol-v2.1-rd-20201208.html#sctn-minpinlength-extension

NAME = 'minPinLength'

is_supported(ctap)[source]

Whether or not the extension is supported by the authenticator.

make_credential(ctap, options, pin_protocol)[source]

Start client extension processing for registration.

class fido2.ctap2.extensions.CredentialPropertiesOutput[source]

Bases: fido2.utils._JsonDataObject

Client outputs for credProps.

rk: bool | None = None

class fido2.ctap2.extensions.CredPropsExtension[source]

Bases: Ctap2Extension

Implements the Credential Properties (credProps) WebAuthn extension.

https://www.w3.org/TR/webauthn-3/#sctn-authenticator-credential-properties-extension

NAME = 'credProps'

is_supported(ctap)[source]

Whether or not the extension is supported by the authenticator.

make_credential(ctap, options, pin_protocol)[source]

Start client extension processing for registration.

class fido2.ctap2.extensions.PaymentCurrencyAmount[source]

Bases: fido2.utils._JsonDataObject

A data class with members also accessible as a JSON-serializable Mapping.

currency: str
value: str

class fido2.ctap2.extensions.PaymentCredentialInstrument[source]

Bases: fido2.utils._JsonDataObject

A data class with members also accessible as a JSON-serializable Mapping.

display_name: str
icon: str
icon_must_be_shown: bool = True

class fido2.ctap2.extensions.AuthenticationExtensionsPaymentInputs[source]

Bases: fido2.utils._JsonDataObject

Client inputs for payment.

is_payment: bool | None = None
rp_id: str | None = None
top_origin: str | None = None
payee_name: str | None = None
payee_origin: str | None = None
total: PaymentCurrencyAmount | None = None
instrument: PaymentCredentialInstrument | None = None

class fido2.ctap2.extensions.ThirdPartyPaymentExtension[source]

Bases: Ctap2Extension

Implements the Third Party Payment (thirdPartyPayment) CTAP2.2 extension.

https://fidoalliance.org/specs/fido-v2.2-ps-20250228/fido-client-to-authenticator-protocol-v2.2-ps-20250228.html#sctn-thirdPartyPayment-extension

Note that most of the processing for the WebAuthn extension needs to be done by the client, see: https://www.w3.org/TR/secure-payment-confirmation/#sctn-collectedclientpaymentdata-dictionary

As such, this extension is not included in the default extensions list, and should not be used without a client that supports the WebAuthn payment extension.

NAME = 'thirdPartyPayment'

is_supported(ctap)[source]

Whether or not the extension is supported by the authenticator.

make_credential(ctap, options, pin_protocol)[source]

Start client extension processing for registration.

get_assertion(ctap, options, pin_protocol)[source]

Start client extension processing for authentication.