Skip to main content
Version: 8.2411.x.x RR

Shared Structures

This chapter describes all attributes that are shared among the different operations and services.

The attributes refer to various types or structures of information (for example, some attributes define the (operation) header; others define the channel binding). All attributes belonging to the same information type or structure are listed in one dictionary (e.g., the OperationHeader Dictionary or the ChannelBinding Dictionary).

Version

The Version attributes refer to the UAF protocol version.

AttributeTypeDescriptionOptional
majornumberMajor version, must be 1.false
minornumberMinor version, must be 1.false
info

nevisFIDO only supports the FIDO UAF protocol version 1.1.

Operation Header

The Operation Header attributes define the operation header of UAF request and response messages.

AttributeTypeDescriptionOptional
upvVersionRefers to the UAF protocol version. For details, see the Version dictionary.false
opStringName of the FIDO operation this message relates to.false
appIDStringThe application identifier that the relying party would like to assert.true
serverDataStringA session identifier created by the relying party.true
extsExtension[]Defines a list of UAF message extensions. For details, see the Extension dictionary.true

Extension

The Extension attributes define (UAF) extensions to the operation header. The extension attributes are set in the operation header attribute exts (see also the Operation Header dictionary).

AttributeTypeDescriptionOptional
idStringIdentifies the extension.false
dataStringContains arbitrary data with semantics agreed between the server and client. Binary data is base64url-encoded. This field may be empty.false
fail_if_unknownBooleanIndicates whether unknown extensions must be ignored (false) or must lead to an error (true).false

Proprietary Extensions

Currently, there is one proprietary extension, the Session ID Extension. This extension contains a unique session identifier. This unique session identifier can be used to query the current authentication status of the FIDO session through the Status Service.

The Session ID Extension has the following settings:

id ch.nevis.auth.fido.uaf.sessionid

data \<unique session identifier>

fail_if_unknown false

Example:

{
"id": "ch.nevis.auth.fido.uaf.sessionid",
"data": "d61e461e-c597-4ed3-9d71-12d1c0e3556c",
"fail_if_unknown": false
}

Final Challenge Parameters

The Final Challenge parameters (or attributes) define all information required for the server to verify the final challenge. For a description of the final challenge parameters, see the FinalChallengeParams dictionary below.

The final challenge parameters are sent in the request messages of the Registration and Authentication Response Services, as a base64url-encoded UTF-8 string. The corresponding attribute is fcParams. For more information, see the chapters Registration Response Service and Authentication Response Service.

AttributeTypeDescriptionOptional
appIDStringThe application ID. The value must be taken from the appID field/attribute of the operation header (see also Operation Header dictionary).false
challengeStringThe challenge. The value must be taken from the challenge field/attribute of the request (e.g., RegistrationRequest.challenge, AuthenticationRequest.challenge - see also Registration Request dictionary and Authentication Request dictionary).false
facetIDStringThe facet ID. The value is determined by the FIDO client and depends on the calling application.false
channelBindingChannelBindingThis attribute contains the TLS information that the FIDO client must send to the FIDO server. The server needs this information to bind the TLS channel to the FIDO operation. The value of this attribute is defined by the Channel Binding attributes. For more information on the channel binding attributes, see Channel Binding dictionary.false

Channel Binding

The Channel Binding attributes specify the binding of the TLS channel to the FIDO operation. For a description of the channel binding attributes, see the ChannelBinding dictionary below.

The channel binding information is part of the final challenge information. The channel binding attributes are set in the final challenge parameter channelBinding.

AttributeTypeDescriptionOptional
serverEndPointStringIf the TLS server certificate is available, the attribute serverEndPoint must be set to the base64url-encoded hash of the certificate. If the certificate is not available or the hash cannot be determined, the attribute must be absent.true
tlsServerCertificateStringThe attribute tlsServerCertificate is set to the base64url-encoded, DER-encoded TLS server certificate. If this data is not available to the FIDO Client, the attribute must be absent.true
tlsUniqueStringThe attribute tlsUnique is set to the base64url-encoded TLS channel Finished structure. If this data is not available to the FIDO client, the attribute must be absent.true
cid_pubkeyStringThe attribute cid_pubkey is set to the base64url-encoded serialized JwkKey structure using UTF-8 encoding. Set the attribute to "unused", if the TLS ChannelID information is supported by the client-side TLS stack but has not been signaled by the TLS (web) server. The attribute must be absent, if the client TLS stack does not provide TLS ChannelID information at all to the processing entity (e.g., the web browser or client application).true

UAF Status Codes

The UAF status codes indicate the result of the UAF operation at the FIDO server side. They are included in the response messages.

The table below describes the UAF status codes.

CodeMeaning
1200OK Operation completed.
1202Accepted Message accepted, but not completed at this time.
1400Bad Request The server did not understand the message.
1401Unauthorized The username must be authenticated to perform this operation, or the key ID is not associated with this username.
1403Forbidden The username is not allowed to perform this operation. The client should not retry.
1404Not Found
1408Request Timeout
1480Unknown AAID The server was unable to locate authoritative metadata for the AAID (Authenticator Attestation ID).
1481Unknown Key ID The server was unable to locate a registration for the given username and key ID combination. This error indicates that there is an invalid registration on the user’s device. When this error occurs, it is recommended that the FIDO client deletes the key from the local device.
1490Channel Binding Refused The server refused to service the request due to missing or mismatched channel binding(s).
1491Request Invalid The server refused to service the request because the request message nonce was unknown, expired or the server has previously serviced a message with the same nonce and username.
1492Unacceptable Authenticator The authenticator is not acceptable according to the server’s policy, for example because the capability registry used by the server reported different capabilities than those reported at the client-side discovery.
1493Revoked Authenticator The authenticator is considered revoked by the server.
1494Unacceptable Key The used key is unacceptable, for example because it is on a list of known weak keys or uses insecure parameter choices.
1495Unacceptable Algorithm The server believes the authenticator to be capable of using a stronger mutually-agreeable algorithm than was presented in the request.
1496Unacceptable Attestation The attestation(s) provided were not accepted by the server.
1497Unacceptable Client Capabilities The server was unable or unwilling to use required capabilities provided supplementary to the authenticator by the client software.
1498Unacceptable Content There was a problem with the contents of the message and the server was unwilling or unable to process it.
1500Internal Server Error

Client Error Codes

info

The client error codes are generated by the FIDO UAF client, which is not part of the nevisFIDO product. This means that also these client error codes are not part of nevisFIDO. Therefore, the following descriptions of the client error codes are based on the client error code descriptions in the official FIDO UAF documentation (and do not come from our own developers). For more information, refer to FIDO UAF client error codes .

The client error codes show the result of an UAF operation on the FIDO client side. The client error codes are included in the SendUAFResponse sent by the client to the FIDO server. They are exposed by the Status Service.

The table below describes the client error codes.

CodeMeaning
0No Error The operation has been completed without encountering any error condition.
1Wait User Action Waiting for the user to perform a certain action, for example, to select an authenticator in the FIDO client user interface, to perform verification, or to complete an enrollment step with an authenticator.
2Insecure Transport Indicates that the transport is insecure. For example, the value of the window.location.protocol object is not "HTTPS", or the Document Object Model DOM contains insecure mixed content.
3User Cancelled The user declined any part of the interaction necessary to complete the registration.
4Unsupported Version The UAF message does not include a protocol version supported by this FIDO UAF client.
5No Suitable Authenticator There is no authenticator available that matches the authenticator policy specified in the UAF message. Another possibility is that the user declined to consent to the use of a suitable authenticator.
6Protocol Error A violation of the UAF protocol occurred. For example, the interaction may have timed out, the origin associated with the message may not match the origin of the calling DOM context, or the protocol message may be malformed or tampered with.
7Untrusted Facet ID The client declined to process the operation. This is because the caller’s calculated facet identifier was missing from the list of trusted application identifiers specified in the request message.
9Key Disappeared Permanently Indicates that the UAuth key disappeared from the authenticator and cannot be restored.
12Authenticator Access Denied The authenticator denied access to the resulting request.
13Invalid Transaction Content Transaction content cannot be rendered. For example, the format does not fit the authenticator’s need.
14User Not Responsive The user took too long to follow an instruction. For example, the user did not swipe the finger within the accepted time frame.
15Insufficient Authenticator Resources Indicates that the authenticator has not enough resources to perform the requested task.
16User Lockout If a user produces too many failed verification attempts, he/she will be locked. Usually, the user must perform an unlock operation to re-enable the main verification method. Such an unlock operation could be, for example, an alternative password authentication. This error code indicates that either such an unlock operation does not exist, or that the ASM/authenticator cannot automatically trigger it. The error code will be reported.
17User Not Enrolled The operation failed because the user is not enrolled, and the authenticator cannot automatically trigger user enrollment.
255Unknown Indicates an error condition not described by the above-listed codes.

ASM Status Codes

info

The ASM status codes are generated by the authenticator module of the FIDO UAF client, which is not part of the nevisFIDO product. This means that also these ASM status codes are not part of nevisFIDO. Therefore, the following descriptions of the ASM status codes are based on the ASM status code descriptions in the official FIDO UAF documentation (and do not come from our own developers). For more information, refer to FIDO UAF ASM status codes .

The ASM status codes show the result of an UAF operation at the FIDO client side, on the level of the authenticator module (ASM = authenticator-specific module). The ASM status codes are included in the SendUAFResponse object sent by the client to the FIDO server. They are exposed by the Status Service.

The table below describes the ASM status codes.

CodeMeaning
0OK No error condition encountered.
1Error An unknown error has been encountered during the processing.
2Access Denied Access to this request is denied.
3User Cancelled Indicates that the user explicitly canceled the request.
4Cannot Render Transaction Content Transaction content cannot be rendered. For example, the format does not fit the authenticator’s need.
9Key Disappeared Permanently Indicates that the UAuth key disappeared from the authenticator and cannot be restored.
11Authenticator Disconnected Indicates that the authenticator is no longer connected to the ASM.
14User not Responsive The user took too long to follow an instruction. For example, the user did not swipe the finger within the accepted time frame.
15Insufficient Authentication Resources The authenticator has not enough resources to perform the requested task.
16User Lockout If a user produces too many failed verification attempts, he/she will be locked. Usually, the user must perform an unlock operation to re-enable the main verification method. Such an unlock operation could be, for example, an alternative password authentication. This error code indicates that either such an unlock operation does not exist, or that the ASM/authenticator cannot automatically trigger it. The error code will be reported.
17User not Enrolled The operation failed because the user is not enrolled, and the authenticator cannot automatically trigger user enrollment.

Authenticators

The Authenticator attributes contain information about the authenticators.

  • In the case of a successfully completed registration or authentication, the Authenticator attributes refer to the authenticators used to generate the validated assertions.
  • In the case of deregistration, the Authenticator attributes refer to the deregistered authenticators.

This information is exposed by the Status Service.

AttributeTypeDescriptionOptional
aaidStringThe AAID of the authenticator used to generate the assertions.false