fido2.server

Attributes

VerifyAttestation

VerifyOrigin

Classes

Fido2Server

FIDO2 server.

Functions

to_descriptor(credential[, transports])

Converts an AttestedCredentialData to a PublicKeyCredentialDescriptor.

Module Contents

fido2.server.VerifyAttestation
fido2.server.VerifyOrigin
fido2.server.to_descriptor(credential, transports=None)[source]

Converts an AttestedCredentialData to a PublicKeyCredentialDescriptor.

Parameters:
  • credential (fido2.webauthn.AttestedCredentialData) – AttestedCredentialData containing the credential ID to use.

  • transports – Optional list of AuthenticatorTransport strings to add to the descriptor.

Returns:

A descriptor of the credential, for use with register_begin or authenticate_begin.

Return type:

PublicKeyCredentialDescriptor

class fido2.server.Fido2Server(rp, attestation=None, verify_origin=None, verify_attestation=None)[source]

FIDO2 server.

Parameters:
  • rp (fido2.webauthn.PublicKeyCredentialRpEntity) – Relying party data as PublicKeyCredentialRpEntity instance.

  • attestation (fido2.webauthn.AttestationConveyancePreference | None) – (optional) Requirement on authenticator attestation.

  • verify_origin (VerifyOrigin | None) – (optional) Alternative function to validate an origin.

  • verify_attestation (VerifyAttestation | None) – (optional) function to validate attestation, which is invoked with attestation_object and client_data_hash. It should return nothing and raise an exception on failure. By default, attestation is ignored. Attestation is also ignored if attestation is set to none.
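
An exact-match origin allow-list that could be supplied as verify_origin. This is an added example, not code from the fido2 project. It assumes the callback is called with the origin string from the client data and returns True to accept it; make_origin_verifier, _normalize and the sample origins are hypothetical names constructed for illustration.

```python
from urllib.parse import urlsplit


def _normalize(origin):
    """Return (scheme, host, port) for a well-formed https origin, else None."""
    if not isinstance(origin, str):
        return None
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError on a malformed or out-of-range port
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    # A web origin carries no userinfo, path, query or fragment.
    if parts.username is not None or parts.password is not None:
        return None
    if parts.path or parts.query or parts.fragment:
        return None
    # Make the default https port explicit so ":443" and no port compare equal.
    return (parts.scheme, parts.hostname.lower(), 443 if port is None else port)


def make_origin_verifier(allowed_origins):
    """Build a callable for the verify_origin parameter (assumed: str -> bool)."""
    allowed = {_normalize(origin) for origin in allowed_origins}
    if None in allowed:
        raise ValueError("allow-list contains an entry that is not an https origin")

    def verify_origin(origin):
        normalized = _normalize(origin)
        # Exact tuple match only: no suffix, prefix or wildcard comparison.
        return normalized is not None and normalized in allowed

    return verify_origin


# Constructed sample allow-list for a hypothetical relying party.
verify = make_origin_verifier(
    ["https://login.example.com", "https://example.com:8443"]
)

# Usage (assumes fido2 is installed and rp is a PublicKeyCredentialRpEntity):
#   server = Fido2Server(rp, verify_origin=verify)
```

Origins that are not https URLs, such as native-app origins, are rejected by this verifier and would need their own explicit handling.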

rp = None
timeout = None
attestation
allowed_algorithms
register_begin(user, credentials=None, resident_key_requirement=None, user_verification=None, authenticator_attachment=None, challenge=None, extensions=None)[source]

Return a PublicKeyCredentialCreationOptions registration object and the internal state dictionary that needs to be passed as is to the corresponding register_complete call.

Parameters:
Returns:

Registration data, internal state.

Return type:

tuple[fido2.webauthn.CredentialCreationOptions, Any]

register_complete(state, response)[source]

Verify the correctness of the registration data received from the client.

Parameters:
Returns:

The authenticator data.

Return type:

fido2.webauthn.AuthenticatorData

authenticate_begin(credentials=None, user_verification=None, challenge=None, extensions=None)[source]

Return a PublicKeyCredentialRequestOptions assertion object and the internal state dictionary that needs to be passed as is to the corresponding authenticate_complete call.

Parameters:
Returns:

Assertion data, internal state.

Return type:

tuple[fido2.webauthn.CredentialRequestOptions, Any]

authenticate_complete(state, credentials, response)[source]

Verify the correctness of the assertion data received from the client.

Parameters:
  • state – The state data returned by the corresponding authenticate_begin.

  • credentials (Sequence[fido2.webauthn.AttestedCredentialData]) – The list of previously registered credentials.

  • credential_id – The credential id from the client response.

  • client_data – The client data.

  • auth_data – The authenticator data.

  • signature – The signature provided by the client.

  • response (fido2.webauthn.AuthenticationResponse | Mapping[str, Any])

Return type:

fido2.webauthn.AttestedCredentialData