When client-side discoverable resident keys are used with WebAuthN, it is not necessary for the relying party to first identify the user trying to sign in. How then does the RP know which user signed in? Does the RP just receive the AuthenticatorAssertionResponse and get the user.id from that?
Upvotes: 2
The value of response.userHandle in an assertion response can be used to identify the user that's logging in - it will equal whatever was set to user.id in the PublicKeyCredentialCreationOptions that were passed to navigator.credentials.create().

userHandle is a potentially undefined value, but when resident keys are required during attestation then the authenticator must remember the user ID - see Step 7.4 of the authenticatorMakeCredential operation (the user handle is part of the key the authenticator uses in its internal credentials map to remember a discoverable credential for a given RP ID and user handle).
Upvotes: 2