actually define other 2fa methods
This commit is contained in:
parent
54b4035926
commit
6a653410c3
1 changed files with 41 additions and 1 deletions
|
@ -249,7 +249,47 @@ The footer contains the following claim:
|
|||
|-|-|
|
||||
| `kid` | PASERK k4.pid public key id |
|
||||
|
||||
####
|
||||
#### WebAuthn
|
||||
We support support for P-256 and Ed25519 curves. If the authenticator supports Ed25519, the application **MUST** use Ed25519. [^12]
|
||||
|
||||
As per the webauthn spec, a challenge, along with other data, is signed by the authenticator.
|
||||
|
||||
The challenge signed is a json object with the following properties:
|
||||
|
||||
| Name | Description |
|
||||
|-|-|
|
||||
| `wpt` | The Authentication claim |
|
||||
| `jti` | `b64_urlsafe(blake3_derive_key(b"auth.chir.rs-2fa-webauthn-v0", session_key, 32))` |
|
||||
|
||||
The data uploaded to the server is a json dictionary containing the following properties:
|
||||
|
||||
| Name | Description |
|
||||
|-|-|
|
||||
| `tid` | Token id, prepended with `webauthn-` |
|
||||
| `authenticatorData` | Authenticator Data, encoded as urlsafe b64 |
|
||||
| `clientDataJson` | The client Data JSON, encoded as a string |
|
||||
| `signature` | The signature, encoded as urlsafe b64 |
|
||||
|
||||
The key is identified like the tid property above.
|
||||
|
||||
[^12]: Depending on standardization, future versions may accept additional Edwards-Curve based signature algorithms.
|
||||
|
||||
#### Android Keystore
|
||||
Android unfortunately only supports P-256, however luckily this is guaranteed to be supported by the strongbox implementation.
|
||||
|
||||
The challenge to be signed is a json document containing the following properties:
|
||||
|
||||
| Name | Description |
|
||||
|-|-|
|
||||
| `wpt` | The authentication claim |
|
||||
| `jti` | `b64_urlsafe(blake3_derive_key(b"auth.chir.rs-2fa-android-v0", session_key, 32))` |
|
||||
| `kid` | `keystore-b64_urlsafe(blake3(pubkey.get_encoded()))` |
|
||||
|
||||
The key is identified like the kid property above.
|
||||
|
||||
Applications **MUST** use the android keystore system for generating and storing the keypair. They **SHALL** also use the strongbox implementation the device has and **SHALL** warn the user if that is not available.
|
||||
|
||||
If a future version of the API supports Ed25519 that is also supported by strongbox, applications **SHOULD** prefer the “Plain Ed25519” variant over this.
|
||||
|
||||
### 6: Returning the authentication code
|
||||
The authentication code is generated like this and is returned to the requesting application like in oauth2
|
||||
|
|
Loading…
Reference in a new issue