[−][src]Trait webauthn_rs::WebauthnConfig
The WebauthnConfig type allows site-specific customisation of the Webauthn library. This provides a set of callbacks which are used to supply data to various structures and calls, as well as callbacks to manage data persistence and retrieval.
Required methods
fn get_relying_party_name(&self) -> String
Returns a copy of your relying parties name. This is generally any text identifier you wish, but should rarely if ever change. Changes to the relying party name may confuse authenticators and causes their credentials to be lost.
Examples of names could be "My Awesome Site", "https://my-awesome-site.com.au"
fn get_origin(&self) -> &String
Returns a reference to your sites origin. The origin is the URL to your site with protocol and port. This should rarely, if ever change. In production usage this value must always be https://, however http://localhost is acceptable for testing only. We may add warnings or errors for non-https:// urls in the future.
Examples of this value could be. "https://my-site.com.au", "https://my-site.com.au:8443"
fn get_relying_party_id(&self) -> String
Returs the relying party id. This should rarely if ever change, and is used as an id
in cryptographic operations and credential scoping. This is defined as the domain name
of the service, minuse all protocol, port and location data. For example:
https://name:port/path -> name
Examples of this value for the site "https://my-site.com.au/auth" is "my-site.com.au"
fn persist_challenge(
&mut self,
userid: UserId,
challenge: Challenge
) -> Result<(), ()>
&mut self,
userid: UserId,
challenge: Challenge
) -> Result<(), ()>
Given a UserId and Challenge, persist these to a temporary storage system. It is implementation specific if this challenge is distributed to other servires via a system like memcached or if these are persisted-per server. In the per-server case, you should use sticky sessions on your load balancer to ensure clients contact the server that issued the challenge
The UserId and Challenge are both serialisable with serde for storage in a database or structure of some kind.
fn retrieve_challenge(&mut self, userid: &UserId) -> Option<Challenge>
Given a UserId, return the challenge if one is present. If not challenge is found return
None (which will cause the client operation to fail with correct error messages). It's important
to note here the use of Option<Challenge>
- you should remove the Challenge from the
datastore as part of this request to prevent challenge re-use or bruteforce attacks from
occuring.
fn does_exist_credential(
&self,
userid: &UserId,
cred: &Credential
) -> Result<bool, ()>
&self,
userid: &UserId,
cred: &Credential
) -> Result<bool, ()>
Given a userId and a Credential, determine if this credential already exists and is registered to the user. It may be of benefit to determine if the credential belongs to any other user in your system to prevent credential re-use.
fn persist_credential(
&mut self,
userid: UserId,
credential: Credential
) -> Result<(), ()>
&mut self,
userid: UserId,
credential: Credential
) -> Result<(), ()>
On a sucessful registration, persist this Credential associated to UserId.
fn retrieve_credentials(&self, userid: &UserId) -> Option<&Vec<Credential>>
Given a userId, retrieve the set of all Credentials that the UserId has associated.
fn credential_update_counter(
&mut self,
userid: &UserId,
cred: &Credential,
counter: u32
) -> Result<(), ()>
&mut self,
userid: &UserId,
cred: &Credential,
counter: u32
) -> Result<(), ()>
Given a userId and Credential, update it's authentication counter to "counter". This helps to minimise threats from replay or reuse attacks by ensuring the counter is always advancing.
fn credential_report_invalid_counter(
&mut self,
userid: &UserId,
cred: &Credential,
counter: u32
) -> Result<(), ()>
&mut self,
userid: &UserId,
cred: &Credential,
counter: u32
) -> Result<(), ()>
Given a userId and Credential, if the counter value has gone backwards or is replayed this callback is called to allow reporting of a possible compromise of the Credential. You should take site appropriate action, ranging from audit-logging of the possible compromise, disabling of the Credential, disabling the account, or other appropriate actions.
Provided methods
fn get_credential_algorithms(&self) -> Vec<COSEContentType>
Get the list of valid credential algorthims that this servie will accept. Unless you have speific requirements around this, we advise you leave this function to the default implementation.
fn get_authenticator_timeout(&self) -> u32
Return a timeout on how long the authenticator has to respond to a challenge. This value defaults to 6000 milliseconds. You likely won't need to implemented this function, and should rely on the defaults.
fn get_user_verification_required(&self) -> bool
Returns a site policy on if user verification of the authenticator is required. This currently defaults to "false" due to implementation limitations, as per: https://github.com/Firstyear/webauthn-rs/issues/7
fn get_extensions(&self) -> Option<BTreeMap<String, String>>
Return a list of site-requested extensions to be sent to Authenticators during registration and authentication. Currently this is not implemented. Please see: https://github.com/Firstyear/webauthn-rs/issues/8 https://w3c.github.io/webauthn/#extensions
fn policy_verify_trust(&self, at: AttestationType) -> Result<Credential, ()>
A callback to allow trust decisions to be made over the attestation of the credential. It's important for your implementation of this callback to follow the advice of the w3c standard, notably:
- If validation is successful, obtain a list of acceptable trust anchors (attestation root certificates or ECDAA-Issuer public keys) for that attestation type and attestation statement format fmt, from a trusted source or from policy. For example, the FIDO Metadata Service [FIDOMetadataService] provides one way to obtain such information, using the aaguid in the attestedCredentialData in authData.
16: Assess the attestation trustworthiness using the outputs of the verification procedure in step 14, as follows: (SEE RFC) If the attestation statement attStmt successfully verified but is not trustworthy per step 16 above, the Relying Party SHOULD fail the registration ceremony.
The default implementation of this method rejects None and Uncertain attestation, and will "blindly trust" the other types as valid. If you have strict security requirements we strongly recommend you implement this function, and we may in the future provide a stronger default trust system.
Implementors
impl WebauthnConfig for WebauthnEphemeralConfig
[src]
fn get_relying_party_name(&self) -> String
[src]
Returns the relying party name. See the trait documentation for more.
fn get_relying_party_id(&self) -> String
[src]
Returns the relying party id. See the trait documentation for more.
fn persist_challenge(
&mut self,
userid: UserId,
challenge: Challenge
) -> Result<(), ()>
[src]
&mut self,
userid: UserId,
challenge: Challenge
) -> Result<(), ()>
Persist a challenge associated to a userId. See the trait documentation for more.
fn retrieve_challenge(&mut self, userid: &UserId) -> Option<Challenge>
[src]
Retrieve a challenge associated to a userId. See the trait documentation for more.
fn does_exist_credential(
&self,
userid: &UserId,
cred: &Credential
) -> Result<bool, ()>
[src]
&self,
userid: &UserId,
cred: &Credential
) -> Result<bool, ()>
Assert if a credential related to a userId exists. See the trait documentation for more.
fn persist_credential(
&mut self,
userid: UserId,
credential: Credential
) -> Result<(), ()>
[src]
&mut self,
userid: UserId,
credential: Credential
) -> Result<(), ()>
Persist a credential related to a userId. See the trait documentation for more.
fn credential_update_counter(
&mut self,
userid: &UserId,
cred: &Credential,
counter: u32
) -> Result<(), ()>
[src]
&mut self,
userid: &UserId,
cred: &Credential,
counter: u32
) -> Result<(), ()>
Update a credentials counter. See the trait documentation for more.
fn credential_report_invalid_counter(
&mut self,
userid: &UserId,
cred: &Credential,
_counter: u32
) -> Result<(), ()>
[src]
&mut self,
userid: &UserId,
cred: &Credential,
_counter: u32
) -> Result<(), ()>
Report an invalid credential counter. See the trait documentation for more.
fn retrieve_credentials(&self, userid: &UserId) -> Option<&Vec<Credential>>
[src]
Retrieve the credentials associated to a userId. See the trait documentation for more.
fn get_origin(&self) -> &String
[src]
Retrieve the relying party origin. See the trait documentation for more.