Package ch.nevis.mobile.sdk.api.operation.selection

Interface AccountSelectionContext

public interface AccountSelectionContext

The service returning the information required to choose the account to be used: it returns all the available accounts and authenticators and also informs whether a given authenticator is compliant with the policy required by the FIDO UAF server for the ongoing operation.

See Also:

• OutOfBandAuthentication.accountSelector(ch.nevis.mobile.sdk.api.operation.selection.AccountSelector)
• AccountSelector

Method Summary

Modifier and Type	Method	Description
Set<Account>	accounts()	The accounts that have been registered with the SDK.
Set<Authenticator>	authenticators()	The available authenticators.
boolean	isPolicyCompliant(String username, String aaid)	Returns whether the specified account with the provided authenticator is compliant with the policy of the server.
Optional<byte[]>	transactionConfirmationData()	The transaction confirmation data, if any, to be presented to the user for verification.

Method Details

accounts

Set<Account> accounts()

The accounts that have been registered with the SDK.

Returns:

the accounts

authenticators

Set<Authenticator> authenticators()

The available authenticators. Note that this may also include authenticators that cannot be used to complete the operation.

All the available authenticators are returned so that the users of the SDK can figure out not only whether an account authenticator can be used for the operation, but also why. For example, a developer would like to give a visual hint explaining why the Fingerprint authenticator for a given user cannot be used during authentication if it is not registered: by using Authenticator.registration() this situation can be identified.

The following snippet can be used to identify whether the authenticator can be used or not with a given account (identified by its username):

     private static boolean isValid(Authenticator authenticator, String username,
             AccountSelectionContext context) {
         Registration registration = authenticator.registration()
         // This method will filter the authenticators that are no supported by the hardware, those
         // not registered, and those that are compliant with the server policy.
         return registration.isRegistered(username) && authenticator.isSupportedByHardware() &&
                        context.isPolicyCompliant(authenticator.aaid());
     }
 

Returns:

all the available authenticators.

See Also:

• Authenticator.registration()
• Authenticator.isSupportedByHardware()
• isPolicyCompliant(String, String)

isPolicyCompliant

boolean isPolicyCompliant(String username,
 String aaid)

Returns whether the specified account with the provided authenticator is compliant with the policy of the server.

If a username without an authenticator that is policy compliant is provided through AccountSelectionHandler.username(String) (String)}, an OperationError with FidoErrorCode.NO_SUITABLE_AUTHENTICATOR will be returned as a result of the operation.

To know if a given account has at least one policy compliant authenticator, the following code can be used:

     private boolean hasPolicyCompliantAuthenticator(String username) {
               for (Authenticator authenticator: authenticators()) {
             if (isPolicyCompliant(username, authenticator.aaid())) {
                 return true;
             }
         }
         return false;
     }
 

Parameters:

username - the username of the accunt

aaid - the AAID of the Authenticator

Returns:

true if the authenticator is compliant with the policy, and false otherwise.

transactionConfirmationData

Optional<byte[]> transactionConfirmationData()

The transaction confirmation data, if any, to be presented to the user for verification. If this data is present, data must be presented to the user before authenticating.

Basic implementation layout:

     @Override
     public void selectAuthenticator(AuthenticatorSelectionContext context, AuthenticatorSelectionHandler handler) {
         if (context.transactionConfirmationData().isPresent()) {
             showTransactionMessage(context.transactionConfirmationData().get(),
             userConfirmed -> {
                 if (userConfirmed) {
                     selectAuthenticator(context, handler);
                 }
                 else {
                     // Cancel the operation if the transaction was rejected
                     handler.cancel();
                 }
             });
         } else {
             // No transaction confirmation, just proceed to authenticator selection
             selectAuthenticator(context, handler);
         }
     }

     private void showTransactionMessage(byte[] transactionConfirmationData,
             Consumer<Boolean> confirmationConsumer) {
         // Display the transaction confirmation data and ask the user to confirm it. Then
         // invoke confirmationConsumer with the result of the confirmation:
         // confirmationConsumer.accept(confirmation);
     }
 

Note that in the case of registration or authentication not involving transaction confirmation, this is typically empty and thus, it does not require handling.

The contents are the base64 URL decoded contents of the Transaction as described in the FIDO UAF specification.

Returns:

the transaction confirmation data