Trait webauthn_rs::WebauthnConfig

pub trait WebauthnConfig {
    fn get_relying_party_name(&self) -> String;
    fn get_origin(&self) -> &String;
    fn get_relying_party_id(&self) -> String;
    fn get_credential_algorithms(&self) -> Vec<COSEContentType> { ... }
    fn get_authenticator_timeout(&self) -> u32 { ... }
    fn get_attestation_preference(&self) -> AttestationConveyancePreference { ... }
    fn get_authenticator_attachment(&self) -> Option<AuthenticatorAttachment> { ... }
    fn get_require_resident_key(&self) -> bool { ... }
    fn get_extensions(&self) -> Option<BTreeMap<String, String>> { ... }
    fn policy_verify_trust(&self, at: AttestationType) -> Result<Credential, ()> { ... }
}

The WebauthnConfig type allows site-specific customisation of the Webauthn library. This provides a set of callbacks which are used to supply data to various structures and calls, as well as callbacks to manage data persistence and retrieval.

Required methods

fn get_relying_party_name(&self) -> String

Returns a copy of your relying party's name. This is generally any text identifier you wish, but it should rarely, if ever, change. Changes to the relying party name may confuse authenticators and will cause their credentials to be lost.

Examples of names could be "My Awesome Site" or "https://my-awesome-site.com.au".

fn get_origin(&self) -> &String

Returns a reference to your site's origin. The origin is the URL to your site, including protocol and port. This should rarely, if ever, change. In production usage this value must always be https://; http://localhost is acceptable for testing only. We may add warnings or errors for non-https:// URLs in the future. Changing this may cause associated authenticators to lose credentials.

Examples of this value could be "https://my-site.com.au" or "https://my-site.com.au:8443".

fn get_relying_party_id(&self) -> String

Returns the relying party id. This should never change, as it is used as an id in cryptographic operations and for credential scoping. It is defined as the domain name of the service, minus all protocol, port and location data. For example: https://name:port/path -> name

If changed, all associated credentials will be lost in all authenticators.

An example of this value for the site "https://my-site.com.au/auth" is "my-site.com.au".
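As an added example (not code from webauthn-rs), the derivation described above carried out in plain Rust, combined with the origin rule from get_origin: only https:// origins are accepted, with http://localhost tolerated for testing. The function name and the hand-rolled parsing are this example's own, and it assumes origins without userinfo or IPv6 literals.

```rust
// Added example, not part of webauthn-rs: derive the relying party id from an
// origin as the trait documentation describes (scheme://name:port/path -> name),
// rejecting origins the documentation says are not acceptable in production.
fn relying_party_id_from_origin(origin: &str) -> Result<String, String> {
    // Split off the scheme. Only https:// is acceptable in production;
    // http://localhost is tolerated for testing only.
    let (scheme, rest) = origin
        .split_once("://")
        .ok_or_else(|| format!("origin {:?} has no scheme", origin))?;
    // Drop any path component: "my-site.com.au:8443/auth" -> "my-site.com.au:8443"
    let authority = rest.split('/').next().unwrap_or("");
    // Drop the port: "my-site.com.au:8443" -> "my-site.com.au"
    // (assumes no userinfo and no bracketed IPv6 literal in the origin)
    let host = authority.split(':').next().unwrap_or("");
    if host.is_empty() {
        return Err(format!("origin {:?} has no host", origin));
    }
    match scheme {
        "https" => Ok(host.to_string()),
        "http" if host == "localhost" => Ok(host.to_string()),
        _ => Err(format!(
            "origin {:?} must use https:// (http://localhost is allowed for testing only)",
            origin
        )),
    }
}

fn main() {
    for origin in [
        "https://my-site.com.au",
        "https://my-site.com.au:8443/auth",
        "http://localhost:8080",
        "http://my-site.com.au",
    ] {
        println!("{} -> {:?}", origin, relying_party_id_from_origin(origin));
    }
}
```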


Provided methods

fn get_credential_algorithms(&self) -> Vec<COSEContentType>

Get the list of valid credential algorithms that this service can accept. Unless you have specific requirements around this, we advise you to leave this function to the default implementation.

fn get_authenticator_timeout(&self) -> u32

Return a timeout on how long the authenticator has to respond to a challenge. This value defaults to 6000 milliseconds. You likely won't need to implement this function and should rely on the default.

fn get_attestation_preference(&self) -> AttestationConveyancePreference

Returns the default attestation type. Options are None, Direct and Indirect. Defaults to None.

IMPORTANT: You must also implement policy_verify_trust if you change this from None.

fn get_authenticator_attachment(&self) -> Option<AuthenticatorAttachment>

Get the preferred policy on the authenticator attachment hint. Defaults to None (use any attachment method).

WARNING: This is not enforced, as the client may modify the registration request to disregard it, and no part of the registration response indicates attachment. This is purely a hint and is NOT a security enforcement.

The default of None allows any attachment method.

fn get_require_resident_key(&self) -> bool

Get the site policy on whether registration should use a resident key, so that the username and other details can be embedded in the authenticator and that part of the interaction flow can be bypassed.

WARNING: This is not enforced, as the client may modify the registration request to disregard it, and no part of the registration process indicates residence of the credentials. This is not a security enforcement.

Defaults to "false" aka non-resident keys. See also: https://www.w3.org/TR/webauthn/#resident-credential

fn get_extensions(&self) -> Option<BTreeMap<String, String>>

Return a list of site-requested extensions to be sent to Authenticators during registration and authentication. Currently this is not implemented. Please see: https://github.com/Firstyear/webauthn-rs/issues/8 https://w3c.github.io/webauthn/#extensions

fn policy_verify_trust(&self, at: AttestationType) -> Result<Credential, ()>

A callback to allow trust decisions to be made over the attestation of the credential. It's important for your implementation of this callback to follow the advice of the W3C standard, notably:

  1. If validation is successful, obtain a list of acceptable trust anchors (attestation root certificates or ECDAA-Issuer public keys) for that attestation type and attestation statement format fmt, from a trusted source or from policy. For example, the FIDO Metadata Service [FIDOMetadataService] provides one way to obtain such information, using the aaguid in the attestedCredentialData in authData.

16: Assess the attestation trustworthiness using the outputs of the verification procedure in step 14, as follows: (SEE RFC) If the attestation statement attStmt successfully verified but is not trustworthy per step 16 above, the Relying Party SHOULD fail the registration ceremony.

The default implementation of this method rejects None and Uncertain attestation, and will "blindly trust" self attestation and the other types as valid. If you have strict security requirements we strongly recommend you implement this function, and we may in the future provide a stronger default relying party policy.
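As an added example (not webauthn-rs code), a stand-alone model of the trust decision this callback is meant to make, stricter than the documented default. The Credential and attestation types below are local stand-ins whose shape and variant names are assumptions for this example, so that it compiles offline; the trusted AAGUID set stands for trust anchors obtained "from policy" as the quoted W3C step puts it.

```rust
use std::collections::HashSet;
/// Stand-in for the library's Credential (shape assumed for this example).
#[derive(Debug, Clone, PartialEq)]
struct Credential {
    id: Vec<u8>,
    aaguid: [u8; 16],
}
/// Stand-in for the library's AttestationType; variant names are assumptions,
/// mirroring the kinds the documentation names (None, Uncertain, Self, others).
enum ModelAttestation {
    None(Credential),
    Uncertain(Credential),
    SelfAttested(Credential),
    Basic(Credential),
}
/// Relying-party policy: trust anchors obtained "from policy", here a set of
/// trusted authenticator AAGUIDs (a FIDO MDS lookup would supply it in practice).
struct TrustPolicy {
    trusted_aaguids: HashSet<[u8; 16]>,
}

impl TrustPolicy {
    /// Stricter than the documented default: None and Uncertain are rejected as
    /// the default does, Self attestation is rejected too (it proves nothing about
    /// the authenticator), and Basic attestation passes only for allowlisted models.
    fn policy_verify_trust(&self, at: ModelAttestation) -> Result<Credential, &'static str> {
        match at {
            ModelAttestation::None(_) => Err("no attestation statement"),
            ModelAttestation::Uncertain(_) => Err("attestation statement not verifiable"),
            ModelAttestation::SelfAttested(_) => Err("self attestation has no trust anchor"),
            ModelAttestation::Basic(cred) if self.trusted_aaguids.contains(&cred.aaguid) => Ok(cred),
            ModelAttestation::Basic(_) => Err("authenticator model not on the trusted list"),
        }
    }
}

/// Constructed sample policy trusting a single made-up AAGUID.
fn sample_policy() -> TrustPolicy {
    let mut trusted_aaguids = HashSet::new();
    trusted_aaguids.insert([0x11u8; 16]);
    TrustPolicy { trusted_aaguids }
}

fn main() {
    let cred = Credential { id: vec![1, 2, 3], aaguid: [0x11u8; 16] };
    println!("{:?}", sample_policy().policy_verify_trust(ModelAttestation::Basic(cred.clone())));
    println!("{:?}", sample_policy().policy_verify_trust(ModelAttestation::SelfAttested(cred)));
}
```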


Implementors

impl WebauthnConfig for WebauthnEphemeralConfig

fn get_relying_party_name(&self) -> String

Returns the relying party name. See the trait documentation for more.

fn get_relying_party_id(&self) -> String

Returns the relying party id. See the trait documentation for more.

fn get_origin(&self) -> &String

Retrieve the relying party origin. See the trait documentation for more.

fn get_authenticator_attachment(&self) -> Option<AuthenticatorAttachment>

Retrieve the authenticator attachment hint. See the trait documentation for more.

fn get_attestation_preference(&self) -> AttestationConveyancePreference

Retrieve the authenticator attestation preference. See the trait documentation for more.

fn get_credential_algorithms(&self) -> Vec<COSEContentType>

Retrieve the list of supported algorithms.

WARNING: This returns all possible algorithms, not just SUPPORTED ones. This is so that
