Package com.yubico.yubikit.fido.client

Interface WebAuthnClient

All Superinterfaces:
AutoCloseable, Closeable
All Known Implementing Classes:
Ctap1Client, Ctap2Client
public interface WebAuthnClient extends Closeable
Protocol-agnostic interface for WebAuthn operations.

Implementations provide support for specific CTAP protocol versions (e.g., CTAP1/U2F, CTAP2/WebAuthn). Use create(YubiKeyDevice, List) or create(YubiKeyConnection, List, ScpKeyParams) to obtain the correct implementation for a given session.

See Also:

  • Method Details

    • create

      static WebAuthnClient create(com.yubico.yubikit.core.YubiKeyDevice device, @Nullable List<Extension> extensions) throws IOException, com.yubico.yubikit.core.application.CommandException
      Create a new WebAuthn client from a YubiKey device with specific extensions.

      Note: Extensions are only supported for CTAP2 sessions. For CTAP1 sessions, the extensions parameter is ignored.

      Parameters:
      device - The YubiKey device to use for the session
      extensions - List of extensions (only applicable for CTAP2), passing null will use default extension set
      Returns:
      A WebAuthnClient instance for the given device
      Throws:
      IOException - A communication error in the transport layer
      com.yubico.yubikit.core.application.CommandException - A communication error in the protocol layer (CTAP2 only)

    • create

      static WebAuthnClient create(com.yubico.yubikit.core.YubiKeyConnection connection, @Nullable List<Extension> extensions, @Nullable com.yubico.yubikit.core.smartcard.scp.ScpKeyParams scpKeyParams) throws IOException, com.yubico.yubikit.core.application.CommandException
      Create a new WebAuthn client from a YubiKey connection with specific extensions and optional SCP key parameters.

      Note: Extensions are only supported for CTAP2 sessions. For CTAP1 sessions, the extensions parameter is ignored.

      Parameters:
      connection - The YubiKey connection to use for the session
      extensions - List of extensions (only applicable for CTAP2), passing null will use default extension set
      scpKeyParams - Optional SCP key parameters for secure channel (may be null)
      Returns:
      A WebAuthnClient instance for the given connection
      Throws:
      IOException - A communication error in the transport layer
      com.yubico.yubikit.core.application.CommandException - A communication error in the protocol layer (CTAP2 only)

    • makeCredential

      PublicKeyCredential makeCredential(ClientDataProvider clientData, PublicKeyCredentialCreationOptions options, String effectiveDomain, char @Nullable [] pin, @Nullable Integer enterpriseAttestation, @Nullable com.yubico.yubikit.core.application.CommandState state) throws IOException, com.yubico.yubikit.core.application.CommandException, ClientError
      Create a new WebAuthn credential.

      For CTAP1: PIN and enterprise attestation parameters are ignored. For CTAP2: All parameters are supported.

      Parameters:
      clientData - The ClientDataProvider instance supplying client data for the request
      options - The options for creating the credential
      effectiveDomain - The effective domain for the request, used to validate the RP ID
      pin - If needed, the PIN to authorize the credential creation (CTAP2 only)
      enterpriseAttestation - Enterprise attestation parameter (CTAP2 only)
      state - If needed, the state to provide control over the ongoing operation
      Returns:
      A WebAuthn public key credential
      Throws:
      IOException - A communication error in the transport layer
      com.yubico.yubikit.core.application.CommandException - A communication error in the protocol layer
      ClientError - A higher level error

    • getAssertion

      PublicKeyCredential getAssertion(ClientDataProvider clientData, PublicKeyCredentialRequestOptions options, String effectiveDomain, char @Nullable [] pin, @Nullable com.yubico.yubikit.core.application.CommandState state) throws MultipleAssertionsAvailable, IOException, com.yubico.yubikit.core.application.CommandException, ClientError
      Authenticate an existing WebAuthn credential.

      For CTAP1: PIN parameter is ignored, allowCredentials list is required. For CTAP2: PIN is supported, allowCredentials list is optional for discoverable credentials.

      If multiple assertions are available (CTAP2 only), a MultipleAssertionsAvailable exception will be thrown which can be handled to select a specific assertion.

      Parameters:
      clientData - The ClientDataProvider instance supplying client data for the request
      options - The options for the authentication request
      effectiveDomain - The effective domain for the request, used to validate the RP ID
      pin - If needed, the PIN to authorize the assertion (CTAP2 only)
      state - If needed, the state to provide control over the ongoing operation
      Returns:
      A WebAuthn public key credential with assertion
      Throws:
      MultipleAssertionsAvailable - Multiple discoverable credentials found (CTAP2 only)
      IOException - A communication error in the transport layer
      com.yubico.yubikit.core.application.CommandException - A communication error in the protocol layer
      ClientError - A higher level error