Package ch.nevis.mobile.sdk.api.operation.selection

Interface AuthenticatorSelectionContext

public interface AuthenticatorSelectionContext

The service returning the information required to choose the authenticator to be used: it returns all the available authenticators, the operation being executed and also informs whether a given authenticator is compliant with the policy required by the FIDO UAF server for the ongoing operation.

See Also:

• AuthenticatorSelector.selectAuthenticator(AuthenticatorSelectionContext, AuthenticatorSelectionHandler)

Method Summary

Modifier and Type	Method	Description
Account	account()	The account used to execute the operation.
Set<Authenticator>	authenticators()	The available authenticators.
boolean	isPolicyCompliant(String aaid)	Returns whether the provided authenticator is compliant with the policy of the server.
Optional<byte[]>	transactionConfirmationData()	The transaction confirmation data, if any, to be presented to the user for verification.

Method Details

account

Account account()

The account used to execute the operation.

Returns:

the account

authenticators

Set<Authenticator> authenticators()

The available authenticators. Note that this may also include authenticators that cannot be used to complete the operation.

All the available authenticators are returned so that the users of the SDK can figure out not only whether an authenticator can be used for the operation, but also why. For example, a developer would like to give a visual hint explaining why the Fingerprint authenticator cannot be used during registration if it is not enrolled: by using Authenticator.userEnrollment() this situation can be identified during registration and then some message can be displayed to the user informing that a fingerprint must be defined in the OS settings to be able to register the fingerprint authenticator. In the case where a user registers two authenticators, but the server's policy only allows to use PIN in a given authentication operation, isPolicyCompliant(String) can be used to identify this situation and to inform the user why the fingerprint authenticator is not available.

The following snippet can be used to identify whether the operation can be used or not:

     private static boolean isValid(Authenticator authenticator AuthenticatorSelectionContext context) {
         String username = authenticator.account().username();
         Registration registration = authenticator.registration();
         // This method will filter the authenticators that are no supported by the hardware, those
         // whose registration status does not correspond to the operation and in the case of registration
         // and authentication, those that are compliant with the server policy.
         if (isRegistrationOperation()) {
                 return !registration.isRegistered(username) && authenticator.isSupportedByHardware() &&
                        context.isPolicyCompliant(authenticator.aaid());
         }
         if (isAuthenticationOperation()) {
             return registration.isRegistered(username) && authenticator.isSupportedByHardware() &&
                 context.isPolicyCompliant(authenticator.aaid());
         }
         // Bug
         throw new IllegalStateException();
     }
 

Returns:

all the available authenticators.

See Also:

• Authenticator.registration()
• Authenticator.isSupportedByHardware()
• isPolicyCompliant(String)

isPolicyCompliant

boolean isPolicyCompliant(String aaid)

Returns whether the provided authenticator is compliant with the policy of the server.

If an authenticator that is not policy compliant is provided through AuthenticatorSelectionHandler.aaid(String) for registration or authentication operations, a OperationError or an OperationError will be returned as a result of the operation.

Parameters:

aaid - the AAID of the Authenticator

Returns:

true if the authenticator is compliant with the policy, and false otherwise.

transactionConfirmationData

Optional<byte[]> transactionConfirmationData()

The transaction confirmation data, if any, to be presented to the user for verification. If this data is present, data must be presented to the user before authenticating.

Basic implementation layout:

     @Override
     public void selectAuthenticator(AuthenticatorSelectionContext context, AuthenticatorSelectionHandler handler) {
         if (context.transactionConfirmationData().isPresent()) {
             showTransactionMessage(context.transactionConfirmationData().get(),
             userConfirmed -> {
                 if (userConfirmed) {
                     selectAuthenticator(context, handler);
                 }
                 else {
                     // Cancel the operation if the transaction was rejected
                     handler.cancel();
                 }
             });
         } else {
             // No transaction confirmation, just proceed to authenticator selection
             selectAuthenticator(context, handler);
         }
     }

     private void showTransactionMessage(byte[] transactionConfirmationData,
             Consumer<Boolean> confirmationConsumer) {
         // Display the transaction confirmation data and ask the user to confirm it. Then
         // invoke confirmationConsumer with the result of the confirmation:
         // confirmationConsumer.accept(confirmation);
     }
 

Note that in the case of registration or authentication not involving transaction confirmation, this is typically empty and thus, it does not require handling.

The contents are the base64 URL decoded contents of the Transaction as described in the FIDO UAF specification.

Returns:

the transaction confirmation data