FIDO-2 Authentication

This section describes how to configure authentication using FIDO 2.

Note: FIDO 2 is only supported in version 4.2.1 and later.

Note: FIDO-2 can only be used over HTTPS

1. Manage authenticators

Add new authenticator, rename it or delete - use OpenIAM UI manager on self-service : fido key manager 01

Add new key fido key manager 01

Touch ssh key after browser message appear fido key manager 01

Rename key fido key manager 01

2. Configure OpenIAM to use FIDO authentication

1. Check "Use Web authentication" flag on "System configuration page" fido key manager 01

2. Use default authentication rule in content provider: fido key manager 01

or create new custom authentication rule. For example: fido key manager 01

3. Login with FIDO authenticator

fido key manager 01

fido key manager 01

4. Some API for FIDO-2 authentication

Preregistration request.

/idp/reg/preregister POST
request :
{
username : login,
displayName : displayName
}
response :
{
rp: data.rp,
user: {
id: decodeBase64url(data..id),
name: data..name,
displayName: data..displayName,
icon: data..icon
},
challenge: decodeBase64url(data.challenge),
pubKeyCredParams: data.pubKeyCredParams,
timeout: data.timeout,
excludeCredentials: data.excludeCredentials,
// {
// type: credential.type,
// id: decodeBase64url(credential.id),
// transports: credential.transports
// }
authenticatorSelection: data.authenticatorSelection,
attestation: data.attestation,
extensions: data.extensions
}

Registration request.

/idp/reg/register POST
request:
{
name : authenticatorName,
id = credential.id;
type = credential.type;
rawId = encodeBase64url(new Uint8Array(publicKeyCredential.rawId));
clientData = encodeBase64url(new Uint8Array(clientData));
attestationObject = encodeBase64url(new Uint8Array(attestationObject));
clientExtensionsJSON = clientExtensionsJSON;
}
response:
{
successMessage : "Authenticator saved"
}

Preauthentication request.

/idp/auth/preauthenticate POST
request:
{
username : authenticatorName,
userVerification = credential.id;
extensions = credential.type;
}
response:
{
challenge: decodeBase64url(data.challenge),
timeout: data.timeout,
rpId: data.rpId,
allowCredentials: data.allowCredentials
// {
// type: credential.type,
// id: base64url.decodeBase64url(credential.id),
// transports: credential.transports
// }
userVerification: data.userVerification,
extensions: data.extensions
}

Authentication request.

/idp/auth/authenticate POST
request:
{
credentialId = encodeBase64url(new Uint8Array(publicKeyCredential.rawId));
clientDataJSON = encodeBase64url(new Uint8Array(clientDataJSON));
authenticatorData = encodeBase64url(new Uint8Array(authenticatorData));
signature = encodeBase64url(new Uint8Array(signature));
clientExtensionsJSON = JSON.stringify(clientExtensions);
}