Registration Response Service
The FIDO client calls the Registration Response Service when it has processed the RegistrationRequest
object coming from the FIDO server. The client invokes the Registration Response Service by providing a RegistrationResponse
object that must be processed by nevisFIDO. This chapter describes the request and response messages between the FIDO client and server when calling the Registration Response Service.
The client can send to nevisFIDO the ASM Status Code received by the ASM in the registration response. In case of error, the Registration Response will contain no assertions, but the rest of its contents must be specification compliant. This is not part of the standard specification and can be used notably together with the Status Service.
Base URL
All URLs referenced in this section have the following base:
https://fido.siven.ch/nevisfido/uaf/1.1/registration
HTTP Methods
POST
is the only supported HTTP method.
Request Headers
The following request headers are mandatory:
Name | Description |
---|---|
Accept | Accept header, must be application/fido+uaf . |
Content-Type | Content type header, must be application/fido+uaf;charset=UTF-8 . |
Request Body
The Registration Response Service requires a JSON payload with a SendUAFResponse
object as defined in the FIDO UAF HTTP Transport Specification
. The SendUAFResponse
object has the following structure:
Attribute | Type | Description | Optional |
---|---|---|---|
context | String | The contextual information must be a stringified JSON object that conforms to the Registration Response Context dictionary. It contains the status code returned by the ASM (Authenticator Specific Module) in the authenticating device. | true |
uafResponse | String | The stringified JSON containing the registration response sent by the UAF client. | false |
The uafResponse
part of the SendUAFResponse
object consists of an array with a single The RegistrationResponse
object contains a registration response for a specific protocol version.
The RegistrationResponse dictionary includes all attributes that define a RegistrationResponse
object. The following table describes the RegistrationResponse dictionary:
Attribute | Type | Description | Optional |
---|---|---|---|
header | Object | See Operation Header Dictionary. The operation header of the uafResponse . | false |
fcParams | String | Base64url-encoded final challenge parameters using UTF-8 encoding, see Final Challenge Dictionary. | false |
assertions | Array | Array of required assertion response data for each authenticator being registered. | true. The assertions can be empty if an error occurred and the client provides the ASM status code in the [Context Registration Response]. |
assertions[].assertionScheme | String | Name of the assertion scheme used to encode the assertion. The only currently supported mandatory assertion scheme is: UAFV1TLV . | false |
assertions[].assertion | String | Base64url-encoded TAG_UAFV1_REG_ASSERTION object, contains the newly generated UAuth.pub key and is signed by the attestation's private key. | false |
assertions[].tcDisplayPNGCharacteristics | String | Supported transaction PNG type for the definition of the DisplayPNGCharacteristicsDescriptor . | true |
assertions[].exts | Array | Extensions prepared by the authenticator. | true |
If an error occurs on the client side, the client may return a RegistrationResponse containing an empty assertions array. In this case, the server will respond with UAF status code "1498" ("Unacceptable Content"). This is intended behavior: The response is not valid according to the specification.
Context
The client can provide the ASM Status Code and the Client Error Code in the context. These codes are exposed by the Status Service. The Status Service uses the codes to better identify problems on the client side, which occur during the authentication with the FIDO authenticators.
The client can also optionally provide information required to create a Dispatch Target together with the to-be-registered FIDO UAF credentials. This prevents the client from having to authenticate twice to create a dispatch target. This is particularly useful in the out-of-band scenarios (with the Create Token Service and the Dispatch Token Service).
Attribute | Type | Description | Optional |
---|---|---|---|
asmStatusCode | number | The ASM Status Code | true |
clientErrorCode | number | The Client Error Code | true |
dispatchTarget | Object | The Dispatch Target information. | true |
deviceId | String | The string identifying the device, such as a mobile phone, where the dispatch target and the FIDO UAF credentials are stored. The goal of this attribute is to allow administration tools to link the FIDO UAF credentials and the dispatch targets. This identifier should not change during the whole lifetime of the device. If a deviceId and a dispatch target are provided, the device identifier will also be used for the created dispatch target. | true |
Attribute | Type | Description | Optional |
---|---|---|---|
name | `String | The name describing the dispatch target. It can be used as a user-friendly representation that helps the end-user to identify this target. It must be unique for all the dispatch targets defined for the user. | false |
dispatcher | String | The name of the default [Dispatcher] as configured in nevisFIDO that must be associated with this dispatch target. This value corresponds to the value of the type attribute in the nevisFIDO YAML configuration. If the client does not provide the dispatcher to be used in the dispatch token request, this is the dispatcher that will be invoked. This attribute is deprecated and will be ignored in future releases. | true |
target | String | The information required by the dispatcher to dispatch a token. Currently, this is only required when using the FCM dispatcher: it is the Firebase push registration token that nevisFIDO uses to send a push notification. If the FCM dispatcher is not used (i.e. if no push notifications are required), this attribute can be omitted when creating the dispatch target. | true |
signatureKey | Object | The public key that is used by nevisFIDO to verify the signature of the messages sent by the client to modify the dispatch target. It must be provided as a JWS object as described in the {jws-spec}. The use attribute of the JWS must be set to sig and the key_ops attribute must contain the value sign . | true |
encryptionKey | Object | The public key used by nevisFIDO to encrypt the tokens sent to the dispatch target. It must be provided as a JWS object as described in the {jws-spec}. The use attribute of the JWS must be set to enc and the key_ops attribute must contain the value encrypt . | true |
Suppose the following scenario: The client provides a Dispatch Target in the context, the FIDO UAF contents are successfully validated, but it is not possible to create the dispatch target. In this case, the server will return UAF status code "1498" ("Unacceptable Content"). Furthermore, also no FIDO UAF credential will be created, as the whole operation is handled atomically.
Response Headers
The following response headers will be set:
Name | Description |
---|---|
Content-Type | Content type header, fixed to application/fido+uaf;charset=UTF-8 . |
Response Body
The Registration Response Service will return a ServerResponse
object as described in the FIDO UAF HTTP Transport Specification
The ServerResponse
object has the following structure:
Attribute | Type | Description |
---|---|---|
statusCode | Number | UAF status code for the operation, see UAF Status Codes. If the client provided a dispatchTarget in the SendUAFResponse context, the validation of the FIDO UAF contents was successful, but the dispatch target could not be created, nevisFIDO will return a UAF status code UNACCEPTABLE_CONTENT (1498). |
description | String | Detailed message containing a user-friendly description of the registration result and the dispatch target ID (if one was created). This is the stringified representation of the JSON described in the [Registration Server Response]. |
additionalTokens | Array | New authentication or authorization token(s) for the client that are not natively handled by HTTP transport. |
location | String | If present, indicates to the client web application that it should navigate to the URI contained in this field. |
postData | String | If present, and in combination with location , indicates the client should POST the contents to the specified location. |
newUAFRequest | String | Server may return a new UAF protocol message with this field. This might be used to supply a fresh request to retry an operation in response to a transient failure, to request additional confirmation for a transaction, or to send a deregistration message in response to a permanent failure. |
The following attributes are ignored and not handled by nevisFIDO:
additionalTokens
location
postData
newUAFRequest
Attribute | Type | Description | Optional |
---|---|---|---|
message | String | A user-friendly description of the result of the registration operation. | true |
dispatchTargetId | String | The identifier of the dispatch target (if created). | true |
Example Request
POST /nevisfido/uaf/1.1/registration HTTP/1.1
Accept: application/fido+uaf
Content-Type: application/fido+uaf;charset=UTF-8
Host: fido.siven.ch
Content-Length: 3636
{
"uafResponse" : "[{\"header\":{\"serverData\":\"serverdata\",\"upv\":{\"major\":1,\"minor\":1},\"op\":\"Reg\",\"appID\":\"appID\"},\"fcParams\":\"eyJjaGFsbGVuZ2UiOiJjaGFsbGVuZ2UiLCJjaGFubmVsQmluZGluZyI6eyJjaWRfcHVia2V5IjoicHVia2V5In0sImFwcElEIjoiYXBwSUQiLCJmYWNldElEIjoiZmFjZXRJRCJ9\",\"assertions\":[{\"assertionScheme\":\"UAFV1TLV\",\"assertion\":\"AT5TAAM-PgALLgkAQUJCQiM5OTk5Di4HAAEAAQMAAAEKLgAACS4FAGtleUlkDS4IAAEAAAAFAAAADC4JAHB1YmxpY0tleQc-DQAGLgkAc2lnbmF0dXJl\"}]}]",
"context" : "{\"asmStatusCode\":0,\"clientErrorCode\":0,\"dispatchTarget\":{\"name\":\"My Mobile Phone\",\"target\":\"bk3RNwTe3H0:CI2k_HHwgIpoDKCIZvvDMExUdFQ3P198aDPO\",\"dispatcher\":\"firebase-cloud-messaging\",\"signatureKey\":{\"kty\":\"RSA\",\"x5t#S256\":\"Gdx2FPL7iCmnm7w9oZMIB5uAIJqD4_GTk9Opj4eWPig\",\"e\":\"AQAB\",\"use\":\"sig\",\"kid\":\"12815362391007865962\",\"x5c\":[\"MIICuzCCAaOgAwIBAgIJALHZUDIn7KxqMA0GCSqGSIb3DQEBCwUAMB0xCzAJBgNVBAYTAmNoMQ4wDAYDVQQDEwVzaXZlbjAeFw0yMjA3MjQxMzMwMjFaFw0yNDA3MjUxMzMwMjFaMB0xCzAJBgNVBAYTAmNoMQ4wDAYDVQQDEwVzaXZlbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOIqpTA7FrpxZrGWF8aLSrAD4UQanypOZmPA8PmVL9p+nDEG93/kD3iV/RBGvdL6IWhaCDZB2U/kZNID8vcgfwrAESNHhJaK3dcxV87E1D5H1oRnIv/R9dkS/WExErivRtk1qFXT+GKQf4j9oEKu8YsPaRHeZvvBc9oksQWbEDJPAkjXxEb/2+HJvu2tv6AC5K7f2GOwslkBV/LFQ4Iv1NYPdzD6kIYjAb+//KwJGCkRx5b4lVONobB2KY+6sBHVSYoWTakaSUhy44Ci550d16hpZ7xObdNgiX4am+2bLj4F2ZD3LYKs3171hIk2XlhhuYxiGaCU5ieHjZuqcP6rq8kCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEATkTYXOHdu1Eg5q8SjSOC3Xb1grg36RCa7W1v9vqoGP4qKdoe1a7giOHe9YIWhcwXKtlkWiE687wO3ZvzLTWLSwMTRpI3wO6bBsYfYWNWb60Q4uR9XEw5GbVprqQnXb7cNvrdCFsXcYwO4G/nX08s+vRsZkn710sVey9X/u4SuVPac8gavTXvLMz2Nitivkjn/luKhKzUfPLxlqOWjmyeLNs5FFEqzYBasiuU+2QOasoXahqtg7j34ODS9ZkDYVvBMwpesmm3Mz3K+ovWBflQa/PAmGIMlZhcmhTQ/JxnkjukUNWhfD6vNvQuY9y/Anc5JgnicoOWFIDA65jtnlT0Dg==\"],\"n\":\"4iqlMDsWunFmsZYXxotKsAPhRBqfKk5mY8Dw-ZUv2n6cMQb3f-QPeJX9EEa90vohaFoINkHZT-Rk0gPy9yB_CsARI0eElord1zFXzsTUPkfWhGci_9H12RL9YTESuK9G2TWoVdP4YpB_iP2gQq7xiw9pEd5m-8Fz2iSxBZsQMk8CSNfERv_b4cm-7a2_oALkrt_YY7CyWQFX8sVDgi_U1g93MPqQhiMBv7_8rAkYKRHHlviVU42hsHYpj7qwEdVJihZNqRpJSHLjgKLnnR3XqGlnvE5t02CJfhqb7ZsuPgXZkPctgqzfXvWEiTZeWGG5jGIZoJTmJ4eNm6pw_quryQ\"},\"encryptionKey\":{\"kty\":\"RSA\",\"x5t#S256\":\"Gdx2FPL7iCmnm7w9oZMIB5uAIJqD4_GTk9Opj4eWPig\",\"e\":\"AQAB\",\"use\":\"enc\",\"kid\":\"12815362391007865962\",\"x5c\":[\"MIICuzCCAaOgAwIBAgIJALHZUDIn7KxqMA0GCSqGSIb3DQEBCwUAMB0xCzAJBgNVBAYTAmNoMQ4wDAYDVQQDEwVzaXZlbjAeFw0yMjA3MjQxMzMwMjFaFw0yNDA3MjUxMzMwMjFaMB0xCzAJBgNVBAYTAmNoMQ4wDAYDVQQDEwVzaXZlbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOIqpTA7FrpxZrGWF8aLSrAD4UQanypOZmPA8PmVL9p+nDEG93/kD3iV/RBGvdL6IWhaCDZB2U/kZNID8vcgfwrAESNHhJaK3dcxV87E1D5H1oRnIv/R9dkS/WExErivRtk1qFXT+GKQf4j9oEKu8YsPaRHeZvvBc9oksQWbEDJPAkjXxEb/2+HJvu2tv6AC5K7f2GOwslkBV/LFQ4Iv1NYPdzD6kIYjAb+//KwJGCkRx5b4lVONobB2KY+6sBHVSYoWTakaSUhy44Ci550d16hpZ7xObdNgiX4am+2bLj4F2ZD3LYKs3171hIk2XlhhuYxiGaCU5ieHjZuqcP6rq8kCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEATkTYXOHdu1Eg5q8SjSOC3Xb1grg36RCa7W1v9vqoGP4qKdoe1a7giOHe9YIWhcwXKtlkWiE687wO3ZvzLTWLSwMTRpI3wO6bBsYfYWNWb60Q4uR9XEw5GbVprqQnXb7cNvrdCFsXcYwO4G/nX08s+vRsZkn710sVey9X/u4SuVPac8gavTXvLMz2Nitivkjn/luKhKzUfPLxlqOWjmyeLNs5FFEqzYBasiuU+2QOasoXahqtg7j34ODS9ZkDYVvBMwpesmm3Mz3K+ovWBflQa/PAmGIMlZhcmhTQ/JxnkjukUNWhfD6vNvQuY9y/Anc5JgnicoOWFIDA65jtnlT0Dg==\"],\"n\":\"4iqlMDsWunFmsZYXxotKsAPhRBqfKk5mY8Dw-ZUv2n6cMQb3f-QPeJX9EEa90vohaFoINkHZT-Rk0gPy9yB_CsARI0eElord1zFXzsTUPkfWhGci_9H12RL9YTESuK9G2TWoVdP4YpB_iP2gQq7xiw9pEd5m-8Fz2iSxBZsQMk8CSNfERv_b4cm-7a2_oALkrt_YY7CyWQFX8sVDgi_U1g93MPqQhiMBv7_8rAkYKRHHlviVU42hsHYpj7qwEdVJihZNqRpJSHLjgKLnnR3XqGlnvE5t02CJfhqb7ZsuPgXZkPctgqzfXvWEiTZeWGG5jGIZoJTmJ4eNm6pw_quryQ\"}}}"
}
cURL:
$ curl 'https://fido.siven.ch/nevisfido/uaf/1.1/registration' -i -X POST \
-H 'Accept: application/fido+uaf' \
-H 'Content-Type: application/fido+uaf;charset=UTF-8' \
-d '{
"uafResponse" : "[{\"header\":{\"serverData\":\"serverdata\",\"upv\":{\"major\":1,\"minor\":1},\"op\":\"Reg\",\"appID\":\"appID\"},\"fcParams\":\"eyJjaGFsbGVuZ2UiOiJjaGFsbGVuZ2UiLCJjaGFubmVsQmluZGluZyI6eyJjaWRfcHVia2V5IjoicHVia2V5In0sImFwcElEIjoiYXBwSUQiLCJmYWNldElEIjoiZmFjZXRJRCJ9\",\"assertions\":[{\"assertionScheme\":\"UAFV1TLV\",\"assertion\":\"AT5TAAM-PgALLgkAQUJCQiM5OTk5Di4HAAEAAQMAAAEKLgAACS4FAGtleUlkDS4IAAEAAAAFAAAADC4JAHB1YmxpY0tleQc-DQAGLgkAc2lnbmF0dXJl\"}]}]",
"context" : "{\"asmStatusCode\":0,\"clientErrorCode\":0,\"dispatchTarget\":{\"name\":\"My Mobile Phone\",\"target\":\"bk3RNwTe3H0:CI2k_HHwgIpoDKCIZvvDMExUdFQ3P198aDPO\",\"dispatcher\":\"firebase-cloud-messaging\",\"signatureKey\":{\"kty\":\"RSA\",\"x5t#S256\":\"Gdx2FPL7iCmnm7w9oZMIB5uAIJqD4_GTk9Opj4eWPig\",\"e\":\"AQAB\",\"use\":\"sig\",\"kid\":\"12815362391007865962\",\"x5c\":[\"MIICuzCCAaOgAwIBAgIJALHZUDIn7KxqMA0GCSqGSIb3DQEBCwUAMB0xCzAJBgNVBAYTAmNoMQ4wDAYDVQQDEwVzaXZlbjAeFw0yMjA3MjQxMzMwMjFaFw0yNDA3MjUxMzMwMjFaMB0xCzAJBgNVBAYTAmNoMQ4wDAYDVQQDEwVzaXZlbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOIqpTA7FrpxZrGWF8aLSrAD4UQanypOZmPA8PmVL9p+nDEG93/kD3iV/RBGvdL6IWhaCDZB2U/kZNID8vcgfwrAESNHhJaK3dcxV87E1D5H1oRnIv/R9dkS/WExErivRtk1qFXT+GKQf4j9oEKu8YsPaRHeZvvBc9oksQWbEDJPAkjXxEb/2+HJvu2tv6AC5K7f2GOwslkBV/LFQ4Iv1NYPdzD6kIYjAb+//KwJGCkRx5b4lVONobB2KY+6sBHVSYoWTakaSUhy44Ci550d16hpZ7xObdNgiX4am+2bLj4F2ZD3LYKs3171hIk2XlhhuYxiGaCU5ieHjZuqcP6rq8kCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEATkTYXOHdu1Eg5q8SjSOC3Xb1grg36RCa7W1v9vqoGP4qKdoe1a7giOHe9YIWhcwXKtlkWiE687wO3ZvzLTWLSwMTRpI3wO6bBsYfYWNWb60Q4uR9XEw5GbVprqQnXb7cNvrdCFsXcYwO4G/nX08s+vRsZkn710sVey9X/u4SuVPac8gavTXvLMz2Nitivkjn/luKhKzUfPLxlqOWjmyeLNs5FFEqzYBasiuU+2QOasoXahqtg7j34ODS9ZkDYVvBMwpesmm3Mz3K+ovWBflQa/PAmGIMlZhcmhTQ/JxnkjukUNWhfD6vNvQuY9y/Anc5JgnicoOWFIDA65jtnlT0Dg==\"],\"n\":\"4iqlMDsWunFmsZYXxotKsAPhRBqfKk5mY8Dw-ZUv2n6cMQb3f-QPeJX9EEa90vohaFoINkHZT-Rk0gPy9yB_CsARI0eElord1zFXzsTUPkfWhGci_9H12RL9YTESuK9G2TWoVdP4YpB_iP2gQq7xiw9pEd5m-8Fz2iSxBZsQMk8CSNfERv_b4cm-7a2_oALkrt_YY7CyWQFX8sVDgi_U1g93MPqQhiMBv7_8rAkYKRHHlviVU42hsHYpj7qwEdVJihZNqRpJSHLjgKLnnR3XqGlnvE5t02CJfhqb7ZsuPgXZkPctgqzfXvWEiTZeWGG5jGIZoJTmJ4eNm6pw_quryQ\"},\"encryptionKey\":{\"kty\":\"RSA\",\"x5t#S256\":\"Gdx2FPL7iCmnm7w9oZMIB5uAIJqD4_GTk9Opj4eWPig\",\"e\":\"AQAB\",\"use\":\"enc\",\"kid\":\"12815362391007865962\",\"x5c\":[\"MIICuzCCAaOgAwIBAgIJALHZUDIn7KxqMA0GCSqGSIb3DQEBCwUAMB0xCzAJBgNVBAYTAmNoMQ4wDAYDVQQDEwVzaXZlbjAeFw0yMjA3MjQxMzMwMjFaFw0yNDA3MjUxMzMwMjFaMB0xCzAJBgNVBAYTAmNoMQ4wDAYDVQQDEwVzaXZlbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOIqpTA7FrpxZrGWF8aLSrAD4UQanypOZmPA8PmVL9p+nDEG93/kD3iV/RBGvdL6IWhaCDZB2U/kZNID8vcgfwrAESNHhJaK3dcxV87E1D5H1oRnIv/R9dkS/WExErivRtk1qFXT+GKQf4j9oEKu8YsPaRHeZvvBc9oksQWbEDJPAkjXxEb/2+HJvu2tv6AC5K7f2GOwslkBV/LFQ4Iv1NYPdzD6kIYjAb+//KwJGCkRx5b4lVONobB2KY+6sBHVSYoWTakaSUhy44Ci550d16hpZ7xObdNgiX4am+2bLj4F2ZD3LYKs3171hIk2XlhhuYxiGaCU5ieHjZuqcP6rq8kCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEATkTYXOHdu1Eg5q8SjSOC3Xb1grg36RCa7W1v9vqoGP4qKdoe1a7giOHe9YIWhcwXKtlkWiE687wO3ZvzLTWLSwMTRpI3wO6bBsYfYWNWb60Q4uR9XEw5GbVprqQnXb7cNvrdCFsXcYwO4G/nX08s+vRsZkn710sVey9X/u4SuVPac8gavTXvLMz2Nitivkjn/luKhKzUfPLxlqOWjmyeLNs5FFEqzYBasiuU+2QOasoXahqtg7j34ODS9ZkDYVvBMwpesmm3Mz3K+ovWBflQa/PAmGIMlZhcmhTQ/JxnkjukUNWhfD6vNvQuY9y/Anc5JgnicoOWFIDA65jtnlT0Dg==\"],\"n\":\"4iqlMDsWunFmsZYXxotKsAPhRBqfKk5mY8Dw-ZUv2n6cMQb3f-QPeJX9EEa90vohaFoINkHZT-Rk0gPy9yB_CsARI0eElord1zFXzsTUPkfWhGci_9H12RL9YTESuK9G2TWoVdP4YpB_iP2gQq7xiw9pEd5m-8Fz2iSxBZsQMk8CSNfERv_b4cm-7a2_oALkrt_YY7CyWQFX8sVDgi_U1g93MPqQhiMBv7_8rAkYKRHHlviVU42hsHYpj7qwEdVJihZNqRpJSHLjgKLnnR3XqGlnvE5t02CJfhqb7ZsuPgXZkPctgqzfXvWEiTZeWGG5jGIZoJTmJ4eNm6pw_quryQ\"}}}"
}'
Example Response
HTTP/1.1 200 OK
Date: Mon, 25 Jul 2022 11:30:22 GMT
Content-Type: application/fido+uaf;charset=UTF-8
Transfer-Encoding: chunked
Content-Length: 226
{
"statusCode" : 1200,
"description" : "{\"message\":\"OK. Operation completed. A device with ID 650b436e-cf43-4e75-88a5-f406535ff253 has been registered.\",\"dispatchTargetId\":\"650b436e-cf43-4e75-88a5-f406535ff253\"}"
}
HTTP Status Codes
The following HTTP status codes are returned by the Registration Response Service:
HTTP Code | Description |
---|---|
200 | OK The server processed the request successfully. Check the response body for UAF specific status information. |
405 | Method Not Allowed The method of the received request was not POST . |
406 | Not Acceptable The Accept header is not properly set to application/fido+uaf . |
415 | Unsupported Media Type The Content-Type header is not properly set to application/fido+uaf;charset=UTF-8 . |