16.2.1.15.9. Passkey Token

16.2.1.15.9.1. Implementation

class privacyidea.lib.tokens.passkeytoken.PasskeyTokenClass(db_token)[source]

Implements a token class for passkeys (FIDO2). This is very similar to the WebAuthn token class, but uses a library for registration and authentication. It is less configurable, always requires a resident key and uses excluded credentials by default. It shares the following policy configuration with the WebAuthn token class:

  • RP_ID

  • RP_NAME

  • USER_VERIFICATION_REQUIREMENT (default: PREFERRED)

  • PUBLIC_KEY_CREDENTIAL_ALGORITHMS (default: ECDSA_SHA_256, RSASSA_PKCS1_v1_5_SHA_256)

Create a new token object.

Parameters:

db_token (Token) – A database token object

Returns:

A TokenClass object

authenticate(passw, user=None, options=None)[source]

This is called from check_tokenlist. Suppress missing params here so “wrong otp value” is returned if no authentication could be made.

check_otp(otpval, counter=None, window=None, options=None)[source]
Parameters:
  • otpval (None) – Unused for this token type

  • counter (int) – Unused for this token type

  • window (None) – Unused for this token type

  • options (dict) – Contains the data from the client, along with policy configurations. For compatibility with the WebAuthnTokenClass, some keys can have multiple names. The following keys are required:
      - “challenge”
      - “authenticatorData” or “authenticatordata”
      - “clientDataJSON” or “clientdata”
      - “signature” or “signaturedata”
      - “userHandle” or “userhandle”
      - “HTTP_ORIGIN”
    The following keys are optional:
      - “webauthn_user_verification_requirement”, defaults to preferred

Returns:

A numerical value where values larger than zero indicate success.

Return type:

int
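The keys listed for check_otp map onto the checks a passkey assertion has to pass: the client data must carry the stored challenge and the origin the server saw, the authenticator data must be bound to the relying party ID and carry the user-presence (and, if policy requires it, user-verification) flag, and the signature must cover authenticatorData || SHA-256(clientDataJSON). The following is an added example of those checks using the `cryptography` library; it is not privacyIDEA's code, the function names and the -1 failure value are assumptions, and make_sample stands in for an authenticator with a freshly generated key.

```python
import base64, hashlib, json
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

# Alternate key names accepted for compatibility with the WebAuthn token class.
ALIASES = {"authenticatorData": "authenticatordata", "clientDataJSON": "clientdata",
           "signature": "signaturedata", "userHandle": "userhandle"}
REQUIRED = ["challenge", "authenticatorData", "clientDataJSON", "signature", "userHandle", "HTTP_ORIGIN"]

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def get_option(options, key):
    return options.get(key, options.get(ALIASES.get(key, key)))

def verify_assertion(options, public_key, rp_id, stored_challenge):
    """Hypothetical stand-in for check_otp's checks: 1 on success, -1 on any failure."""
    if any(get_option(options, k) is None for k in REQUIRED):
        return -1
    auth_data = b64url_decode(get_option(options, "authenticatorData"))
    client_data = b64url_decode(get_option(options, "clientDataJSON"))
    signature = b64url_decode(get_option(options, "signature"))
    cd = json.loads(client_data)
    # Client data must reference the challenge we stored and the origin we actually saw.
    if (get_option(options, "challenge") != stored_challenge or cd.get("type") != "webauthn.get"
            or cd.get("challenge") != stored_challenge or cd.get("origin") != options["HTTP_ORIGIN"]):
        return -1
    # authenticatorData layout: rpIdHash (32) | flags (1) | signCount (4) | ...
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return -1
    flags = auth_data[32]
    uv_req = options.get("webauthn_user_verification_requirement", "preferred")
    if not flags & 0x01 or (uv_req == "required" and not flags & 0x04):
        return -1  # user not present, or UV demanded by policy but not performed
    try:  # the signature covers authenticatorData || SHA-256(clientDataJSON)
        public_key.verify(signature, auth_data + hashlib.sha256(client_data).digest(),
                          ec.ECDSA(hashes.SHA256()))
    except InvalidSignature:
        return -1
    return 1

def make_sample(rp_id, origin, challenge, user_verified=True):
    """Constructed assertion from a fresh P-256 key, standing in for an authenticator."""
    key = ec.generate_private_key(ec.SECP256R1())
    flags = 0x01 | (0x04 if user_verified else 0)  # UP, optionally UV
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (7).to_bytes(4, "big")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    sig = key.sign(auth_data + hashlib.sha256(client_data).digest(), ec.ECDSA(hashes.SHA256()))
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    options = {"challenge": challenge, "authenticatordata": enc(auth_data), "clientdata": enc(client_data),
               "signaturedata": enc(sig), "userhandle": enc(b"user-1"), "HTTP_ORIGIN": origin}
    return options, key.public_key()
```

The sample deliberately uses the lowercase alias names to exercise the compatibility lookup; a real deployment resolves the challenge and public key from the database rather than passing them in.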

client_mode = 'webauthn'
create_challenge(transactionid=None, options=None)[source]

Passkey does not create a challenge itself; it uses an open challenge acquired from /validate/initialize. By returning False here, passkey tokens will not generate a challenge via /validate/triggerchallenge -> create_challenge_from_tokens(). Optionally, creating a challenge can be enabled by setting the passkey_trigger_by_pin policy.

static get_class_info(key=None, ret='all')[source]

Returns a dict with information about the passkey token class and related policy options. The parameter ret can be used to specify the “section” of the information that should be returned.

static get_class_prefix()[source]
static get_class_type()[source]
classmethod get_default_challenge_text_auth() -> str[source]
classmethod get_default_challenge_text_register() -> str[source]
get_init_detail(params=None, user=None)[source]

First step of enrollment: Returns the registration data for the passkey token. Also creates a challenge in the database which has to be verified in the second step. The following parameters are required in params:
  - “webauthn_relying_party_id” (FIDO2PolicyAction.RELYING_PARTY_ID)
  - “webauthn_relying_party_name” (FIDO2PolicyAction.RELYING_PARTY_NAME)

The following parameters are optional in params to customize the registration:
  - “registered_credential_ids”: A list of credential IDs that are already registered with the user.
  - FIDO2PolicyAction.PUBLIC_KEY_CREDENTIAL_ALGORITHMS (default: ECDSA_SHA_256, RSASSA_PKCS1_v1_5_SHA_256)
  - FIDO2PolicyAction.USER_VERIFICATION_REQUIREMENT (default: PREFERRED)
  - PasskeyAction.AttestationConveyancePreference (default: NONE)

import_token(token_information: dict)[source]

Import a passkey token.

inc_failcount()[source]

Do not increment the fail count for passkeys, since their authentication process is decoupled from the usual one.

is_challenge_request(passw, user=None, options=None)[source]

This token type is always challenge-response. If the PIN matches, a challenge should be created.

classmethod is_multichallenge_enrollable()[source]
mode = ['challenge']
update(param, reset_failcount=True)[source]

Second step of enrollment: Verify the registration data from the authenticator with the challenge from the database. If the registration is successful, the token is set to enrolled and metadata is written to the token info. To complete the registration, the following parameters are required in param:
  - attestationObject
  - clientDataJSON
  - credential_id
  - rawId
  - authenticatorAttachment
  - transaction_id
  - HTTP_ORIGIN
  - FIDO2PolicyAction.RELYING_PARTY_ID (“webauthn_relying_party_id”)

use_for_authentication(options)[source]

This method checks whether this token should be used for authentication. Certain token classes could be excluded from the authentication request in certain situations.

Returns True, if the token should be used for authentication. Returns False, if the token should be completely ignored for authentication.

Parameters:

options – This is the option list that basically contains the request parameters.

Returns: