fido2.webauthn

Classes

`Aaguid`	bytes(iterable_of_ints) -> bytes
`AttestedCredentialData`	bytes(iterable_of_ints) -> bytes
`AuthenticatorData`	Binary encoding of the authenticator data.
`AttestationObject`	Binary CBOR encoded attestation object.
`CollectedClientData`	bytes(iterable_of_ints) -> bytes
`AttestationConveyancePreference`	Enum of strings for WebAuthn types.
`UserVerificationRequirement`	Enum of strings for WebAuthn types.
`ResidentKeyRequirement`	Enum of strings for WebAuthn types.
`AuthenticatorAttachment`	Enum of strings for WebAuthn types.
`AuthenticatorTransport`	Enum of strings for WebAuthn types.
`PublicKeyCredentialType`	Enum of strings for WebAuthn types.
`PublicKeyCredentialRpEntity`	A data class with members also accessible as a JSON-serializable Mapping.
`PublicKeyCredentialUserEntity`	A data class with members also accessible as a JSON-serializable Mapping.
`PublicKeyCredentialParameters`	A data class with members also accessible as a JSON-serializable Mapping.
`PublicKeyCredentialDescriptor`	A data class with members also accessible as a JSON-serializable Mapping.
`AuthenticatorSelectionCriteria`	A data class with members also accessible as a JSON-serializable Mapping.
`PublicKeyCredentialCreationOptions`	A data class with members also accessible as a JSON-serializable Mapping.
`PublicKeyCredentialRequestOptions`	A data class with members also accessible as a JSON-serializable Mapping.
`AuthenticatorAttestationResponse`	A data class with members also accessible as a JSON-serializable Mapping.
`AuthenticatorAssertionResponse`	A data class with members also accessible as a JSON-serializable Mapping.
`RegistrationResponse`	A data class with members also accessible as a JSON-serializable Mapping.
`AuthenticationResponse`	A data class with members also accessible as a JSON-serializable Mapping.
`CredentialCreationOptions`	A data class with members also accessible as a JSON-serializable Mapping.
`CredentialRequestOptions`	A data class with members also accessible as a JSON-serializable Mapping.
`AuthenticationExtensionsClientOutputs`	Holds extension output from a call to MakeCredential or GetAssertion.

Module Contents

class fido2.webauthn.Aaguid(data)[source]

Bases: bytes

bytes(iterable_of_ints) -> bytes bytes(string, encoding[, errors]) -> bytes bytes(bytes_or_buffer) -> immutable copy of bytes_or_buffer bytes(int) -> bytes object of size given by the parameter initialized with null bytes bytes() -> empty bytes object

Construct an immutable array of bytes from:

an iterable yielding integers in range(256)
a text string encoded using the specified encoding
any object implementing the buffer API.
an integer

Parameters:: data (bytes)

__bool__()[source]

__str__()[source]: Return str(self).

__repr__()[source]: Return repr(self).

classmethod parse(value)[source]

Parameters:: value (str)
Return type:: Aaguid

NONE: Aaguid

class fido2.webauthn.AttestedCredentialData(_)[source]

Bases: bytes

bytes(iterable_of_ints) -> bytes bytes(string, encoding[, errors]) -> bytes bytes(bytes_or_buffer) -> immutable copy of bytes_or_buffer bytes(int) -> bytes object of size given by the parameter initialized with null bytes bytes() -> empty bytes object

Construct an immutable array of bytes from:

an iterable yielding integers in range(256)
a text string encoded using the specified encoding
any object implementing the buffer API.
an integer

Parameters:: _ (bytes)

aaguid: Aaguid

credential_id: bytes

public_key: fido2.cose.CoseKey

__str__()[source]: Return str(self).

classmethod create(aaguid, credential_id, public_key)[source]

Create an AttestedCredentialData by providing its components.

Parameters:

aaguid (bytes) – The AAGUID of the authenticator.
credential_id (bytes) – The binary ID of the credential.
public_key (fido2.cose.CoseKey) – A COSE formatted public key.

Returns:

The attested credential data.

Return type:

AttestedCredentialData

classmethod unpack_from(data)[source]

Unpack an AttestedCredentialData from a byte string, returning it and any remaining data.

Parameters:: data (bytes) – A binary string containing an attested credential data.
Returns:: The parsed AttestedCredentialData, and any remaining data from the input.
Return type:: Tuple[AttestedCredentialData, bytes]

classmethod from_ctap1(key_handle, public_key)[source]

Create an AttestatedCredentialData from a CTAP1 RegistrationData instance.

Parameters:

key_handle (bytes) – The CTAP1 credential key_handle.
public_key (bytes) – The CTAP1 65 byte public key.

Returns:

The credential data, using an all-zero AAGUID.

Return type:

AttestedCredentialData

class fido2.webauthn.AuthenticatorData(_)[source]

Bases: bytes

Binary encoding of the authenticator data.

Parameters:

_ (bytes) – The binary representation of the authenticator data.

Variables:

rp_id_hash – SHA256 hash of the RP ID.
flags – The flags of the authenticator data, see AuthenticatorData.FLAG.
counter – The signature counter of the authenticator.
credential_data – Attested credential data, if available.
extensions – Authenticator extensions, if available.

class FLAG[source]

Bases: enum.IntFlag

Authenticator data flags

See https://www.w3.org/TR/webauthn/#sec-authenticator-data for details

UP = 1

UV = 4

BE = 8

BS = 16

AT = 64

ED = 128

USER_PRESENT = 1

USER_VERIFIED = 4

BACKUP_ELIGIBILITY = 8

BACKUP_STATE = 16

ATTESTED = 64

EXTENSION_DATA = 128

rp_id_hash: bytes

flags: AuthenticatorData

counter: int

credential_data: AttestedCredentialData | None

extensions: Mapping | None

__str__()[source]: Return str(self).

classmethod create(rp_id_hash, flags, counter, credential_data=b'', extensions=None)[source]

Create an AuthenticatorData instance.

Parameters:

rp_id_hash (bytes) – SHA256 hash of the RP ID.
flags (AuthenticatorData) – Flags of the AuthenticatorData.
counter (int) – Signature counter of the authenticator data.
credential_data (bytes) – Authenticated credential data (only if attested credential data flag is set).
extensions (Optional[Mapping]) – Authenticator extensions (only if ED flag is set).

Returns:

The authenticator data.

is_user_present()[source]

Return true if the User Present flag is set.

Return type:: bool

is_user_verified()[source]

Return true if the User Verified flag is set.

Return type:: bool

is_backup_eligible()[source]

Return true if the Backup Eligibility flag is set.

Return type:: bool

is_backed_up()[source]

Return true if the Backup State flag is set.

Return type:: bool

is_attested()[source]

Return true if the Attested credential data flag is set.

Return type:: bool

has_extension_data()[source]

Return true if the Extenstion data flag is set.

Return type:: bool

class fido2.webauthn.AttestationObject(_)[source]

Bases: bytes

Binary CBOR encoded attestation object.

Parameters:

_ (bytes) – The binary representation of the attestation object.

Variables:

fmt – The type of attestation used.
auth_data – The attested authenticator data.
att_statement – The attestation statement.

fmt: str

auth_data: AuthenticatorData

att_stmt: Mapping[str, Any]

__str__()[source]: Return str(self).

classmethod create(fmt, auth_data, att_stmt)[source]

Parameters:

fmt (str)
auth_data (AuthenticatorData)
att_stmt (Mapping[str, Any])

Return type:

AttestationObject

classmethod from_ctap1(app_param, registration)[source]

Create an AttestationObject from a CTAP1 RegistrationData instance.

Parameters:

app_param (bytes) – SHA256 hash of the RP ID used for the CTAP1 request.
registration (RegistrationData) – The CTAP1 registration data.

Returns:

The attestation object, using the “fido-u2f” format.

Return type:

AttestationObject

class fido2.webauthn.CollectedClientData(_)[source]

Bases: bytes

bytes(iterable_of_ints) -> bytes bytes(string, encoding[, errors]) -> bytes bytes(bytes_or_buffer) -> immutable copy of bytes_or_buffer bytes(int) -> bytes object of size given by the parameter initialized with null bytes bytes() -> empty bytes object

Construct an immutable array of bytes from:

an iterable yielding integers in range(256)
a text string encoded using the specified encoding
any object implementing the buffer API.
an integer

Parameters:: _ (bytes)

class TYPE[source]

Bases: str, enum.Enum

str(object=’’) -> str str(bytes_or_buffer[, encoding[, errors]]) -> str

Create a new string object from the given object. If encoding or errors is specified, then the object must expose a data buffer that will be decoded using the given encoding and error handler. Otherwise, returns the result of object.__str__() (if defined) or repr(object). encoding defaults to sys.getdefaultencoding(). errors defaults to ‘strict’.

CREATE = 'webauthn.create'

GET = 'webauthn.get'

type: str

challenge: bytes

origin: str

cross_origin: bool = False

classmethod create(type, challenge, origin, cross_origin=False, **kwargs)[source]

Parameters:

type (str)
challenge (Union[bytes, str])
origin (str)
cross_origin (bool)

Return type:

CollectedClientData

__str__()[source]: Return str(self).

property b64: str

Return type:: str

property hash: bytes

Return type:: bytes

class fido2.webauthn.AttestationConveyancePreference[source]

Bases: _StringEnum

Enum of strings for WebAuthn types.

Unrecognized values are treated as missing.

NONE = 'none'

INDIRECT = 'indirect'

DIRECT = 'direct'

ENTERPRISE = 'enterprise'

class fido2.webauthn.UserVerificationRequirement[source]

Bases: _StringEnum

Enum of strings for WebAuthn types.

Unrecognized values are treated as missing.

REQUIRED = 'required'

PREFERRED = 'preferred'

DISCOURAGED = 'discouraged'

class fido2.webauthn.ResidentKeyRequirement[source]

Bases: _StringEnum

Enum of strings for WebAuthn types.

Unrecognized values are treated as missing.

REQUIRED = 'required'

PREFERRED = 'preferred'

DISCOURAGED = 'discouraged'

class fido2.webauthn.AuthenticatorAttachment[source]

Bases: _StringEnum

Enum of strings for WebAuthn types.

Unrecognized values are treated as missing.

PLATFORM = 'platform'

CROSS_PLATFORM = 'cross-platform'

class fido2.webauthn.AuthenticatorTransport[source]

Bases: _StringEnum

Enum of strings for WebAuthn types.

Unrecognized values are treated as missing.

USB = 'usb'

NFC = 'nfc'

BLE = 'ble'

HYBRID = 'hybrid'

INTERNAL = 'internal'

class fido2.webauthn.PublicKeyCredentialType[source]

Bases: _StringEnum

Enum of strings for WebAuthn types.

Unrecognized values are treated as missing.

PUBLIC_KEY = 'public-key'

class fido2.webauthn.PublicKeyCredentialRpEntity[source]

Bases: _WebAuthnDataObject

A data class with members also accessible as a JSON-serializable Mapping.

name: str

id: str | None = None

property id_hash: bytes | None

Return SHA256 hash of the identifier.

Return type:: Optional[bytes]

class fido2.webauthn.PublicKeyCredentialUserEntity[source]

Bases: _WebAuthnDataObject

A data class with members also accessible as a JSON-serializable Mapping.

name: str

id: bytes

display_name: str | None = None

class fido2.webauthn.PublicKeyCredentialParameters[source]

Bases: _WebAuthnDataObject

A data class with members also accessible as a JSON-serializable Mapping.

type: PublicKeyCredentialType

alg: int

class fido2.webauthn.PublicKeyCredentialDescriptor[source]

Bases: _WebAuthnDataObject

A data class with members also accessible as a JSON-serializable Mapping.

type: PublicKeyCredentialType

id: bytes

transports: Sequence[AuthenticatorTransport] | None = None

class fido2.webauthn.AuthenticatorSelectionCriteria[source]

Bases: _WebAuthnDataObject

A data class with members also accessible as a JSON-serializable Mapping.

authenticator_attachment: AuthenticatorAttachment | None = None

resident_key: ResidentKeyRequirement | None = None

user_verification: UserVerificationRequirement | None = None

require_resident_key: bool | None = False

__post_init__()[source]

class fido2.webauthn.PublicKeyCredentialCreationOptions[source]

Bases: _WebAuthnDataObject

A data class with members also accessible as a JSON-serializable Mapping.

rp: PublicKeyCredentialRpEntity

user: PublicKeyCredentialUserEntity

challenge: bytes

pub_key_cred_params: Sequence[PublicKeyCredentialParameters]

timeout: int | None = None

exclude_credentials: Sequence[PublicKeyCredentialDescriptor] | None = None

authenticator_selection: AuthenticatorSelectionCriteria | None = None

attestation: AttestationConveyancePreference | None = None

extensions: Mapping[str, Any] | None = None

class fido2.webauthn.PublicKeyCredentialRequestOptions[source]

Bases: _WebAuthnDataObject

A data class with members also accessible as a JSON-serializable Mapping.

challenge: bytes

timeout: int | None = None

rp_id: str | None = None

allow_credentials: Sequence[PublicKeyCredentialDescriptor] | None = None

user_verification: UserVerificationRequirement | None = None

extensions: Mapping[str, Any] | None = None

class fido2.webauthn.AuthenticatorAttestationResponse[source]

Bases: _WebAuthnDataObject

A data class with members also accessible as a JSON-serializable Mapping.

client_data: CollectedClientData

attestation_object: AttestationObject

extension_results: Mapping[str, Any] | None = None

__getitem__(key)[source]

classmethod from_dict(data)[source]

class fido2.webauthn.AuthenticatorAssertionResponse[source]

Bases: _WebAuthnDataObject

A data class with members also accessible as a JSON-serializable Mapping.

client_data: CollectedClientData

authenticator_data: AuthenticatorData

signature: bytes

user_handle: bytes | None = None

credential_id: bytes | None = None

extension_results: Mapping[str, Any] | None = None

__getitem__(key)[source]

classmethod from_dict(data)[source]

class fido2.webauthn.RegistrationResponse[source]

Bases: _WebAuthnDataObject

A data class with members also accessible as a JSON-serializable Mapping.

id: bytes

response: AuthenticatorAttestationResponse

authenticator_attachment: AuthenticatorAttachment | None = None

client_extension_results: AuthenticationExtensionsClientOutputs | None = None

type: PublicKeyCredentialType | None = None

__post_init__()[source]

class fido2.webauthn.AuthenticationResponse[source]

Bases: _WebAuthnDataObject

A data class with members also accessible as a JSON-serializable Mapping.

id: bytes

response: AuthenticatorAssertionResponse

authenticator_attachment: AuthenticatorAttachment | None = None

client_extension_results: AuthenticationExtensionsClientOutputs | None = None

type: PublicKeyCredentialType | None = None

__post_init__()[source]

class fido2.webauthn.CredentialCreationOptions[source]

Bases: _WebAuthnDataObject

A data class with members also accessible as a JSON-serializable Mapping.

public_key: PublicKeyCredentialCreationOptions

class fido2.webauthn.CredentialRequestOptions[source]

Bases: _WebAuthnDataObject

A data class with members also accessible as a JSON-serializable Mapping.

public_key: PublicKeyCredentialRequestOptions

class fido2.webauthn.AuthenticationExtensionsClientOutputs(outputs)[source]

Bases: Mapping[str, Any]

Holds extension output from a call to MakeCredential or GetAssertion.

When accessed as a dict, all bytes values will be serialized to base64url encoding, capable of being serialized to JSON.

When accessed using attributes, richer types will instead be returned.

Parameters:: outputs (Mapping[str, Any])

__iter__()[source]

__len__()[source]

__getitem__(key)[source]

__getattr__(key)[source]

__repr__()[source]