Skip to main content
Version: 7.2402.x.x RR

FIDO AuthStates

nevisFIDO provides its own AuthStates, which you can configure and use in nevisAuth.

Installation

The nevisFIDO AuthStates are installed using the client RPM. After installing the RPM, the AuthStates and the required dependencies are located under /opt/nevisfidocl/nevisauth/lib.

Configuration

We provide the following AuthStates:

  • FidoUafAuthState: configure this AuthState, if mobile authentication is executed by an AccessApp, where a browser is not involved.
    • Example use-case: the user initiates a removal of a credential through their AccessApp, and the process is to be authenticated with mobile authentication.
  • OutOfBandFidoUafAuthState: configure this AuthState, if mobile authentication is executed by an AccessApp, but the authentication is initiated from a browser from a different device.
    • Example use-case: the user tries to transfer money via a web application in the browser, and the process is to be authenticated by a push notification sent to the AccessApp, followed by mobile authentication.
  • Fido2AuthState: configure this AuthState if authentication is executed by the browser and native capabilities of the device.
    • Example use-case: the user logs into a web application through the browser using the fingerprint scanner of the mobile device.

When you configure a nevisFIDO AuthState, pay attention to the following:

  • If the classPath attribute is specified in the AuthEngine configuration, it has to contain the directory with the nevisFIDO AuthStates directory (as in the following sample code):

    <AuthEngine name="AuthEngine"
                classPath="/var/opt/nevisauth/default/plugin:/opt/nevisauth/plugin:/opt/nevisfidocl/nevisauth/lib"
                classLoadStrategy="PARENT_FIRST"
                useLiteralDictionary="true"
                addAutheLevelToSecRoles="true"
                compatLevel="none"
                inputLanguageCookie="LANG">

  • If you employ a JSON based client, use a DirectResponseState AuthState as the AuthDone AuthState to make integration easier. For example, the AuthDone AuthState in the sample below will return a successful HTTP response with { "message" : "successful authentication" } as body:

    <AuthState name="AuthDone"
               class="ch.nevis.esauth.auth.states.directResponse.DirectResponseState"
               final="true"
               resumeState="false">
        <Response value="AUTH_DONE"/>
        <property name="contentType" value="application/json"/>
        <property name="content" value="{&quot;message&quot;:&quot;successful authentication&quot;}"/>
        <property name="statusCode" value="200"/>
    </AuthState>

  • Restart the nevisAuth instance.

General Considerations

The FIDO UAF AuthStates have been designed to interact with clients that are capable of handling JSON. They can be configured to take information from HTTP requests containing JSON as payload; the configuration allows to define the attribute names of the JSON payload (see details below).

If the AuthStates are configured to take JSON as input, it is required that the Content-Type header of the incoming HTTP request is set to application/json;charset=UTF-8.

The protocol between the HTTP client and nevisAuth is not exactly the same as the one interacting directly with nevisFIDO (this protocol is specified in the FIDO UAF HTTP API). For example when using the FIDO UAF AuthStates, nevisAuth is the one generating the GetUAFRequest that triggers the authentication process and sends it to nevisFIDO. Depending on the use case and on how nevisAuth is configured, the information required to generate this GetUAFRequest (the username and the transactions) may come from the HTTP client or not.