fido2.server
Attributes
Classes
FIDO2 server. |
|
Fido2Server which can be used with existing U2F credentials. |
Functions
|
Converts an AttestedCredentialData to a PublicKeyCredentialDescriptor. |
|
Checks if a FIDO U2F App ID is usable for a given origin. |
Module Contents
- fido2.server.VerifyAttestation
- fido2.server.VerifyOrigin
- fido2.server.to_descriptor(credential, transports=None)[source]
Converts an AttestedCredentialData to a PublicKeyCredentialDescriptor.
- Parameters:
credential (fido2.webauthn.AttestedCredentialData) – AttestedCredentialData containing the credential ID to use.
transports – Optional list of AuthenticatorTransport strings to add to the descriptor.
- Returns:
A descriptor of the credential, for use with register_begin or authenticate_begin.
- Return type:
- class fido2.server.Fido2Server(rp, attestation=None, verify_origin=None, verify_attestation=None)[source]
FIDO2 server.
- Parameters:
rp (fido2.webauthn.PublicKeyCredentialRpEntity) – Relying party data as PublicKeyCredentialRpEntity instance.
attestation (Optional[fido2.webauthn.AttestationConveyancePreference]) – (optional) Requirement on authenticator attestation.
verify_origin (Optional[VerifyOrigin]) – (optional) Alternative function to validate an origin.
verify_attestation (Optional[VerifyAttestation]) – (optional) function to validate attestation, which is invoked with attestation_object and client_data_hash. It should return nothing and raise an exception on failure. By default, attestation is ignored. Attestation is also ignored if attestation is set to none.
- rp
- timeout = None
- attestation
- allowed_algorithms
- register_begin(user, credentials=None, resident_key_requirement=None, user_verification=None, authenticator_attachment=None, challenge=None, extensions=None)[source]
Return a PublicKeyCredentialCreationOptions registration object and the internal state dictionary that needs to be passed as is to the corresponding register_complete call.
- Parameters:
user (fido2.webauthn.PublicKeyCredentialUserEntity) – The dict containing the user data.
credentials (Optional[Sequence[Union[fido2.webauthn.AttestedCredentialData, fido2.webauthn.PublicKeyCredentialDescriptor]]]) – The list of previously registered credentials, these can be of type AttestedCredentialData, or PublicKeyCredentialDescriptor.
resident_key_requirement (Optional[fido2.webauthn.ResidentKeyRequirement]) – The desired RESIDENT_KEY_REQUIREMENT level.
user_verification (Optional[fido2.webauthn.UserVerificationRequirement]) – The desired USER_VERIFICATION level.
authenticator_attachment (Optional[fido2.webauthn.AuthenticatorAttachment]) – The desired AUTHENTICATOR_ATTACHMENT or None to not provide a preference (and get both types).
challenge (Optional[bytes]) – A custom challenge to sign and verify or None to use OS-specific random bytes.
- Returns:
Registration data, internal state.
- Return type:
Tuple[fido2.webauthn.CredentialCreationOptions, Any]
- register_complete(state, response: fido2.webauthn.RegistrationResponse | Mapping[str, Any]) fido2.webauthn.AuthenticatorData[source]
- register_complete(state, client_data: fido2.webauthn.CollectedClientData, attestation_object: fido2.webauthn.AttestationObject) fido2.webauthn.AuthenticatorData
Verify the correctness of the registration data received from the client.
- Parameters:
state – The state data returned by the corresponding register_begin.
client_data – The client data.
attestation_object – The attestation object.
- Returns:
The authenticator data
- authenticate_begin(credentials=None, user_verification=None, challenge=None, extensions=None)[source]
Return a PublicKeyCredentialRequestOptions assertion object and the internal state dictionary that needs to be passed as is to the corresponding authenticate_complete call.
- Parameters:
credentials (Optional[Sequence[Union[fido2.webauthn.AttestedCredentialData, fido2.webauthn.PublicKeyCredentialDescriptor]]]) – The list of previously registered credentials, these can be of type AttestedCredentialData, or PublicKeyCredentialDescriptor.
user_verification (Optional[fido2.webauthn.UserVerificationRequirement]) – The desired USER_VERIFICATION level.
challenge (Optional[bytes]) – A custom challenge to sign and verify or None to use OS-specific random bytes.
- Returns:
Assertion data, internal state.
- Return type:
Tuple[fido2.webauthn.CredentialRequestOptions, Any]
- authenticate_complete(state, credentials: Sequence[fido2.webauthn.AttestedCredentialData], response: fido2.webauthn.AuthenticationResponse | Mapping[str, Any]) fido2.webauthn.AttestedCredentialData[source]
- authenticate_complete(state, credentials: Sequence[fido2.webauthn.AttestedCredentialData], credential_id: bytes, client_data: fido2.webauthn.CollectedClientData, auth_data: fido2.webauthn.AuthenticatorData, signature: bytes) fido2.webauthn.AttestedCredentialData
Verify the correctness of the assertion data received from the client.
- Parameters:
state – The state data returned by the corresponding register_begin.
credentials – The list of previously registered credentials.
credential_id – The credential id from the client response.
client_data – The client data.
auth_data – The authenticator data.
signature – The signature provided by the client.
- fido2.server.verify_app_id(app_id, origin)[source]
Checks if a FIDO U2F App ID is usable for a given origin.
- Parameters:
- Returns:
True if the App ID is usable by the origin, False if not.
- Return type:
Deprecated since version 1.2.0: This will be removed in python-fido2 2.0.
- class fido2.server.U2FFido2Server(app_id, rp, verify_u2f_origin=None, *args, **kwargs)[source]
Bases:
Fido2ServerFido2Server which can be used with existing U2F credentials.
This Fido2Server can be used with existing U2F credentials by using the WebAuthn appid extension, as well as with new WebAuthn credentials. See https://www.w3.org/TR/webauthn/#sctn-appid-extension for details.
- Parameters:
app_id (str) – The appId which was used for U2F registration.
verify_u2f_origin (Optional[VerifyOrigin]) – (optional) Alternative function to validate an origin for U2F credentials.
For other parameters, see Fido2Server.
Deprecated since version 1.2.0: This will be removed in python-fido2 2.0.
- register_begin(*args, **kwargs)[source]
Return a PublicKeyCredentialCreationOptions registration object and the internal state dictionary that needs to be passed as is to the corresponding register_complete call.
- Parameters:
user – The dict containing the user data.
credentials – The list of previously registered credentials, these can be of type AttestedCredentialData, or PublicKeyCredentialDescriptor.
resident_key_requirement – The desired RESIDENT_KEY_REQUIREMENT level.
user_verification – The desired USER_VERIFICATION level.
authenticator_attachment – The desired AUTHENTICATOR_ATTACHMENT or None to not provide a preference (and get both types).
challenge – A custom challenge to sign and verify or None to use OS-specific random bytes.
- Returns:
Registration data, internal state.
- authenticate_begin(*args, **kwargs)[source]
Return a PublicKeyCredentialRequestOptions assertion object and the internal state dictionary that needs to be passed as is to the corresponding authenticate_complete call.
- Parameters:
credentials – The list of previously registered credentials, these can be of type AttestedCredentialData, or PublicKeyCredentialDescriptor.
user_verification – The desired USER_VERIFICATION level.
challenge – A custom challenge to sign and verify or None to use OS-specific random bytes.
- Returns:
Assertion data, internal state.
- authenticate_complete(*args, **kwargs)[source]
Verify the correctness of the assertion data received from the client.
- Parameters:
state – The state data returned by the corresponding register_begin.
credentials – The list of previously registered credentials.
credential_id – The credential id from the client response.
client_data – The client data.
auth_data – The authenticator data.
signature – The signature provided by the client.