Skip to main content
Version: 8.2411.x.x RR

Registration Options Service

By calling the Registration Options Service and requesting a ServerPublicKeyCredentialCreationOptionsResponse object from the FIDO2 server. This chapter describes the request and response messages between the FIDO2 Relying Party client and Server when calling the Registration Options Service.

info

It is recommended to protect this service using a SecToken.

Base URL

All URLs referenced in this section have the following base:

https://fido.siven.ch/nevisfido/fido2/attestation/options

HTTP Methods

POST and OPTIONS are the only supported HTTP method.

Request Headers

The following request headers are mandatory:

NameDescription
AcceptAccept header, must be application/json.
Content-TypeContent type header, must be application/json.

Request Body

The Registration Options Service requires from the FIDO2 client side of the Relying Party a JSON payload with a ServerPublicKeyCredentialOptionsRequest object. This object has the following structure:

AttributeTypeDescriptionOptional
usernameStringShould match conceptually with the user-attribute in the credential-repository.false
displayNameStringHuman-palatable name for the user account. Intended only for display.false
authenticatorSelectionObjectAuthenticatorSelectionCriteria to select the appropriate authenticators to participate in the registration.true
authenticatorSelection.authenticatorAttachmentStringDescribes the authenticators' attachment modalities.true
authenticatorSelection.requireResidentKeyBooleanBackwards compatibility, SHOULD set it to true if, and only if, residentKey is set to required.true
authenticatorSelection.residentKeyStringSpecifies the extent to which the Relying Party desires to create a client-side discoverable credential.true
authenticatorSelection.userVerificationStringThis member describes the Relying Party's requirements regarding user verification for the create() operation.true
attestationStringSpecify preference regarding attestation conveyance during credential generation.true

Response Headers

The following response headers will be set:

NameDescription
Content-TypeContent type header, fixed to application/json.

Response Body

The Registration Options Service returns a JSON body with a ServerPublicKeyCredentialCreationOptionsResponse object. This object has the following structure:

AttributeTypeDescription
statusStringDescribing the status of the response. Can be set to either "ok" or "failed".
errorMessageStringError message in case the status is failed.
fido2SessionIdStringIdentifier of the FIDO2 session in nevisFIDO. Can be used to query the status from the status service.
rp.idStringA unique identifier for the Relying Party entity. Configured in nevisfido.yml.
rp.nameStringA human-palatable identifier for the Relying Party, intended only for display. Configured in nevisfido.yml.
user.idStringThe user handle of the user account entity.
user.displayNameStringA human-palatable name for the user account, intended only for display.
user.nameStringA human-palatable identifier for a user account. It is intended only for display, i.e., aiding the user in determining the difference between user accounts with similar displayNames.
challengeStringChallenge intended to be used for generating the newly created credential's attestation object.
pubKeyCredParamsArrayDescribes the algorithms the server requires the client to adhere to upon credential generation.
pubKeyCredParams[].typeStringType of credential to be created. It is an extension point, currently only support public-key.
pubKeyCredParams[].algNumberThe COSEAlgorithmIdentifier specifies the cryptographic signature algorithm with which the newly generated credential will be used, and thus also the type of asymmetric key pair to be generated, e.g., RSA or Elliptic Curve.
timeoutNumberTimeout of the ceremony expressed in milliseconds.
excludeCredentialsArrayA sequence of ServerPublicKeyCredentialDescriptor objects, which represent authenticators the backend require the client to exclude from the ceremony, to avoid the registration of multiple credentials with the same authenticator.
authenticatorSelection.authenticatorAttachmentStringDescribes the authenticators' attachment modalities.
authenticatorSelection.requireResidentKeyBooleanBackwards compatibility, SHOULD set it to true if, and only if, residentKey is set to required.
authenticatorSelection.residentKeyStringSpecifies the extent to which the Relying Party desires to create a client-side discoverable credential.
authenticatorSelection.userVerificationStringThis member describes the Relying Party's requirements regarding user verification for the create() operation.
attestationStringSpecify preference regarding attestation conveyance during credential generation.
info

The nevisFIDO component currently does not support the FIDO2 specification for extensions.

Example Request

POST /nevisfido/fido2/attestation/options HTTP/1.1
Accept: application/json
Content-Type: application/json
Host: fido.siven.ch
Content-Length: 274

{
"username" : "[email protected]",
"displayName" : "jeff",
"authenticatorSelection" : {
"authenticatorAttachment" : "platform",
"requireResidentKey" : false,
"residentKey" : "discouraged",
"userVerification" : "preferred"
},
"attestation" : "direct"
}

cURL:

$ curl 'https://fido.siven.ch/nevisfido/fido2/attestation/options' -i -X POST \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
-d '{
"username" : "[email protected]",
"displayName" : "jeff",
"authenticatorSelection" : {
"authenticatorAttachment" : "platform",
"requireResidentKey" : false,
"residentKey" : "discouraged",
"userVerification" : "preferred"
},
"attestation" : "direct"
}'

Example Response

HTTP/1.1 200 OK
Date: Mon, 25 Jul 2022 11:31:03 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Content-Length: 963

{
"status" : "ok",
"errorMessage" : "",
"fido2SessionId" : "a89d00cb-0957-4b58-8f87-55ccf5d51b35",
"rp" : {
"id" : "siven.ch",
"name" : "siven"
},
"user" : {
"id" : "amVmZkBzaXZlbi5jaA",
"displayName" : "jeff",
"name" : "[email protected]"
},
"challenge" : "7T0MFD8EQrmG5wKe0bWd6Q",
"pubKeyCredParams" : [ {
"type" : "public-key",
"alg" : -65535
}, {
"type" : "public-key",
"alg" : -257
}, {
"type" : "public-key",
"alg" : -258
}, {
"type" : "public-key",
"alg" : -259
}, {
"type" : "public-key",
"alg" : -7
}, {
"type" : "public-key",
"alg" : -35
}, {
"type" : "public-key",
"alg" : -36
} ],
"timeout" : 300000,
"excludeCredentials" : [ ],
"authenticatorSelection" : {
"authenticatorAttachment" : "platform",
"requireResidentKey" : false,
"residentKey" : "discouraged",
"userVerification" : "preferred"
},
"attestation" : "direct"
}
info

Note that nevisFIDO includes proprietary extensions on the top of what is defined by the Conformance Test API:

  • fido2SessionId

HTTP Status Codes

The following HTTP status codes are returned by the Registration Options Service:

HTTP CodeDescription
200OK The server processed the request successfully. A ServerPublicKeyCredentialCreationOptionsResponse JSON object is returned.
405Method Not Allowed The method of the received request was not POST.
406Not Acceptable The Accept header is not properly set to application/json.
415Unsupported Media Type The Content-Type header is not properly set to application/json.