WebAuthnRegistrationNode
Realm Operations
Resource path: /realm-config/authentication/authenticationtrees/nodes/WebAuthnRegistrationNode
Resource version: 1.0
create
Usage:
am> create WebAuthnRegistrationNode --realm Realm --id id --body body
Parameters:
--id
The unique identifier for the resource.
--body
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "postponeDeviceProfileStorage" : { "title" : "Store device data in transient state", "description" : "If enabled, the device will not be stored directly to the user profile upon successful completion of the node. Rather, the device information will be placed into the transient state for later storage by subsequent nodes using the key 'webauthnDeviceData'. The provided 'WebAuthn Device Storage Node' can be used for this purpose.", "propertyOrder" : 110, "type" : "boolean", "exampleValue" : "" }, "asScript" : { "title" : "Return challenge as JavaScript", "description" : "If enabled, the node will return its challenge as a fully encapsulated client-side JavaScript that will interact directly with the WebAuthn API and submit the response back. If disabled, the node will return the challenge and associated data in a metadata node, and the custom UI will use that to interact with the WebAuthn API itself.", "propertyOrder" : 140, "type" : "boolean", "exampleValue" : "" }, "enforceRevocationCheck" : { "title" : "Enforce revocation check", "description" : "Whether to enforce the checking of revocation entries from certificates. If this is set to true, then any attestation certificate's trust chain MUST have a CRL or OCSP entry that can be verified by AM during processing. If this is is set to false, then presented certificates will not be checked for revocation. Certificates downloaded from the FIDO Metadata Service may not have a CRL/OCSP entry.", "propertyOrder" : 68, "type" : "boolean", "exampleValue" : "" }, "requiresResidentKey" : { "title" : "Username to device", "description" : "Requests that the username is stored by the device. Devices which do not support storing and providing the username will be unable to utilise the node while it is operating in this mode.", "propertyOrder" : 120, "type" : "boolean", "exampleValue" : "" }, "displayNameSharedState" : { "title" : "Shared state attribute for display name", "description" : "This field determines the value of the user's displayName, used when the user's username is stored in the device. If left blank, the display name will be set to the same as the user's username. If set to a value the corresponding shared state value will be used instead. If there is no value found in the shared state for the provided key, the display name will be set to the same as the user's username.", "propertyOrder" : 130, "type" : "string", "exampleValue" : "" }, "userVerificationRequirement" : { "title" : "User verification requirement", "description" : "If specified as REQUIRED, authenticators that don't verify user identity are filtered out and should not be selectable by the user.", "propertyOrder" : 30, "type" : "string", "exampleValue" : "" }, "storeAttestationDataInTransientState" : { "title" : "Store data in transient state", "description" : "If enabled, the information provided by the device to the node will be stored in the transient state for later analysis by subsequent nodes using the key 'webauthnData'. Additionally the type of attestation achieved (BASIC, CA, SELF, etc.) will be stored using the key 'webauthnAttestationType'.", "propertyOrder" : 100, "type" : "boolean", "exampleValue" : "" }, "origins" : { "title" : "Origin domains", "description" : "A set of fully-qualified URLs of accepted origins, e.g. http://app.example.com:443. If empty, the accepted origin is the incoming request origin.", "propertyOrder" : 25, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "trustStoreAlias" : { "title" : "Trust Store alias", "description" : "The alias of the realm trust store which contains the secrets necessary for performing validation of a supplied attestation certificate. The alias name must only contain the characters a-z and the . symbol.", "propertyOrder" : 65, "type" : "string", "exampleValue" : "" }, "generateRecoveryCodes" : { "title" : "Generate recovery codes", "description" : "If enabled, the success outcome's transient state will contain a set of recovery codes. If this success outcome is passed into a Recovery Code Display Node, these codes will be presented to the user. A user may use recovery codes to bypass the WebAuthn authentication node in the event they have lost their authenticator. A set of recovery codes is shared among all registered WebAuthn authenticators, with the latest-generated set being the only valid set of codes. This will not occur if the option to store the device data in the transient state is also selected.", "propertyOrder" : 90, "type" : "boolean", "exampleValue" : "" }, "timeout" : { "title" : "Timeout", "description" : "The number of seconds to wait for a valid WebAuthn authenticator to be registered before failing.", "propertyOrder" : 70, "type" : "integer", "exampleValue" : "" }, "excludeCredentials" : { "title" : "Limit registrations", "description" : "If enabled, each authenticator may only be registered against a user's profile once.", "propertyOrder" : 80, "type" : "boolean", "exampleValue" : "" }, "acceptedSigningAlgorithms" : { "title" : "Accepted signing algorithms", "description" : "", "propertyOrder" : 50, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "relyingPartyDomain" : { "title" : "Relying party identifier", "description" : "The domain against which to register devices, if blank AM will make a best guess at the domain.", "propertyOrder" : 20, "type" : "string", "exampleValue" : "" }, "attestationPreference" : { "title" : "Preferred mode of attestation", "description" : "", "propertyOrder" : 40, "type" : "string", "exampleValue" : "" }, "relyingPartyName" : { "title" : "Relying party", "description" : "The name of the Relying Party to present, this could be the name of the organisation, realm, etc.", "propertyOrder" : 10, "type" : "string", "exampleValue" : "" }, "authenticatorAttachment" : { "title" : "Authentication attachment", "description" : "If specified, the authenticators will be filtered out that don't match the attachment type. A PLATFORM authenticator is part of the device, and CROSS_PLATFORM authenticator can be removed from a device and used elsewhere, e.g. via USB.", "propertyOrder" : 60, "type" : "string", "exampleValue" : "" } }, "required" : [ "generateRecoveryCodes", "asScript", "acceptedSigningAlgorithms", "postponeDeviceProfileStorage", "userVerificationRequirement", "attestationPreference", "authenticatorAttachment", "requiresResidentKey", "excludeCredentials", "origins", "storeAttestationDataInTransientState", "timeout", "relyingPartyName", "enforceRevocationCheck" ] }
delete
Usage:
am> delete WebAuthnRegistrationNode --realm Realm --id id
Parameters:
--id
The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage:
am> action WebAuthnRegistrationNode --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage:
am> action WebAuthnRegistrationNode --realm Realm --actionName getCreatableTypes
listOutcomes
List the available outcomes for the node type.
Usage:
am> action WebAuthnRegistrationNode --realm Realm --body body --actionName listOutcomes
Parameters:
--body
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "title" : "Some configuration of the node. This does not need to be complete against the configuration schema." }
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage:
am> action WebAuthnRegistrationNode --realm Realm --actionName nextdescendents
query
Get the full list of instances of this collection. This query only supports `_queryFilter=true` filter.
Usage:
am> query WebAuthnRegistrationNode --realm Realm --filter filter
Parameters:
--filter
A CREST formatted query filter, where "true" will query all.
read
Usage:
am> read WebAuthnRegistrationNode --realm Realm --id id
Parameters:
--id
The unique identifier for the resource.
update
Usage:
am> update WebAuthnRegistrationNode --realm Realm --id id --body body
Parameters:
--id
The unique identifier for the resource.
--body
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "postponeDeviceProfileStorage" : { "title" : "Store device data in transient state", "description" : "If enabled, the device will not be stored directly to the user profile upon successful completion of the node. Rather, the device information will be placed into the transient state for later storage by subsequent nodes using the key 'webauthnDeviceData'. The provided 'WebAuthn Device Storage Node' can be used for this purpose.", "propertyOrder" : 110, "type" : "boolean", "exampleValue" : "" }, "asScript" : { "title" : "Return challenge as JavaScript", "description" : "If enabled, the node will return its challenge as a fully encapsulated client-side JavaScript that will interact directly with the WebAuthn API and submit the response back. If disabled, the node will return the challenge and associated data in a metadata node, and the custom UI will use that to interact with the WebAuthn API itself.", "propertyOrder" : 140, "type" : "boolean", "exampleValue" : "" }, "enforceRevocationCheck" : { "title" : "Enforce revocation check", "description" : "Whether to enforce the checking of revocation entries from certificates. If this is set to true, then any attestation certificate's trust chain MUST have a CRL or OCSP entry that can be verified by AM during processing. If this is is set to false, then presented certificates will not be checked for revocation. Certificates downloaded from the FIDO Metadata Service may not have a CRL/OCSP entry.", "propertyOrder" : 68, "type" : "boolean", "exampleValue" : "" }, "requiresResidentKey" : { "title" : "Username to device", "description" : "Requests that the username is stored by the device. Devices which do not support storing and providing the username will be unable to utilise the node while it is operating in this mode.", "propertyOrder" : 120, "type" : "boolean", "exampleValue" : "" }, "displayNameSharedState" : { "title" : "Shared state attribute for display name", "description" : "This field determines the value of the user's displayName, used when the user's username is stored in the device. If left blank, the display name will be set to the same as the user's username. If set to a value the corresponding shared state value will be used instead. If there is no value found in the shared state for the provided key, the display name will be set to the same as the user's username.", "propertyOrder" : 130, "type" : "string", "exampleValue" : "" }, "userVerificationRequirement" : { "title" : "User verification requirement", "description" : "If specified as REQUIRED, authenticators that don't verify user identity are filtered out and should not be selectable by the user.", "propertyOrder" : 30, "type" : "string", "exampleValue" : "" }, "storeAttestationDataInTransientState" : { "title" : "Store data in transient state", "description" : "If enabled, the information provided by the device to the node will be stored in the transient state for later analysis by subsequent nodes using the key 'webauthnData'. Additionally the type of attestation achieved (BASIC, CA, SELF, etc.) will be stored using the key 'webauthnAttestationType'.", "propertyOrder" : 100, "type" : "boolean", "exampleValue" : "" }, "origins" : { "title" : "Origin domains", "description" : "A set of fully-qualified URLs of accepted origins, e.g. http://app.example.com:443. If empty, the accepted origin is the incoming request origin.", "propertyOrder" : 25, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "trustStoreAlias" : { "title" : "Trust Store alias", "description" : "The alias of the realm trust store which contains the secrets necessary for performing validation of a supplied attestation certificate. The alias name must only contain the characters a-z and the . symbol.", "propertyOrder" : 65, "type" : "string", "exampleValue" : "" }, "generateRecoveryCodes" : { "title" : "Generate recovery codes", "description" : "If enabled, the success outcome's transient state will contain a set of recovery codes. If this success outcome is passed into a Recovery Code Display Node, these codes will be presented to the user. A user may use recovery codes to bypass the WebAuthn authentication node in the event they have lost their authenticator. A set of recovery codes is shared among all registered WebAuthn authenticators, with the latest-generated set being the only valid set of codes. This will not occur if the option to store the device data in the transient state is also selected.", "propertyOrder" : 90, "type" : "boolean", "exampleValue" : "" }, "timeout" : { "title" : "Timeout", "description" : "The number of seconds to wait for a valid WebAuthn authenticator to be registered before failing.", "propertyOrder" : 70, "type" : "integer", "exampleValue" : "" }, "excludeCredentials" : { "title" : "Limit registrations", "description" : "If enabled, each authenticator may only be registered against a user's profile once.", "propertyOrder" : 80, "type" : "boolean", "exampleValue" : "" }, "acceptedSigningAlgorithms" : { "title" : "Accepted signing algorithms", "description" : "", "propertyOrder" : 50, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "relyingPartyDomain" : { "title" : "Relying party identifier", "description" : "The domain against which to register devices, if blank AM will make a best guess at the domain.", "propertyOrder" : 20, "type" : "string", "exampleValue" : "" }, "attestationPreference" : { "title" : "Preferred mode of attestation", "description" : "", "propertyOrder" : 40, "type" : "string", "exampleValue" : "" }, "relyingPartyName" : { "title" : "Relying party", "description" : "The name of the Relying Party to present, this could be the name of the organisation, realm, etc.", "propertyOrder" : 10, "type" : "string", "exampleValue" : "" }, "authenticatorAttachment" : { "title" : "Authentication attachment", "description" : "If specified, the authenticators will be filtered out that don't match the attachment type. A PLATFORM authenticator is part of the device, and CROSS_PLATFORM authenticator can be removed from a device and used elsewhere, e.g. via USB.", "propertyOrder" : 60, "type" : "string", "exampleValue" : "" } }, "required" : [ "generateRecoveryCodes", "asScript", "acceptedSigningAlgorithms", "postponeDeviceProfileStorage", "userVerificationRequirement", "attestationPreference", "authenticatorAttachment", "requiresResidentKey", "excludeCredentials", "origins", "storeAttestationDataInTransientState", "timeout", "relyingPartyName", "enforceRevocationCheck" ] }