Authenticate a user or an app to begin a session. The caller needs to provide a basic authentication token or an appropriate request body (see input type). The response body contains a bearer authentication token which needs to be provided by subsequent calls for the duration of the session.
If this is basic auth and the user has MFA devices configured, the response also contains a challenge for the device to sign. Until the signed assertion is passed to POST /sys/v1/session/auth/2fa/fido2 to complete 2FA, the bearer token can't be used for anything else.
The account where the IdP is configured. This should only be used if attempting to self-provision into the account. (Self-provisioning may not be possible for existing users; they may need to be manually invited into the account.)
The user's email.
The user's password.
The response token after solving a reCAPTCHA successfully.
Success result
Token value that the client should subsequently pass in the Authorization header.
The time to wait for a response from the authenticator, in milliseconds. Per the spec, this should be treated only as a hint.
This optional member specifies the relying party identifier claimed by the caller. If omitted, its value will be the CredentialsContainer object’s relevant settings object's origin's effective domain.
This OPTIONAL member contains a list of [PublicKeyCredentialDescriptor] objects representing public key credentials acceptable to the caller, in descending order of the caller’s preference (the first item in the list is the most preferred credential, and so on down the list).
https://www.w3.org/TR/webauthn-2/#enum-credentialType
This enum defines the valid credential types.
Hints from the relying party on which transport the client should use to communicate with the authenticator.
Hints from the relying party on how the client should communicate with the authenticator.
https://www.w3.org/TR/webauthn-2/#enum-userVerificationRequirement https://www.w3.org/TR/webauthn-2/#user-verification
This extension excludes authenticators during registration based on legacy U2F key handles specified in "excludeCredentials". If that key handle was created with that device, it is excluded.
https://www.w3.org/TR/webauthn-2/#sctn-appid-exclude-extension
This extension allows RPs that have previously registered a credential using legacy U2F APIs to request an assertion.
Dummy extension used by conformance tests.
Name given to the FIDO device.
Type of MFA device
Origin of the FIDO device.