Shared Structures
This chapter describes all attributes that are shared among the different operations and services.
The attributes refer to various types or structures of information (for example, some attributes define the (operation) header; others define the channel binding). All attributes belonging to the same information type or structure are listed in one dictionary (e.g., the OperationHeader Dictionary or the ChannelBinding Dictionary).
Version
The Version attributes refer to the UAF protocol version.
| Attribute | Type | Description | Optional |
|---|---|---|---|
major | number | Major version, must be 1. | false |
minor | number | Minor version, must be 1. | false |
nevisFIDO only supports the FIDO UAF protocol version 1.1.
Operation Header
The Operation Header attributes define the operation header of UAF request and response messages.
| Attribute | Type | Description | Optional |
|---|---|---|---|
upv | Version | Refers to the UAF protocol version. For details, see the Version dictionary. | false |
op | String | Name of the FIDO operation this message relates to. | false |
appID | String | The application identifier that the relying party would like to assert. | true |
serverData | String | A session identifier created by the relying party. | true |
exts | Extension[] | Defines a list of UAF message extensions. For details, see the Extension dictionary. | true |
Extension
The Extension attributes define (UAF) extensions to the operation header. The extension attributes are set in the operation header attribute exts (see also the Operation Header dictionary).
| Attribute | Type | Description | Optional |
|---|---|---|---|
id | String | Identifies the extension. | false |
data | String | Contains arbitrary data with semantics agreed between the server and client. Binary data is base64url-encoded. This field may be empty. | false |
fail_if_unknown | Boolean | Indicates whether unknown extensions must be ignored (false) or must lead to an error (true). | false |
Proprietary Extensions
Currently, there is one proprietary extension, the Session ID Extension. This extension contains a unique session identifier. This unique session identifier can be used to query the current authentication status of the FIDO session through the Status Service.
The Session ID Extension has the following settings:
id ch.nevis.auth.fido.uaf.sessionid
data \<unique session identifier>
fail_if_unknown false
Example:
{
"id": "ch.nevis.auth.fido.uaf.sessionid",
"data": "d61e461e-c597-4ed3-9d71-12d1c0e3556c",
"fail_if_unknown": false
}
Final Challenge Parameters
The Final Challenge parameters (or attributes) define all information required for the server to verify the final challenge. For a description of the final challenge parameters, see the FinalChallengeParams dictionary below.
The final challenge parameters are sent in the request messages of the Registration and Authentication Response Services, as a base64url-encoded UTF-8 string. The corresponding attribute is fcParams. For more information, see the chapters Registration Response Service and Authentication Response Service.
| Attribute | Type | Description | Optional |
|---|---|---|---|
appID | String | The application ID. The value must be taken from the appID field/attribute of the operation header (see also Operation Header dictionary). | false |
challenge | String | The challenge. The value must be taken from the challenge field/attribute of the request (e.g., RegistrationRequest.challenge, AuthenticationRequest.challenge - see also Registration Request dictionary and Authentication Request dictionary). | false |
facetID | String | The facet ID. The value is determined by the FIDO client and depends on the calling application. | false |
channelBinding | ChannelBinding | This attribute contains the TLS information that the FIDO client must send to the FIDO server. The server needs this information to bind the TLS channel to the FIDO operation. The value of this attribute is defined by the Channel Binding attributes. For more information on the channel binding attributes, see Channel Binding dictionary. | false |
Channel Binding
The Channel Binding attributes specify the binding of the TLS channel to the FIDO operation. For a description of the channel binding attributes, see the ChannelBinding dictionary below.
The channel binding information is part of the final challenge information. The channel binding attributes are set in the final challenge parameter channelBinding.
| Attribute | Type | Description | Optional |
|---|---|---|---|
serverEndPoint | String | If the TLS server certificate is available, the attribute serverEndPoint must be set to the base64url-encoded hash of the certificate. If the certificate is not available or the hash cannot be determined, the attribute must be absent. | true |
tlsServerCertificate | String | The attribute tlsServerCertificate is set to the base64url-encoded, DER-encoded TLS server certificate. If this data is not available to the FIDO Client, the attribute must be absent. | true |
tlsUnique | String | The attribute tlsUnique is set to the base64url-encoded TLS channel Finished structure. If this data is not available to the FIDO client, the attribute must be absent. | true |
cid_pubkey | String | The attribute cid_pubkey is set to the base64url-encoded serialized JwkKey structure using UTF-8 encoding. Set the attribute to "unused", if the TLS ChannelID information is supported by the client-side TLS stack but has not been signaled by the TLS (web) server. The attribute must be absent, if the client TLS stack does not provide TLS ChannelID information at all to the processing entity (e.g., the web browser or client application). | true |
UAF Status Codes
The UAF status codes indicate the result of the UAF operation at the FIDO server side. They are included in the response messages.
The table below describes the UAF status codes.
| Code | Meaning |
|---|---|
| 1200 | OK Operation completed. |
| 1202 | Accepted Message accepted, but not completed at this time. |
| 1400 | Bad Request The server did not understand the message. |
| 1401 | Unauthorized The username must be authenticated to perform this operation, or the key ID is not associated with this username. |
| 1403 | Forbidden The username is not allowed to perform this operation. The client should not retry. |
| 1404 | Not Found |
| 1408 | Request Timeout |
| 1480 | Unknown AAID The server was unable to locate authoritative metadata for the AAID (Authenticator Attestation ID). |
| 1481 | Unknown Key ID The server was unable to locate a registration for the given username and key ID combination. This error indicates that there is an invalid registration on the user’s device. When this error occurs, it is recommended that the FIDO client deletes the key from the local device. |
| 1490 | Channel Binding Refused The server refused to service the request due to missing or mismatched channel binding(s). |
| 1491 | Request Invalid The server refused to service the request because the request message nonce was unknown, expired or the server has previously serviced a message with the same nonce and username. |
| 1492 | Unacceptable Authenticator The authenticator is not acceptable according to the server’s policy, for example because the capability registry used by the server reported different capabilities than those reported at the client-side discovery. |
| 1493 | Revoked Authenticator The authenticator is considered revoked by the server. |
| 1494 | Unacceptable Key The used key is unacceptable, for example because it is on a list of known weak keys or uses insecure parameter choices. |
| 1495 | Unacceptable Algorithm The server believes the authenticator to be capable of using a stronger mutually-agreeable algorithm than was presented in the request. |
| 1496 | Unacceptable Attestation The attestation(s) provided were not accepted by the server. |
| 1497 | Unacceptable Client Capabilities The server was unable or unwilling to use required capabilities provided supplementary to the authenticator by the client software. |
| 1498 | Unacceptable Content There was a problem with the contents of the message and the server was unwilling or unable to process it. |
| 1500 | Internal Server Error |
Client Error Codes
The client error codes are generated by the FIDO UAF client, which is not part of the nevisFIDO product. This means that also these client error codes are not part of nevisFIDO. Therefore, the following descriptions of the client error codes are based on the client error code descriptions in the official FIDO UAF documentation (and do not come from our own developers). For more information, refer to FIDO UAF client error codes .
The client error codes
show the result of an UAF operation on the FIDO client side. The client error codes are included in the SendUAFResponse sent by the client to the FIDO server. They are exposed by the Status Service.
The table below describes the client error codes.
| Code | Meaning |
|---|---|
| 0 | No Error The operation has been completed without encountering any error condition. |
| 1 | Wait User Action Waiting for the user to perform a certain action, for example, to select an authenticator in the FIDO client user interface, to perform verification, or to complete an enrollment step with an authenticator. |
| 2 | Insecure Transport Indicates that the transport is insecure. For example, the value of the window.location.protocol object is not "HTTPS", or the Document Object Model DOM contains insecure mixed content. |
| 3 | User Cancelled The user declined any part of the interaction necessary to complete the registration. |
| 4 | Unsupported Version The UAF message does not include a protocol version supported by this FIDO UAF client. |
| 5 | No Suitable Authenticator There is no authenticator available that matches the authenticator policy specified in the UAF message. Another possibility is that the user declined to consent to the use of a suitable authenticator. |
| 6 | Protocol Error A violation of the UAF protocol occurred. For example, the interaction may have timed out, the origin associated with the message may not match the origin of the calling DOM context, or the protocol message may be malformed or tampered with. |
| 7 | Untrusted Facet ID The client declined to process the operation. This is because the caller’s calculated facet identifier was missing from the list of trusted application identifiers specified in the request message. |
| 9 | Key Disappeared Permanently Indicates that the UAuth key disappeared from the authenticator and cannot be restored. |
| 12 | Authenticator Access Denied The authenticator denied access to the resulting request. |
| 13 | Invalid Transaction Content Transaction content cannot be rendered. For example, the format does not fit the authenticator’s need. |
| 14 | User Not Responsive The user took too long to follow an instruction. For example, the user did not swipe the finger within the accepted time frame. |
| 15 | Insufficient Authenticator Resources Indicates that the authenticator has not enough resources to perform the requested task. |
| 16 | User Lockout If a user produces too many failed verification attempts, he/she will be locked. Usually, the user must perform an unlock operation to re-enable the main verification method. Such an unlock operation could be, for example, an alternative password authentication. This error code indicates that either such an unlock operation does not exist, or that the ASM/authenticator cannot automatically trigger it. The error code will be reported. |
| 17 | User Not Enrolled The operation failed because the user is not enrolled, and the authenticator cannot automatically trigger user enrollment. |
| 255 | Unknown Indicates an error condition not described by the above-listed codes. |
ASM Status Codes
The ASM status codes are generated by the authenticator module of the FIDO UAF client, which is not part of the nevisFIDO product. This means that also these ASM status codes are not part of nevisFIDO. Therefore, the following descriptions of the ASM status codes are based on the ASM status code descriptions in the official FIDO UAF documentation (and do not come from our own developers). For more information, refer to FIDO UAF ASM status codes .
The ASM status codes
show the result of an UAF operation at the FIDO client side, on the level of the authenticator module (ASM =
authenticator-specific module). The ASM status codes are included in the SendUAFResponse object sent by the client to the FIDO server. They are exposed by the Status Service.
The table below describes the ASM status codes.
| Code | Meaning |
|---|---|
| 0 | OK No error condition encountered. |
| 1 | Error An unknown error has been encountered during the processing. |
| 2 | Access Denied Access to this request is denied. |
| 3 | User Cancelled Indicates that the user explicitly canceled the request. |
| 4 | Cannot Render Transaction Content Transaction content cannot be rendered. For example, the format does not fit the authenticator’s need. |
| 9 | Key Disappeared Permanently Indicates that the UAuth key disappeared from the authenticator and cannot be restored. |
| 11 | Authenticator Disconnected Indicates that the authenticator is no longer connected to the ASM. |
| 14 | User not Responsive The user took too long to follow an instruction. For example, the user did not swipe the finger within the accepted time frame. |
| 15 | Insufficient Authentication Resources The authenticator has not enough resources to perform the requested task. |
| 16 | User Lockout If a user produces too many failed verification attempts, he/she will be locked. Usually, the user must perform an unlock operation to re-enable the main verification method. Such an unlock operation could be, for example, an alternative password authentication. This error code indicates that either such an unlock operation does not exist, or that the ASM/authenticator cannot automatically trigger it. The error code will be reported. |
| 17 | User not Enrolled The operation failed because the user is not enrolled, and the authenticator cannot automatically trigger user enrollment. |
Authenticators
The Authenticator attributes contain information about the authenticators.
- In the case of a successfully completed registration or authentication, the Authenticator attributes refer to the authenticators used to generate the validated assertions.
- In the case of deregistration, the Authenticator attributes refer to the deregistered authenticators.
This information is exposed by the Status Service.
| Attribute | Type | Description | Optional |
|---|---|---|---|
aaid | String | The AAID of the authenticator used to generate the assertions. | false |