If the quorum policy is configured to require 2FA, then a call to this API produces a challenge that needs to be signed by the respective FIDO2/U2F device. The signed data that the U2F device provides can then be used with POST /sys/v1/approval_requests/:req_id/approve to successfully approve the request.
Protocols for MFA.
Success result
Name of the entity.
A unique identifier for the Relying Party entity, which sets the RP ID.
Name of the entity.
Human friendly name intended only for display.
This member contains information about the desired properties of the credential to be created. The sequence is ordered from most preferred to least preferred.
https://www.w3.org/TR/webauthn-2/#enum-credentialType
This enum defines valid cred types.
https://www.w3.org/TR/webauthn-2/#typedefdef-cosealgorithmidentifier
Signing algorithms from the IANA COSE Algorithms registry that the DSM side supports for verifying signed messages from the authenticator.
The time, in milliseconds, to wait for a response from the authenticator. Per the spec this is only a hint.
The existing creds mapped to the current user. This tells the authenticator not to create multiple creds for the same user.
NOTE: This isn't for U2F authenticators. For those, appidExclude needs to be set instead.
https://www.w3.org/TR/webauthn-2/#enum-credentialType
This enum defines valid cred types.
Hints by relying party on what transport client should use to communicate with authenticator.
Hints by relying party on how client should communicate with the authenticator.
https://www.w3.org/TR/webauthn-2/#enum-residentKeyRequirement
Tells the Relying Party's requirement about client-side discoverable creds (formerly known as resident keys). If client-side discoverable creds exist, the authenticator is self-sufficient in identifying the user. If this isn't the case, the user needs to log in first so that the server can identify the user and send allowCredentials to the authenticator.
This is mostly meant for username-less authentication (which we don't support in DSM). We support 2FA where we already know about the logged-in user.
Exists for backcompat with WebAuthn Level 1. By default it is false and should be set to true if residentKey is set to required.
https://www.w3.org/TR/webauthn-2/#enum-userVerificationRequirement https://www.w3.org/TR/webauthn-2/#user-verification
https://www.w3.org/TR/webauthn-2/#enum-attestation-convey https://www.w3.org/TR/webauthn-2/#sctn-attestation
If you really want to understand attestation, read the following: https://fidoalliance.org/fido-technotes-the-truth-about-attestation/ https://medium.com/webauthnworks/webauthn-fido2-demystifying-attestation-and-mds-efc3b3cb3651
This enum just specifies how the attestation should be conveyed to the RP. See the doc of the individual variants to understand the various ways.
This extension excludes authenticators during registration based on legacy U2F key handles specified in "excludeCredentials". If that key handle was created with that device, it is excluded.
https://www.w3.org/TR/webauthn-2/#sctn-appid-exclude-extension
This extension allows RPs that have previously registered a cred using legacy U2F APIs to request an assertion.
Dummy extension used by conformance tests
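The creation-option fields described above carry several consistency rules (the requireResidentKey backcompat rule, credential-type and transport enums, appidExclude only acting on U2F key handles listed in excludeCredentials). The following is an added example, not DSM's own code, that checks a WebAuthn Level 2 PublicKeyCredentialCreationOptions object against those rules; field names follow the W3C spec, and the accepted COSE algorithm set is an assumption rather than DSM's actual list.

```python
# Added example (not DSM's code): consistency checks for WebAuthn Level 2
# PublicKeyCredentialCreationOptions, following the field semantics documented
# above. SUPPORTED_COSE_ALGS is an assumed set, not DSM's actual list.
VALID_CRED_TYPES = {"public-key"}
VALID_TRANSPORTS = {"usb", "nfc", "ble", "internal"}
VALID_REQUIREMENT = {"discouraged", "preferred", "required"}
VALID_ATTESTATION = {"none", "indirect", "direct", "enterprise"}
SUPPORTED_COSE_ALGS = {-7, -8, -35, -36, -257}  # assumed: ES256, EdDSA, ES384, ES512, RS256

def check_descriptor(desc, field, problems):
    """Validate one PublicKeyCredentialDescriptor (type, id, transport hints)."""
    if desc.get("type") not in VALID_CRED_TYPES:
        problems.append(f"{field}: unknown credential type {desc.get('type')!r}")
    if not desc.get("id"):
        problems.append(f"{field}: credential id is empty")
    for t in desc.get("transports", []):
        if t not in VALID_TRANSPORTS:
            problems.append(f"{field}: unknown transport hint {t!r}")

def validate_creation_options(opts):
    """Return a list of problems; an empty list means the options are consistent."""
    problems = []
    params = opts.get("pubKeyCredParams", [])
    if not params:
        problems.append("pubKeyCredParams: at least one algorithm is required")
    for p in params:  # ordered from most preferred to least preferred
        if p.get("type") not in VALID_CRED_TYPES:
            problems.append(f"pubKeyCredParams: unknown credential type {p.get('type')!r}")
        if p.get("alg") not in SUPPORTED_COSE_ALGS:
            problems.append(f"pubKeyCredParams: COSE alg {p.get('alg')} not supported for verification")
    timeout = opts.get("timeout")
    if timeout is not None and (not isinstance(timeout, int) or timeout <= 0):
        problems.append("timeout: must be a positive number of milliseconds")
    sel = opts.get("authenticatorSelection", {})
    for key in ("residentKey", "userVerification"):
        if key in sel and sel[key] not in VALID_REQUIREMENT:
            problems.append(f"authenticatorSelection.{key}: invalid value {sel[key]!r}")
    # Level 1 clients only understand requireResidentKey, so both fields must agree.
    if sel.get("residentKey") == "required" and not sel.get("requireResidentKey", False):
        problems.append("authenticatorSelection: residentKey=required needs requireResidentKey=true")
    if opts.get("attestation", "none") not in VALID_ATTESTATION:
        problems.append(f"attestation: invalid conveyance {opts['attestation']!r}")
    exclude = opts.get("excludeCredentials", [])
    for desc in exclude:
        check_descriptor(desc, "excludeCredentials", problems)
    # appidExclude only acts on legacy U2F key handles listed in excludeCredentials.
    if "appidExclude" in opts.get("extensions", {}) and not exclude:
        problems.append("extensions.appidExclude: set but excludeCredentials is empty")
    return problems
```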
The time, in milliseconds, to wait for a response from the authenticator. Per the spec this is only a hint.
This optional member specifies the relying party identifier claimed by the caller. If omitted, its value will be the CredentialsContainer object’s relevant settings object's origin's effective domain.
This OPTIONAL member contains a list of [PublicKeyCredentialDescriptor] objects representing public key credentials acceptable to the caller, in descending order of the caller’s preference (the first item in the list is the most preferred credential, and so on down the list).
https://www.w3.org/TR/webauthn-2/#enum-credentialType
This enum defines valid cred types.
Hints by relying party on what transport client should use to communicate with authenticator.
Hints by relying party on how client should communicate with the authenticator.
https://www.w3.org/TR/webauthn-2/#enum-userVerificationRequirement https://www.w3.org/TR/webauthn-2/#user-verification
This extension excludes authenticators during registration based on legacy U2F key handles specified in "excludeCredentials". If that key handle was created with that device, it is excluded.
https://www.w3.org/TR/webauthn-2/#sctn-appid-exclude-extension
This extension allows RPs that have previously registered a cred using legacy U2F APIs to request an assertion.
Dummy extension used by conformance tests