Backend Requirements
- Overview
- nevisFIDO Endpoint Protection
- Out-Of-Band Registration
- Out-Of-Band Authentication
- In-Band Authentication
- Modify Dispatch Target
- Authorization Provider Retrieval
Overview
For the Nevis Mobile Authentication SDK a number of assumptions are made regarding how the backend is configured. This section enumerates them.
nevisFIDO Endpoint Protection
For some operations, the Nevis Mobile Authentication SDK accesses backend endpoints that are protected. To access these protected endpoints, an AuthorizationProvider must be provided. This is the case for the following operations: in-band registration, deregistration and delete dispatch target. See the Protected Operations section for details.
The other operations assume that the endpoints involved are not protected:
Out-Of-Band Registration
The registration redeem endpoint of nevisFIDO must not be protected.
The facet ID endpoint of nevisFIDO must not be protected. This is in any case imposed by the FIDO UAF specification.
The registration response endpoint must not be protected. This endpoint is configured in the SDK using NevisAuthenticationSession.Configuration.registrationResponsePath.
Out-Of-Band Authentication
The authentication redeem endpoint of nevisFIDO must not be protected.
The facet ID endpoint of nevisFIDO must not be protected. This is in any case imposed by the FIDO UAF specification.
The authentication response endpoint must not be protected. This endpoint is configured in the SDK using NevisAuthenticationSession.Configuration.authenticationResponsePath.
In-Band Authentication
The authentication request endpoint must not be protected. This endpoint is configured in the SDK using NevisAuthenticationSession.Configuration.authenticationRequestPath.
The facet ID endpoint of nevisFIDO must not be protected. This is in any case imposed by the FIDO UAF specification.
The authentication response endpoint must not be protected. This endpoint is configured in the SDK using NevisAuthenticationSession.Configuration.authenticationResponsePath.
The SDK assumes that the initial authentication request is sent to the Relying Party and not to the nevisFIDO server directly. The Relying Party can be, for example, the web application that will grant access, nevisAuth, etc. The request that the SDK sends to the Relying Party to start the in-band authentication is described below.
Payload: a JSON object with a single username attribute, like the one below.
{ "username" : "Joe Smith" }
Content type: application/json; charset=utf-8
This is, for example, the payload handled by the default configuration of the FidoUafAuthState AuthState of nevisAuth.
Modify Dispatch Target
The update dispatch target endpoint of nevisFIDO must not be protected. This endpoint is configured in the SDK using NevisAuthenticationSession.Configuration.dispatchTargetResourcePath.
This is a special case: even though the SDK requires the endpoint not to be protected externally (for instance by nevisAuth), nevisFIDO only accepts signed requests on it. The endpoint is therefore protected out of the box, so to speak: only the device on which the dispatch target to be modified is defined can effectively use it.
Authorization Provider Retrieval
The AuthorizationProvider can be used to access protected resources. See the In-Band Authentication section for more details.
Cookie Authorization Provider
To retrieve a cookie, the Nevis Mobile Authentication SDK assumes that the backend configuration is the one described in the In-Band Authentication section of the Use Cases and Best Practices in the NEVIS Mobile Authentication Concept and Integration Guide.
With that configuration, the following behaviour is expected from the backend:
The backend returns a successful ServerResponse indicating that the FIDO UAF authentication is complete.
The Nevis Mobile Authentication SDK will send the following payload to check whether the whole authentication process is finished:
{
"fidoUafSessionId": "1c8a5b00-165c-4a63-ae13-2e03fb7f57ce"
}
The backend returns an HTTP response with the following body indicating that the whole authentication flow is complete:
{
"status": "completed"
}
If a cookie is set in the Set-Cookie header of that HTTP response, the SDK returns it inside a CookieAuthorizationProvider.
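The following is an added example, not code from the original page or from Nevis: an in-memory stand-in for the Relying Party side of the two exchanges described above, the initial in-band request carrying the username payload and the completion check carrying the fidoUafSessionId, written in Python. The FIDO UAF exchange itself (handled by nevisFIDO) is replaced by a one-line stub. The cookie name NEVIS_SESSION and the status values other than "completed" are assumptions; the page only fixes the request and response shapes it shows.

```python
import json
import secrets
import uuid

# Assumed for this example: the page does not specify the cookie name.
COOKIE_NAME = "NEVIS_SESSION"


class RelyingParty:
    """Constructed in-memory Relying Party used to illustrate the documented
    request/response shapes; not the Nevis implementation."""

    def __init__(self):
        # fidoUafSessionId -> {"username": str, "complete": bool}
        self._sessions = {}

    def start_in_band_authentication(self, content_type, body):
        """Handler for the authentication request endpoint (authenticationRequestPath).
        Accepts exactly the documented request: content type
        application/json; charset=utf-8 and a JSON object whose only attribute
        is "username". Returns the fidoUafSessionId created for this attempt."""
        if content_type.replace(" ", "").lower() != "application/json;charset=utf-8":
            raise ValueError("unexpected content type: %r" % content_type)
        try:
            payload = json.loads(body.decode("utf-8"))
        except (UnicodeDecodeError, ValueError) as exc:
            raise ValueError("body is not UTF-8 encoded JSON") from exc
        if (not isinstance(payload, dict) or set(payload) != {"username"}
                or not isinstance(payload["username"], str) or not payload["username"]):
            raise ValueError('payload must be an object with a single "username" string')
        session_id = str(uuid.uuid4())
        self._sessions[session_id] = {"username": payload["username"], "complete": False}
        return session_id

    def complete_fido_uaf(self, session_id):
        """Stub for the FIDO UAF exchange nevisFIDO performs with the device;
        the real exchange is not modelled here. Marks the session as done."""
        self._sessions[session_id]["complete"] = True

    def status_check(self, body):
        """Handler for the completion check the SDK sends after the successful
        ServerResponse: body is {"fidoUafSessionId": "..."}. Returns
        (http_status, headers, json_body). On completion the Set-Cookie header
        carries the cookie the SDK wraps in a CookieAuthorizationProvider."""
        try:
            payload = json.loads(body.decode("utf-8"))
            session_id = payload["fidoUafSessionId"]
        except (UnicodeDecodeError, ValueError, KeyError, TypeError):
            return 400, {}, {"status": "invalid"}          # assumed value
        session = self._sessions.get(session_id)
        if session is None:
            return 404, {}, {"status": "unknown"}          # assumed value
        if not session["complete"]:
            return 200, {}, {"status": "in_progress"}      # assumed value
        # Fresh, unguessable cookie value; the attributes are ordinary hardening.
        cookie = "%s=%s; Path=/; Secure; HttpOnly; SameSite=Strict" % (
            COOKIE_NAME, secrets.token_urlsafe(32))
        headers = {"Content-Type": "application/json; charset=utf-8", "Set-Cookie": cookie}
        return 200, headers, {"status": "completed"}


if __name__ == "__main__":
    rp = RelyingParty()
    sid = rp.start_in_band_authentication("application/json; charset=utf-8",
                                          b'{"username": "Joe Smith"}')
    rp.complete_fido_uaf(sid)
    print(rp.status_check(('{"fidoUafSessionId": "%s"}' % sid).encode("utf-8")))
```

The point to check against a real deployment is the strictness of the first handler: it rejects any body that is not exactly the documented single-attribute object, so a misconfigured client or a request that was rewritten by an intermediary fails early rather than silently starting a session for an unexpected field.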
JWT Authorization Provider
If the backend returns a JWT after a successful authentication, the JWT will be returned in a JwtAuthorizationProvider. The JWT must be provided inside the additionalTokens of the ServerResponse for the Nevis Mobile Authentication SDK to retrieve it. The token type must be "JWT" and its value must be encoded as described in RFC 7519 (i.e. base64url-encoded segments joined by dots).
ServerResponse with JWT example:
{
"statusCode": 1200,
"additionalTokens": [
{
"type": "JWT",
"value": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJsb2dnZWRJbkFzIjoiYWRtaW4iLCJpYXQiOjE0MjI3Nzk2Mzh9.gzSraSYS8EXBxLN_oWnFSRgCzcmJmMjLiuyu5CSpyHI"
}
]
}
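As an added example (not part of the page or of the Nevis SDK), the Python below extracts the JWT from a ServerResponse shaped like the one above and checks the structural requirements the SDK relies on: statusCode 1200, a single additionalTokens entry of type "JWT", and a value of three base64url segments whose header and claims decode as JSON. The ServerResponse from the page is embedded as sample input; its claims decode to loggedInAs "admin" and iat 1422779638. The HS256 verify/sign helpers go beyond the page, which says nothing about who validates the signature: they are included so that the consumer of the token (normally the backend resource the SDK presents it to, not the SDK itself) has a reference that refuses any alg other than HS256 instead of trusting the header. The signing key used in the demo is a made-up value.

```python
import base64
import hashlib
import hmac
import json

# ServerResponse copied from the page above, used here as sample input.
PAGE_SERVER_RESPONSE = {
    "statusCode": 1200,
    "additionalTokens": [
        {
            "type": "JWT",
            "value": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
                     "eyJsb2dnZWRJbkFzIjoiYWRtaW4iLCJpYXQiOjE0MjI3Nzk2Mzh9."
                     "gzSraSYS8EXBxLN_oWnFSRgCzcmJmMjLiuyu5CSpyHI",
        }
    ],
}


def _b64url_decode(segment):
    """Base64url without padding (RFC 7515 section 2), as RFC 7519 requires."""
    if any(c in segment for c in "+/="):
        raise ValueError("segment is not base64url encoded")
    padded = segment + "=" * (-len(segment) % 4)
    return base64.b64decode(padded, altchars=b"-_", validate=True)


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def extract_jwt(server_response):
    """Return the JWT the SDK would place in a JwtAuthorizationProvider, or
    raise ValueError if the ServerResponse does not meet the requirements."""
    if server_response.get("statusCode") != 1200:
        raise ValueError("not a successful ServerResponse: statusCode %r"
                         % server_response.get("statusCode"))
    tokens = [t for t in server_response.get("additionalTokens", [])
              if t.get("type") == "JWT"]
    if len(tokens) != 1:
        raise ValueError("expected exactly one JWT token, found %d" % len(tokens))
    value = tokens[0].get("value")
    if not isinstance(value, str) or value.count(".") != 2:
        raise ValueError("JWT value must be header.payload.signature")
    header_b64, payload_b64, _ = value.split(".")
    for seg in (header_b64, payload_b64):
        if not isinstance(json.loads(_b64url_decode(seg)), dict):
            raise ValueError("JWT header and claims must be JSON objects")
    return value


def decode_claims(jwt):
    """Claims only; no signature check. Use verify_hs256 before trusting them."""
    return json.loads(_b64url_decode(jwt.split(".")[1]))


def verify_hs256(jwt, key):
    """Verify an HS256 signature with a shared key and return the claims.
    The alg is pinned: "none" or any other value from the header is rejected."""
    header_b64, payload_b64, sig_b64 = jwt.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg %r" % header.get("alg"))
    signing_input = ("%s.%s" % (header_b64, payload_b64)).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def sign_hs256(claims, key):
    """Mint an HS256 JWT (used here only to exercise verify_hs256)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"},
                                       separators=(",", ":")).encode("utf-8"))
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    sig = hmac.new(key, ("%s.%s" % (header, payload)).encode("ascii"),
                   hashlib.sha256).digest()
    return "%s.%s.%s" % (header, payload, _b64url_encode(sig))


if __name__ == "__main__":
    token = extract_jwt(PAGE_SERVER_RESPONSE)
    print(decode_claims(token))
    demo_key = b"example-shared-key"  # made-up key for the demo
    print(verify_hs256(sign_hs256({"sub": "Joe Smith"}, demo_key), demo_key))
```

extract_jwt deliberately decodes only the header and claims, which is all the SDK needs to hand the token on; the signature over the page's sample token is not checked because its key is not given on the page.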