WebAuthnRegistrationNode

Realm Operations

Resource path:

/realm-config/authentication/authenticationtrees/nodes/WebAuthnRegistrationNode

Resource version: 1.0

create

Usage

am> create WebAuthnRegistrationNode --realm Realm --id id --body body

Parameters

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "excludeCredentials" : {
      "title" : "Limit registrations",
      "description" : "If enabled, each authenticator may only be registered against a user's profile once.",
      "propertyOrder" : 80,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "displayNameSharedState" : {
      "title" : "Shared state attribute for display name",
      "description" : "This field determines the value of the user's displayName, used when the user's username is stored in the device. If left blank, the display name will be set to the same as the user's username. If set to a value the corresponding shared state value will be used instead. If there is no value found in the shared state for the provided key, the display name will be set to the same as the user's username.",
      "propertyOrder" : 130,
      "type" : "string",
      "exampleValue" : ""
    },
    "relyingPartyDomain" : {
      "title" : "Relying party identifier",
      "description" : "The domain against which to register devices, if blank AM will make a best guess at the domain.",
      "propertyOrder" : 20,
      "type" : "string",
      "exampleValue" : ""
    },
    "relyingPartyName" : {
      "title" : "Relying party",
      "description" : "The name of the Relying Party to present, this could be the name of the organisation, realm, etc.",
      "propertyOrder" : 10,
      "type" : "string",
      "exampleValue" : ""
    },
    "userVerificationRequirement" : {
      "title" : "User verification requirement",
      "description" : "If specified as REQUIRED, authenticators that don't verify user identity are filtered out and should not be selectable by the user.",
      "propertyOrder" : 30,
      "type" : "string",
      "exampleValue" : ""
    },
    "origins" : {
      "title" : "Origin domains",
      "description" : "A set of fully-qualified URLs of accepted origins, e.g. http://app.example.com:443. If empty, the accepted origin is the incoming request origin.",
      "propertyOrder" : 25,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "generateRecoveryCodes" : {
      "title" : "Generate recovery codes",
      "description" : "If enabled, the success outcome's transient state will contain a set of recovery codes. If this success outcome is passed into a Recovery Code Display Node, these codes will be presented to the user. A user may use recovery codes to bypass the WebAuthn authentication node in the event they have lost their authenticator. A set of recovery codes is shared among all registered WebAuthn authenticators, with the latest-generated set being the only valid set of codes. This will not occur if the option to store the device data in the transient state is also selected.",
      "propertyOrder" : 90,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "authenticatorAttachment" : {
      "title" : "Authentication attachment",
      "description" : "If specified, the authenticators will be filtered out that don't match the attachment type. A PLATFORM authenticator is part of the device, and CROSS_PLATFORM authenticator can be removed from a device and used elsewhere, e.g. via USB.",
      "propertyOrder" : 60,
      "type" : "string",
      "exampleValue" : ""
    },
    "acceptedSigningAlgorithms" : {
      "title" : "Accepted signing algorithms",
      "description" : "",
      "propertyOrder" : 50,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "requiresResidentKey" : {
      "title" : "Username to device",
      "description" : "Requests that the username is stored by the device. Devices which do not support storing and providing the username will be unable to utilise the node while it is operating in this mode.",
      "propertyOrder" : 120,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "storeAttestationDataInTransientState" : {
      "title" : "Store data in transient state",
      "description" : "If enabled, the information provided by the device to the node will be stored in the transient state for later analysis by subsequent nodes using the key 'webauthnData'. Additionally the type of attestation achieved (BASIC, CA, SELF, etc.) will be stored using the key 'webauthnAttestationType'.",
      "propertyOrder" : 100,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "asScript" : {
      "title" : "Return challenge as JavaScript",
      "description" : "If enabled, the node will return its challenge as a fully encapsulated client-side JavaScript that will interact directly with the WebAuthn API and submit the response back. If disabled, the node will return the challenge and associated data in a metadata node, and the custom UI will use that to interact with the WebAuthn API itself.",
      "propertyOrder" : 140,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "enforceRevocationCheck" : {
      "title" : "Enforce revocation check",
      "description" : "Whether to enforce the checking of revocation entries from certificates. If this is set to true, then any attestation certificate's trust chain MUST have a CRL or OCSP entry that can be verified by AM during processing. If this is is set to false, then presented certificates will not be checked for revocation. Certificates downloaded from the FIDO Metadata Service may not have a CRL/OCSP entry.",
      "propertyOrder" : 68,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "postponeDeviceProfileStorage" : {
      "title" : "Store device data in transient state",
      "description" : "If enabled, the device will not be stored directly to the user profile upon successful completion of the node. Rather, the device information will be placed into the transient state for later storage by subsequent nodes using the key 'webauthnDeviceData'. The provided 'WebAuthn Device Storage Node' can be used for this purpose.",
      "propertyOrder" : 110,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "trustStoreAlias" : {
      "title" : "Trust Store alias",
      "description" : "The alias of the realm trust store which contains the secrets necessary for performing validation of a supplied attestation certificate. The alias name must only contain the characters a-z and the . symbol.",
      "propertyOrder" : 65,
      "type" : "string",
      "exampleValue" : ""
    },
    "attestationPreference" : {
      "title" : "Preferred mode of attestation",
      "description" : "",
      "propertyOrder" : 40,
      "type" : "string",
      "exampleValue" : ""
    },
    "timeout" : {
      "title" : "Timeout",
      "description" : "The number of seconds to wait for a valid WebAuthn authenticator to be registered before failing.",
      "propertyOrder" : 70,
      "type" : "integer",
      "exampleValue" : ""
    }
  },
  "required" : [ "timeout", "asScript", "enforceRevocationCheck", "requiresResidentKey", "storeAttestationDataInTransientState", "authenticatorAttachment", "postponeDeviceProfileStorage", "attestationPreference", "acceptedSigningAlgorithms", "origins", "userVerificationRequirement", "relyingPartyName", "excludeCredentials", "generateRecoveryCodes" ]
}

delete

Usage

am> delete WebAuthnRegistrationNode --realm Realm --id id

Parameters

--id

The unique identifier for the resource.

getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage

am> action WebAuthnRegistrationNode --realm Realm --actionName getAllTypes

getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage

am> action WebAuthnRegistrationNode --realm Realm --actionName getCreatableTypes

listOutcomes

List the available outcomes for the node type.

Usage

am> action WebAuthnRegistrationNode --realm Realm --body body --actionName listOutcomes

Parameters

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}

nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage

am> action WebAuthnRegistrationNode --realm Realm --actionName nextdescendents

query

Get the full list of instances of this collection. This query only supports _queryFilter=true filter.

Usage

am> query WebAuthnRegistrationNode --realm Realm --filter filter

Parameters

--filter

A CREST formatted query filter, where "true" will query all.

read

Usage

am> read WebAuthnRegistrationNode --realm Realm --id id

Parameters

--id

The unique identifier for the resource.

update

Usage

am> update WebAuthnRegistrationNode --realm Realm --id id --body body

Parameters

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "excludeCredentials" : {
      "title" : "Limit registrations",
      "description" : "If enabled, each authenticator may only be registered against a user's profile once.",
      "propertyOrder" : 80,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "displayNameSharedState" : {
      "title" : "Shared state attribute for display name",
      "description" : "This field determines the value of the user's displayName, used when the user's username is stored in the device. If left blank, the display name will be set to the same as the user's username. If set to a value the corresponding shared state value will be used instead. If there is no value found in the shared state for the provided key, the display name will be set to the same as the user's username.",
      "propertyOrder" : 130,
      "type" : "string",
      "exampleValue" : ""
    },
    "relyingPartyDomain" : {
      "title" : "Relying party identifier",
      "description" : "The domain against which to register devices, if blank AM will make a best guess at the domain.",
      "propertyOrder" : 20,
      "type" : "string",
      "exampleValue" : ""
    },
    "relyingPartyName" : {
      "title" : "Relying party",
      "description" : "The name of the Relying Party to present, this could be the name of the organisation, realm, etc.",
      "propertyOrder" : 10,
      "type" : "string",
      "exampleValue" : ""
    },
    "userVerificationRequirement" : {
      "title" : "User verification requirement",
      "description" : "If specified as REQUIRED, authenticators that don't verify user identity are filtered out and should not be selectable by the user.",
      "propertyOrder" : 30,
      "type" : "string",
      "exampleValue" : ""
    },
    "origins" : {
      "title" : "Origin domains",
      "description" : "A set of fully-qualified URLs of accepted origins, e.g. http://app.example.com:443. If empty, the accepted origin is the incoming request origin.",
      "propertyOrder" : 25,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "generateRecoveryCodes" : {
      "title" : "Generate recovery codes",
      "description" : "If enabled, the success outcome's transient state will contain a set of recovery codes. If this success outcome is passed into a Recovery Code Display Node, these codes will be presented to the user. A user may use recovery codes to bypass the WebAuthn authentication node in the event they have lost their authenticator. A set of recovery codes is shared among all registered WebAuthn authenticators, with the latest-generated set being the only valid set of codes. This will not occur if the option to store the device data in the transient state is also selected.",
      "propertyOrder" : 90,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "authenticatorAttachment" : {
      "title" : "Authentication attachment",
      "description" : "If specified, the authenticators will be filtered out that don't match the attachment type. A PLATFORM authenticator is part of the device, and CROSS_PLATFORM authenticator can be removed from a device and used elsewhere, e.g. via USB.",
      "propertyOrder" : 60,
      "type" : "string",
      "exampleValue" : ""
    },
    "acceptedSigningAlgorithms" : {
      "title" : "Accepted signing algorithms",
      "description" : "",
      "propertyOrder" : 50,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "requiresResidentKey" : {
      "title" : "Username to device",
      "description" : "Requests that the username is stored by the device. Devices which do not support storing and providing the username will be unable to utilise the node while it is operating in this mode.",
      "propertyOrder" : 120,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "storeAttestationDataInTransientState" : {
      "title" : "Store data in transient state",
      "description" : "If enabled, the information provided by the device to the node will be stored in the transient state for later analysis by subsequent nodes using the key 'webauthnData'. Additionally the type of attestation achieved (BASIC, CA, SELF, etc.) will be stored using the key 'webauthnAttestationType'.",
      "propertyOrder" : 100,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "asScript" : {
      "title" : "Return challenge as JavaScript",
      "description" : "If enabled, the node will return its challenge as a fully encapsulated client-side JavaScript that will interact directly with the WebAuthn API and submit the response back. If disabled, the node will return the challenge and associated data in a metadata node, and the custom UI will use that to interact with the WebAuthn API itself.",
      "propertyOrder" : 140,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "enforceRevocationCheck" : {
      "title" : "Enforce revocation check",
      "description" : "Whether to enforce the checking of revocation entries from certificates. If this is set to true, then any attestation certificate's trust chain MUST have a CRL or OCSP entry that can be verified by AM during processing. If this is is set to false, then presented certificates will not be checked for revocation. Certificates downloaded from the FIDO Metadata Service may not have a CRL/OCSP entry.",
      "propertyOrder" : 68,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "postponeDeviceProfileStorage" : {
      "title" : "Store device data in transient state",
      "description" : "If enabled, the device will not be stored directly to the user profile upon successful completion of the node. Rather, the device information will be placed into the transient state for later storage by subsequent nodes using the key 'webauthnDeviceData'. The provided 'WebAuthn Device Storage Node' can be used for this purpose.",
      "propertyOrder" : 110,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "trustStoreAlias" : {
      "title" : "Trust Store alias",
      "description" : "The alias of the realm trust store which contains the secrets necessary for performing validation of a supplied attestation certificate. The alias name must only contain the characters a-z and the . symbol.",
      "propertyOrder" : 65,
      "type" : "string",
      "exampleValue" : ""
    },
    "attestationPreference" : {
      "title" : "Preferred mode of attestation",
      "description" : "",
      "propertyOrder" : 40,
      "type" : "string",
      "exampleValue" : ""
    },
    "timeout" : {
      "title" : "Timeout",
      "description" : "The number of seconds to wait for a valid WebAuthn authenticator to be registered before failing.",
      "propertyOrder" : 70,
      "type" : "integer",
      "exampleValue" : ""
    }
  },
  "required" : [ "timeout", "asScript", "enforceRevocationCheck", "requiresResidentKey", "storeAttestationDataInTransientState", "authenticatorAttachment", "postponeDeviceProfileStorage", "attestationPreference", "acceptedSigningAlgorithms", "origins", "userVerificationRequirement", "relyingPartyName", "excludeCredentials", "generateRecoveryCodes" ]
}