Skip to main content
Version: 7.2405.x.x LTS

Deregistration Request Service

By calling the Deregistration Request Service and requesting a DeregistrationRequest object from the FIDO server, the user/FIDO client initiates the FIDO deregistration process. This chapter describes the request and response messages between the FIDO client and Server when calling the Deregistration Request Service.

info

It is recommended to protect this service using a SecToken.

Base URL

All URLs referenced in this section have the following base:

https://fido.siven.ch/nevisfido/uaf/1.1/request/deregistration

HTTP Methods

POST is the only supported HTTP method.

Request Headers

The following request headers are mandatory:

NameDescription
AcceptAccept header, must be application/fido+uaf.
Content-TypeContent type header, must be application/fido+uaf;charset=UTF-8.

Request Body

The Deregistration Request Service requires from the FIDO client a JSON payload with a GetUAFRequest object as defined in the FIDO UAF HTTP Transport Specificationn t The GetUAFRequest object has the following structure:

AttributeTypeDescriptionOptional
opStringThe request operation, must be set to Dereg.false
previousRequestStringIf the application is requesting a new UAF request message because the previous one expired, the previous one could be sent to the server.true
contextStringThe contextual information must be a stringified JSON object that conforms to the Deregistration Context.false
info

The previousRequest parameter is ignored and not handled.

Context

The client must provide the credentials to be deregistered for a specific user in the context part of the GetUAFRequest object. The following three options are available and can be configured via the mode attribute.

  • Deregister all credentials associated with the user. The mode attribute value is username.
  • Deregister all credentials associated with the user and with any of the provided AAIDs. The mode attribute value is aaid.
  • Deregister all credentials associated with the user and with any of the provided tuples of AAID and Key ID. The mode attribute value is aaid_and_keyid.

The Context dictionary below lists all attributes that can be included in the context part of the GetUAFRequest object.

AttributeTypeDescriptionOptional
modeStringThe deregistration mode. The value is either username, aaid or aaid_and_keyid.false
aaidString[]The AAIDs of the credentials to be deregistered.false (if the deregistration mode is aaid)
aaid_and_keyidAaidAndKeyId[] (see AAID and Key ID dictionary for details)The AAID and KeyID tuples of the credentials to be deregistered.false (if the deregistration mode is aaid_and_keyid)
usernameStringIdentity information regarding the user on whose behalf the FIDO client is operating. In the case of the idm credential repository, the accepted type of username (loginId, email, etc.) depends on how the username mapper of the credential repository is configured.false

AAID And Key ID Dictionary

AttributeTypeDescriptionOptional
aaidStringThe AAID of the credential to be deregistered.false
keyidStringThe base64url-encoded value of the key ID of the credential to be deregistered.false

Response Headers

The following response headers will be set:

NameDescription
Content-TypeContent type header, fixed to application/fido+uaf;charset=UTF-8.

Response Body

The Deregistration Request Service returns a JSON body with a ReturnUAFRequest object as defined in the FIDO UAF HTTP Transport Specification . The ReturnUAFRequest object has the following structure:

AttributeTypeDescription
statusCodeNumberUAF status code for the operation.
uafRequestStringThe new UAF request message if the server decides to issue one.
opStringHint to the client regarding the operation type of the message, must be set to Dereg.

The uafRequest part of the ReturnUAFRequest object contains the DeregistrationRequest object. The DeregistrationRequest dictionary includes the attributes that define a DeregistrationRequest object. The following table describes the DeregistrationRequest dictionary:

AttributeTypeDescriptionOptional
headerOperationHeaderThe header defines the operation header of the UAF messages coming from the Deregistration Request Service. Within the header, the operation header attributes are specified. For a description of these attributes, see Request Header. Note that the attribute header.op must be set to "Dereg".false
authenticatorsDeregisterAuthenticator[]List of authenticators to be deregistered.false
info

nevisFIDO follows the Deregistration Request Generation Rules for FIDO Server:

It will return empty strings in the authenticators attribute of the DeregistrationRequest when the aaid or the username deregistration modes are used.

Example Request Using aaid_and_keyid Mode

POST /nevisfido/uaf/1.1/request/deregistration HTTP/1.1
Accept: application/fido+uaf
Content-Type: application/fido+uaf;charset=UTF-8
Host: fido.siven.ch
Content-Length: 168

{
"context" : "{\"username\":\"jeff\",\"mode\":\"aaid_and_keyid\",\"aaid_and_keyid\":[{\"aaid\":\"1234#ABCD\",\"keyID\":\"a2V5SWRJbkJhc2U2NA\"}]}",
"op" : "Dereg"
}

cURL:

$ curl 'https://fido.siven.ch/nevisfido/uaf/1.1/request/deregistration' -i -X POST \
-H 'Accept: application/fido+uaf' \
-H 'Content-Type: application/fido+uaf;charset=UTF-8' \
-d '{
"context" : "{\"username\":\"jeff\",\"mode\":\"aaid_and_keyid\",\"aaid_and_keyid\":[{\"aaid\":\"1234#ABCD\",\"keyID\":\"a2V5SWRJbkJhc2U2NA\"}]}",
"op" : "Dereg"
}'

Example Response Using aaid_and_keyid Mode

HTTP/1.1 200 OK
Date: Mon, 25 Jul 2022 11:30:55 GMT
Content-Type: application/fido+uaf;charset=UTF-8
Transfer-Encoding: chunked
Content-Length: 384

{
"statusCode" : 1200,
"uafRequest" : "[{\"header\":{\"upv\":{\"major\":1,\"minor\":1},\"op\":\"Dereg\",\"appID\":\"https://www.siven.ch/appID\",\"exts\":[{\"id\":\"ch.nevis.auth.fido.uaf.sessionid\",\"data\":\"58a5a35e-fd22-4321-86ed-ad022b97a818\",\"fail_if_unknown\":false}]},\"authenticators\":[{\"aaid\":\"1234#ABCD\",\"keyID\":\"a2V5SWRJbkJhc2U2NA\"}]}]",
"op" : "Dereg"
}

Example Request Using username Mode

POST /nevisfido/uaf/1.1/request/deregistration HTTP/1.1
Accept: application/fido+uaf
Content-Type: application/fido+uaf;charset=UTF-8
Host: fido.siven.ch
Content-Length: 83

{
"context" : "{\"username\":\"jeff\",\"mode\":\"username\"}",
"op" : "Dereg"
}

cURL:

$ curl 'https://fido.siven.ch/nevisfido/uaf/1.1/request/deregistration' -i -X POST \
-H 'Accept: application/fido+uaf' \
-H 'Content-Type: application/fido+uaf;charset=UTF-8' \
-d '{
"context" : "{\"username\":\"jeff\",\"mode\":\"username\"}",
"op" : "Dereg"
}'

Example Response Using username Mode

HTTP/1.1 200 OK
Date: Mon, 25 Jul 2022 11:30:57 GMT
Content-Type: application/fido+uaf;charset=UTF-8
Transfer-Encoding: chunked
Content-Length: 357

{
"statusCode" : 1200,
"uafRequest" : "[{\"header\":{\"upv\":{\"major\":1,\"minor\":1},\"op\":\"Dereg\",\"appID\":\"https://www.siven.ch/appID\",\"exts\":[{\"id\":\"ch.nevis.auth.fido.uaf.sessionid\",\"data\":\"dd934cda-1fdc-4a80-9449-683a4de6ff0d\",\"fail_if_unknown\":false}]},\"authenticators\":[{\"aaid\":\"\",\"keyID\":\"\"}]}]",
"op" : "Dereg"
}

HTTP Status Codes

The following HTTP status codes are returned by the Deregistration Request Service:

HTTP CodeDescription
200OK The server processed the request successfully. A ReturnUAFRequest JSON object containing a DeregistrationRequest object is returned.
405Method Not Allowed The method of the received request was not POST.
406Not Acceptable The Accept header is not properly set to application/fido+uaf.
415Unsupported Media Type The Content-Type header is not properly set to application/fido+uaf;charset=UTF-8.