pub struct PublicKeyCredentialRequestOptions {
pub challenge: Bytes,
pub timeout: Option<u32>,
pub rp_id: Option<String>,
pub allow_credentials: Option<Vec<PublicKeyCredentialDescriptor>>,
pub user_verification: UserVerificationRequirement,
pub hints: Option<Vec<PublicKeyCredentialHints>>,
pub attestation: AttestationConveyancePreference,
pub attestation_formats: Option<Vec<AttestationStatementFormatIdentifiers>>,
pub extensions: Option<AuthenticationExtensionsClientInputs>,
}
This type supplies get() requests with the data it needs to generate an assertion.
Its challenge member MUST be present, while its other members are OPTIONAL.
https://w3c.github.io/webauthn/#dictdef-publickeycredentialrequestoptions
Fields
challenge: Bytes
This member specifies a challenge that the authenticator signs, along with other data, when producing an authentication assertion. See the Cryptographic Challenges security consideration.
timeout: Option<u32>
This OPTIONAL member specifies a time, in milliseconds, that the Relying Party is willing to wait for the call to complete. The value is treated as a hint, and MAY be overridden by the client.
rp_id: Option<String>
This OPTIONAL member specifies the RP ID claimed by the Relying Party. The client MUST verify that the Relying Party’s origin matches the scope of this RP ID. The authenticator MUST verify that this RP ID exactly equals the rpId of the credential to be used for the authentication ceremony.
If omitted, its value will be the requesting origin’s effective domain.
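The scope rule above is what stops one site from requesting assertions for another site's credentials. The following is an added example, not code from the passkey-types crate or from the WebAuthn specification, of the check a client performs before honouring a requested `rp_id`: the RP ID must equal the origin's effective domain or be a registrable suffix of it, and an omitted `rp_id` falls back to the effective domain. `PUBLIC_SUFFIXES` is a tiny constructed stand-in for the real Public Suffix List, and `effective_domain`, `rp_id_in_scope` and `resolve_rp_id` are this example's own names.

```rust
// Added example (not code from the passkey-types crate or the WebAuthn spec):
// the scope check a client performs before honouring a requested `rp_id`.
// Assumptions, labelled: PUBLIC_SUFFIXES is a tiny constructed stand-in for
// the real Public Suffix List, and origins are "scheme://host[:port][/path]".

/// Constructed stand-in for the Public Suffix List. A bare public suffix such
/// as "com" must never be accepted as an RP ID, or every .com site would share scope.
const PUBLIC_SUFFIXES: &[&str] = &["com", "org", "net", "co.uk"];

/// The origin's effective domain: its host, lower-cased. Only https origins
/// qualify, because WebAuthn is restricted to secure contexts.
pub fn effective_domain(origin: &str) -> Option<String> {
    let rest = origin.strip_prefix("https://")?;
    let host = rest.split(|c: char| c == ':' || c == '/').next()?;
    if host.is_empty() {
        return None;
    }
    Some(host.to_ascii_lowercase())
}

/// True when `rp_id` equals the origin's effective domain or is a registrable
/// suffix of it ("example.com" for "login.example.com"). The leading dot in the
/// suffix test is what stops "evilexample.com" from matching "example.com".
pub fn rp_id_in_scope(origin: &str, rp_id: &str) -> bool {
    let Some(host) = effective_domain(origin) else {
        return false;
    };
    let rp = rp_id.to_ascii_lowercase();
    if rp.is_empty() || PUBLIC_SUFFIXES.contains(&rp.as_str()) {
        return false;
    }
    host == rp || host.ends_with(&format!(".{rp}"))
}

/// Resolve the RP ID for the ceremony: an omitted `rp_id` falls back to the
/// effective domain; a present one must pass the scope check.
pub fn resolve_rp_id(origin: &str, requested: Option<&str>) -> Result<String, &'static str> {
    match requested {
        None => effective_domain(origin).ok_or("origin is not an https origin"),
        Some(rp) if rp_id_in_scope(origin, rp) => Ok(rp.to_ascii_lowercase()),
        Some(_) => Err("rp_id is not a registrable suffix of the origin's effective domain"),
    }
}

fn main() {
    for (origin, rp) in [
        ("https://login.example.com", Some("example.com")),
        ("https://login.example.com", Some("com")),
        ("https://evilexample.com", Some("example.com")),
        ("https://login.example.com", None),
    ] {
        println!("{origin} + {rp:?} -> {:?}", resolve_rp_id(origin, rp));
    }
}
```

A real client consults the full Public Suffix List rather than a fixed array, and treats `localhost` specially; the structure of the decision is the same.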
allow_credentials: Option<Vec<PublicKeyCredentialDescriptor>>
This OPTIONAL member is used by the client to find authenticators eligible for this authentication ceremony. It can be used in two ways:
- If the user account to authenticate is already identified (e.g. if the user has entered a username), then the Relying Party SHOULD use this member to list credential descriptors for credential records in the user account. This SHOULD usually include all credential records in the user account. The items SHOULD specify PublicKeyCredentialDescriptor::transports whenever possible. This helps the client optimize the user experience for any given situation. Also note that the Relying Party does not need to filter the list when requesting user verification: the client will automatically ignore non-eligible credentials if Self::user_verification is set to required. See also the Privacy leak via credential IDs privacy consideration.
- If the user account to authenticate is not already identified, then the Relying Party MAY leave this member empty or unspecified. In this case, only discoverable credentials will be utilized in this authentication ceremony, and the user account MAY be identified by the resulting AuthenticatorAssertionResponse::user_handle. If the available authenticators contain more than one discoverable credential scoped to the Relying Party, the credentials are displayed by the client platform or authenticator for the user to select from.
If not empty, the client MUST return an error if none of the listed credentials can be used.
The list is ordered in descending order of preference: the first item in the list is the most preferred credential, and the last is the least preferred.
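The rules above (ordered allow list, silent skipping of non-UV-capable credentials when `user_verification` is required, discoverable-only selection when the list is empty, and an error when a non-empty list yields nothing usable) fit in one small selection routine. The following is an added example, not code from the passkey-types crate: `StoredCredential`, `Selection`, `select_credentials` and `sample_credentials` are this example's own names, and the stored credentials are constructed for illustration.

```rust
// Added example (not code from the passkey-types crate): a simplified model of
// how a client applies `allow_credentials`, `rp_id` and `user_verification`
// when deciding which credentials may answer a get() request. The types and
// the stored credentials are constructed for illustration.

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum UserVerificationRequirement {
    Required,
    Preferred,
    Discouraged,
}

#[derive(Clone, Debug)]
pub struct StoredCredential {
    pub id: Vec<u8>,
    pub rp_id: String,
    /// Discoverable credentials can be used without an allow list.
    pub discoverable: bool,
    /// Whether the authenticator can perform user verification for this credential.
    pub supports_uv: bool,
}

#[derive(Debug, PartialEq, Eq)]
pub enum Selection {
    /// One usable credential; the client can proceed with it.
    Single(Vec<u8>),
    /// Several discoverable credentials match; the client or authenticator asks the user.
    UserChoice(Vec<Vec<u8>>),
}

pub fn select_credentials(
    rp_id: &str,
    allow_credentials: &[Vec<u8>],
    user_verification: UserVerificationRequirement,
    available: &[StoredCredential],
) -> Result<Selection, &'static str> {
    // With `required`, credentials that cannot do UV are silently ineligible,
    // so the RP does not have to pre-filter its list.
    let eligible = |c: &StoredCredential| {
        c.rp_id == rp_id
            && (user_verification != UserVerificationRequirement::Required || c.supports_uv)
    };

    if allow_credentials.is_empty() {
        // No allow list: only discoverable credentials scoped to this RP are used.
        let ids: Vec<Vec<u8>> = available
            .iter()
            .filter(|c| c.discoverable && eligible(*c))
            .map(|c| c.id.clone())
            .collect();
        return match ids.len() {
            0 => Err("no discoverable credential is scoped to this RP"),
            1 => Ok(Selection::Single(ids[0].clone())),
            _ => Ok(Selection::UserChoice(ids)),
        };
    }

    // Non-empty list: walk it in order so the RP's most preferred usable credential wins.
    for wanted in allow_credentials {
        if let Some(c) = available.iter().find(|c| &c.id == wanted && eligible(*c)) {
            return Ok(Selection::Single(c.id.clone()));
        }
    }
    // A non-empty list with no usable entry is an error, not a fallback to discoverable credentials.
    Err("none of the allowed credentials can be used")
}

/// Constructed authenticator contents used by `main` and the tests.
pub fn sample_credentials() -> Vec<StoredCredential> {
    let cred = |id: u8, rp: &str, discoverable: bool, supports_uv: bool| StoredCredential {
        id: vec![id],
        rp_id: rp.to_string(),
        discoverable,
        supports_uv,
    };
    vec![
        cred(1, "example.com", true, true),
        cred(2, "example.com", true, false),
        cred(3, "other.com", true, true),
        cred(4, "example.com", false, true),
    ]
}

fn main() {
    let creds = sample_credentials();
    println!("{:?}", select_credentials("example.com", &[], UserVerificationRequirement::Preferred, &creds));
    println!("{:?}", select_credentials("example.com", &[vec![2], vec![1]], UserVerificationRequirement::Required, &creds));
}
```

Note that the error for an empty-list ceremony with no discoverable credential and the error for an unusable allow list are deliberately distinct: the second one is the "MUST return an error" case from the text, and an RP that sees it should re-check the credential records it sent rather than retry with an empty list.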
user_verification: UserVerificationRequirement
This OPTIONAL member specifies the Relying Party’s requirements regarding user verification for the get() operation. The value SHOULD be a member of UserVerificationRequirement but client platforms MUST ignore unknown values, treating an unknown value as if the member does not exist and using its default value. Eligible authenticators are filtered to only those capable of satisfying this requirement.
See UserVerificationRequirement for the description of this field’s values and semantics.
hints: Option<Vec<PublicKeyCredentialHints>>
This OPTIONAL member contains zero or more elements from PublicKeyCredentialHints to guide the user agent in interacting with the user.
This field ignores unknown hint values at deserialization.
attestation: AttestationConveyancePreference
The Relying Party MAY use this OPTIONAL member to specify a preference regarding attestation conveyance. Its value SHOULD be a member of AttestationConveyancePreference. Client platforms MUST ignore unknown values, treating an unknown value as if the member does not exist, therefore acting as the default value.
The default value is AttestationConveyancePreference::None.
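The three enumerated members above (`user_verification`, `hints`, `attestation`) share one decoding policy: an unknown string is not a deserialization error; it is treated as if the member were absent, so the default applies, and an unknown hint is simply dropped. The following is an added example, not code from the passkey-types crate, that implements that policy with the std library only. The `ignored` field and the `decode_enums` function are this example's own additions, so a Relying Party can log what a client discarded; the default of `preferred` for user verification is the WebAuthn default.

```rust
// Added example (not code from the passkey-types crate): lenient decoding of
// the enumerated request members `user_verification`, `attestation` and
// `hints`. An unknown string is not an error: the member is treated as absent
// so its default applies, and unknown hints are dropped. The `ignored` list is
// this example's own addition so the caller can log what was discarded.

#[derive(Clone, Copy, Debug, PartialEq, Eq, Default)]
pub enum UserVerificationRequirement {
    Required,
    #[default]
    Preferred,
    Discouraged,
}

#[derive(Clone, Copy, Debug, PartialEq, Eq, Default)]
pub enum AttestationConveyancePreference {
    #[default]
    None,
    Indirect,
    Direct,
    Enterprise,
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum PublicKeyCredentialHints {
    SecurityKey,
    ClientDevice,
    Hybrid,
}

#[derive(Debug, Default, PartialEq, Eq)]
pub struct DecodedEnums {
    pub user_verification: UserVerificationRequirement,
    pub attestation: AttestationConveyancePreference,
    pub hints: Vec<PublicKeyCredentialHints>,
    /// Raw values that were ignored, kept only so they can be logged.
    pub ignored: Vec<String>,
}

/// Decode the raw wire strings. `None` means the member was absent.
pub fn decode_enums(
    user_verification: Option<&str>,
    attestation: Option<&str>,
    hints: &[&str],
) -> DecodedEnums {
    let mut out = DecodedEnums::default();
    match user_verification {
        Some("required") => out.user_verification = UserVerificationRequirement::Required,
        Some("preferred") => out.user_verification = UserVerificationRequirement::Preferred,
        Some("discouraged") => out.user_verification = UserVerificationRequirement::Discouraged,
        // Unknown value: keep the default, remember what was seen.
        Some(other) => out.ignored.push(format!("userVerification={other}")),
        None => {}
    }
    match attestation {
        Some("none") => out.attestation = AttestationConveyancePreference::None,
        Some("indirect") => out.attestation = AttestationConveyancePreference::Indirect,
        Some("direct") => out.attestation = AttestationConveyancePreference::Direct,
        Some("enterprise") => out.attestation = AttestationConveyancePreference::Enterprise,
        Some(other) => out.ignored.push(format!("attestation={other}")),
        None => {}
    }
    for h in hints {
        match *h {
            "security-key" => out.hints.push(PublicKeyCredentialHints::SecurityKey),
            "client-device" => out.hints.push(PublicKeyCredentialHints::ClientDevice),
            "hybrid" => out.hints.push(PublicKeyCredentialHints::Hybrid),
            // Unknown hint: drop it, the rest of the list is still honoured.
            other => out.ignored.push(format!("hints={other}")),
        }
    }
    out
}

fn main() {
    let decoded = decode_enums(Some("super-strict"), Some("direct"), &["security-key", "bogus"]);
    println!("{decoded:?}");
}
```

Whether to log the ignored values is a policy choice; the decoding itself must not fail on them, or a newer client that sends a value this code predates would be locked out.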
attestation_formats: Option<Vec<AttestationStatementFormatIdentifiers>>
The Relying Party MAY use this OPTIONAL member to specify a preference regarding the attestation statement format used by the authenticator. Values SHOULD be taken from the IANA “WebAuthn Attestation Statement Format Identifiers” registry IANA-WebAuthn-Registries established by RFC8809. Values are ordered from most preferable to least preferable. This parameter is advisory and the authenticator MAY use an attestation statement not enumerated in this parameter.
The default value is the empty list, which indicates no preference.
extensions: Option<AuthenticationExtensionsClientInputs>
The Relying Party MAY use this OPTIONAL member to provide client extension inputs requesting additional processing by the client and authenticator.
See AuthenticationExtensionsClientInputs for the list of currently supported WebAuthn Extensions.