webauthn_rp package¶

Submodules¶

webauthn_rp.attesters module¶

webauthn_rp.attesters.attest(att_stmt: webauthn_rp.types.AttestationStatement, att_obj: webauthn_rp.types.AttestationObject, auth_data: bytes, client_data_hash: bytes) → Tuple[webauthn_rp.types.AttestationType, Optional[Sequence[cryptography.x509.base.Certificate]]]¶

webauthn_rp.attesters.attest(att_stmt: webauthn_rp.types.FIDOU2FAttestationStatement, att_obj: webauthn_rp.types.AttestationObject, auth_data: bytes, client_data_hash: bytes) → Tuple[webauthn_rp.types.AttestationType, Optional[Sequence[cryptography.x509.base.Certificate]]]

webauthn_rp.attesters.attest(att_stmt: webauthn_rp.types.AndroidKeyAttestationStatement, att_obj: webauthn_rp.types.AttestationObject, auth_data: bytes, client_data_hash: bytes) → Tuple[webauthn_rp.types.AttestationType, Optional[Sequence[cryptography.x509.base.Certificate]]]

webauthn_rp.attesters.attest(att_stmt: webauthn_rp.types.NoneAttestationStatement, att_obj: webauthn_rp.types.AttestationObject, auth_data: bytes, client_data_hash: bytes) → Tuple[webauthn_rp.types.AttestationType, Optional[Sequence[cryptography.x509.base.Certificate]]]

Attest an attestation object.

Parameters

att_stmt (AttestationStatement) – The attestation statment.
att_obj (AttestationObject) – The attestation object.
auth_data (bytes) – The raw authenticator data.
client_data_hash (bytes) – The client data hash.

Returns

The attestation type and trusted path.

References

https://www.w3.org/TR/webauthn/#defined-attestation-formats

webauthn_rp.attesters.attest_android_key(att_stmt: webauthn_rp.types.AndroidKeyAttestationStatement, att_obj: webauthn_rp.types.AttestationObject, auth_data: bytes, client_data_hash: bytes) → Tuple[webauthn_rp.types.AttestationType, Optional[Sequence[cryptography.x509.base.Certificate]]]¶

Attest an android key.

Parameters

att_stmt (AndroidKeyAttestationStatement) – The attestation statment.
att_obj (AttestationObject) – The attestation object.
auth_data (bytes) – The raw authenticator data.
client_data_hash (bytes) – The client data hash.

Returns

The attestation type and trusted path.

References

webauthn_rp.attesters.attest_fido_u2f(att_stmt: webauthn_rp.types.FIDOU2FAttestationStatement, att_obj: webauthn_rp.types.AttestationObject, auth_data: bytes, client_data_hash: bytes) → Tuple[webauthn_rp.types.AttestationType, Optional[Sequence[cryptography.x509.base.Certificate]]]¶

Attest a FIDO U2F key.

Parameters

att_stmt (FIDOU2FAttestationStatement) – The attestation statment.
att_obj (AttestationObject) – The attestation object.
auth_data (bytes) – The raw authenticator data.
client_data_hash (bytes) – The client data hash.

Returns

The attestation type and trusted path.

References

https://www.w3.org/TR/webauthn/#fido-u2f-attestation

webauthn_rp.attesters.attest_none(att_stmt: webauthn_rp.types.NoneAttestationStatement, att_obj: webauthn_rp.types.AttestationObject, auth_data: bytes, client_data_hash: bytes) → Tuple[webauthn_rp.types.AttestationType, Optional[Sequence[cryptography.x509.base.Certificate]]]¶

Don’t perform any attestation.

Parameters

att_stmt (NoneAttestationStatement) – The attestation statment.
att_obj (AttestationObject) – The attestation object.
auth_data (bytes) – The raw authenticator data.
client_data_hash (bytes) – The client data hash.

Returns

The attestation type and trusted path.

References

https://www.w3.org/TR/webauthn/#none-attestation

webauthn_rp.backends module¶

class webauthn_rp.backends.CredentialsBackend(registrar: webauthn_rp.registrars.CredentialsRegistrar)¶

Bases: object

A backend to manage the registration and authentication of credentials.

The process of registering a credential involves:

Creating a CredentialCreationOptions object (possibly using a

builder).

Converting the options to JSON using the jsonify converter.
Sending the JSON options to the user’s client.
Getting a JSON PublicKeyCredential from the user’s client.
Parsing the JSON PublicKeyCredential using

parse_public_key_credential.

Finally, calling CredentialsBackend.handle_credential_attestation.

The process of authenticating a credential is similarly:

Creating a CredentialRequestOptions object (possibly using a builder).
Converting the options to JSON using the jsonify converter.
Sending the JSON options to the user’s client.
Getting a JSON PublicKeyCredential from the user’s client.
Parsing the JSON PublicKeyCredential using

parse_public_key_credential.

Finally, calling CredentialsBackend.handle_credential_assertion.

registrar¶

The RP credentials registrar.

Type: CredentialsRegistrar

Initialize the credentials backend with a registrar.

Parameters: registrar (CredentialsRegistrar) – The RP credentials registrar.

handle_credential_assertion(*, credential: webauthn_rp.types.PublicKeyCredential, expected_challenge: bytes, expected_origin: Union[str, Collection[str]], rp: Optional[webauthn_rp.types.PublicKeyCredentialRpEntity] = None, user: Optional[webauthn_rp.types.PublicKeyCredentialUserEntity] = None, allow_credentials: Optional[Sequence[webauthn_rp.types.PublicKeyCredentialDescriptor]] = None, token_binding: Optional[webauthn_rp.types.TokenBinding] = None, require_user_verification: bool = False, expected_extensions: Optional[Set[webauthn_rp.types.ExtensionIdentifier]] = None, ignore_clone_error: bool = False) → None¶

Handle authentication using a user’s credential.

Parameters

credential (PublicKeyCredential) – The public key credential generated by the user’s client containing an authenticator assertion response.
expected_challenge (bytes) – The initial challenge sent to the user’s client.
expected_origin (Union[str, Collection[str]]) – The exact origin to use for the RP or a collection of allowed origins.
rp (PublicKeyCredentialRpEntity) – The optional RP to enforce when authenticating the user (if not supplied an RP must be part of the credential data returned for the user by the credentials registrar).
user (PublicKeyCredentialUserEntity) – The optional user to be authenticated (if not supplied a user handle must exist in the authenticator assertion response).
allow_credentials (Optional[Sequence[PublicKeyCredentialDescriptor]]) – An optional specification of the credentials that the user authenticating is allowed to use.
token_binding (Optional[TokenBinding]) – The optional token binding to check for.
require_user_verification (bool) – Whether to require user verification.
expected_extensions (Optional[Set[ExtensionIdentifier]]) – The set of extensions that are required to be present.
ignore_clone_error (bool) – Whether or not to ignore a signature count error that indicates a possible authenticator clone.

Raises

ClientDataTypeError – The type of the client data is invalid.
ChallengeError – The user’s challenge and the expected challenge don’t match.
DecodingError – There is an error in decoding some data.
ParserError – There is an error in parsing some data.
OriginError – There is an issue with a provided web origin.
TokenBindingError – There is a mismatch in the provided and the user’s token binding.
RPIDError – The provided and the user’s RP IDs don’t match.
UserPresenceError – The user was not present during authentication.
UserVerificationError – The user did not perform verification but the require_user_verification parameter is True.
ExtensionError – An expected extension is missing.
RegistrationError – There is an issue registering the user with the credentials registrar.
CredentialDataError – The CredentialData for the given user could not be retrieved by the registrar.
CredentialNotAllowedError – A set of allowed credentials is provided and the user’s credential is not in that set.
UserIDError – There is a mismatch in the provided user’s ID and the user ID belonging to the user that the credentials registrar has associated with the credential.
UserHandleError – There is a mismatch in the user handle present in the authenticator assertion response and the user ID belonging to the user that the credentials registrar has associated with the credential.
RPNotFoundError – An RP was not provided and could not be retrieved from the credentials registrar.
SignatureCountError – The signature count of the credential indicates that the authenticator could potentially have been cloned.
InternalError – An unexpected internal error occurred.

handle_credential_attestation(*, credential: webauthn_rp.types.PublicKeyCredential, user: webauthn_rp.types.PublicKeyCredentialUserEntity, rp: webauthn_rp.types.PublicKeyCredentialRpEntity, expected_challenge: bytes, expected_origin: Union[str, Collection[str]], token_binding: Optional[webauthn_rp.types.TokenBinding] = None, require_user_verification: bool = False, expected_extensions: Optional[Set[webauthn_rp.types.ExtensionIdentifier]] = None) → None¶

Handle the attestation of a user’s credential.

Parameters

credential (PublicKeyCredential) – The public key credential generated by the user’s client containing an authenticator attestation response.
user (PublicKeyCredentialUserEntity) – The user to be registered.
rp (PublicKeyCredentialRpEntity) – The RP to use to register the user.
expected_challenge (bytes) – The initial challenge sent to the user’s client.
expected_origin (Union[str, Collection[str]]) – The exact origin to use for the RP or a collection of allowed origins.
token_binding (Optional[TokenBinding]) – The optional token binding to check for.
require_user_verification (bool) – Whether to require user verification.
expected_extensions (Optional[Set[ExtensionIdentifier]]) – The set of extensions that are required to be present.

Raises

ClientDataTypeError – The type of the client data is invalid.
ChallengeError – The user’s challenge and the expected challenge don’t match.
DecodingError – There is an error in decoding some data.
ParserError – There is an error in parsing some data.
OriginError – There is an issue with a provided web origin.
TokenBindingError – There is a mismatch in the provided and the user’s token binding.
RPIDError – The provided and the user’s RP IDs don’t match.
UserPresenceError – The user was not present during authentication.
UserVerificationError – The user did not perform verification but the require_user_verification parameter is True.
ExtensionError – An expected extension is missing.
RegistrationError – There is an issue registering the user with the credentials registrar.
InternalError – An unexpected internal error occurred.

webauthn_rp.builders module¶

class webauthn_rp.builders.CredentialCreationOptionsBuilder(*, rp: Optional[webauthn_rp.types.PublicKeyCredentialRpEntity] = None, pub_key_cred_params: Optional[Sequence[webauthn_rp.types.PublicKeyCredentialParameters]] = None, timeout: Optional[int] = None, authenticator_selection: Optional[webauthn_rp.types.AuthenticatorSelectionCriteria] = None, extensions: Optional[webauthn_rp.types.AuthenticationExtensionsClientInputs] = None, attestation: Optional[webauthn_rp.types.AttestationConveyancePreference] = <AttestationConveyancePreference.NONE: 'none'>, exclude_credentials: Optional[Sequence[webauthn_rp.types.PublicKeyCredentialDescriptor]] = None)¶

Bases: object

A CredentialCreationOptions builder.

Using a builder can allow for saving shared build parameters and simplify the construction of option data types which can have a number of nested attributes.

After initializing the builder, each time an attribute is updated using one of the provided setter functions, a new copy of the builder is returned and the original is left unmodified.

In the following example, builder, and builder_n would be different:

>>> builder = CredentialCreationOptionsBuilder()
>>> builder_n = builder.rp(...).attestation(...)

Initialize the builder’s attributes.

Parameters

rp (Optional[PublicKeyCredentialRpEntity]) – The Relying Party being used.
(Optional[Sequence[ (exclude_credentials) – PublicKeyCredentialParameters]]): The public key credential parameters used to create the credential.
timeout (Optional[int]) – The timeout to create the credential.
authenticator_selection (Optional[AuthenticatorSelectionCriteria]) – The specific criteria to enforce on the created authenticator.
extensions (Optional[AuthenticationExtensionsClientInputs]) – Any extension inputs to provide to the authenticator.
attestation (Optional[AttestationConveyancePreference]) – The preference to enforce on allowed authenticator attestations.
(Optional[Sequence[ – PublicKeyCredentialDescriptor]]): An optional list of credentials to exclude from use.

attestation(attestation: webauthn_rp.types.AttestationConveyancePreference) → webauthn_rp.builders.CredentialCreationOptionsBuilder ¶

Set the attestation conveyance preference.

Parameters: attestation (Optional[AttestationConveyancePreference]) – The preference to enforce on allowed authenticator attestations.
Returns: A new CredentialCreationOptionsBuilder copy.

authenticator_selection(authenticator_selection: Optional[webauthn_rp.types.AuthenticatorSelectionCriteria]) → webauthn_rp.builders.CredentialCreationOptionsBuilder ¶

Set the authenticator selection.

authenticator_selection (Optional[AuthenticatorSelectionCriteria]):: The specific criteria to enforce on the created authenticator.

Returns: A new CredentialCreationOptionsBuilder copy.

build(*, user: webauthn_rp.types.PublicKeyCredentialUserEntity, challenge: bytes) → webauthn_rp.types.CredentialCreationOptions ¶

Build a CredentialCreationOptions instance.

Parameters

user (PublicKeyCredentialUserEntity) – The user whose credential is being requested.
challenge (bytes) – The challenge to provide to the user’s credential.

Returns

An instance of CredentialCreationOptions.

Raises

BuilderError – If a required attribute has not been set yet.

exclude_credentials(exclude_credentials: Optional[Sequence[webauthn_rp.types.PublicKeyCredentialDescriptor]]) → webauthn_rp.builders.CredentialCreationOptionsBuilder ¶

Set the public key credentials to exclude from use.

Parameters: (Optional[Sequence[ (exclude_credentials) – PublicKeyCredentialDescriptor]]): An optional list of credentials to exclude from use.
Returns: A new CredentialCreationOptionsBuilder copy.

extensions(extensions: Optional[webauthn_rp.types.AuthenticationExtensionsClientInputs]) → webauthn_rp.builders.CredentialCreationOptionsBuilder ¶

Set the authenticator extensions’ client inputs.

Parameters: extensions (Optional[AuthenticationExtensionsClientInputs]) – Any extension inputs to provide to the authenticator.
Returns: A new CredentialCreationOptionsBuilder copy.

pub_key_cred_params(pub_key_cred_params: Sequence[webauthn_rp.types.PublicKeyCredentialParameters]) → webauthn_rp.builders.CredentialCreationOptionsBuilder ¶

Set the public key credential parameters.

Parameters: pub_key_cred_params (Sequence[PublicKeyCredentialParameters]]) – The public key credential parameters used to create the credential.
Returns: A new CredentialCreationOptionsBuilder copy.

rp(rp: webauthn_rp.types.PublicKeyCredentialRpEntity) → webauthn_rp.builders.CredentialCreationOptionsBuilder ¶

Set the Relying Party (RP).

Parameters: rp (PublicKeyCredentialRpEntity) – The Relying Party being used.
Returns: A new CredentialCreationOptionsBuilder copy.

timeout(timeout: Optional[int]) → webauthn_rp.builders.CredentialCreationOptionsBuilder ¶

Set the timeout.

Parameters: timeout (Optional[int]) – The timeout to create the credential.
Returns: A new CredentialCreationOptionsBuilder copy.

class webauthn_rp.builders.CredentialRequestOptionsBuilder(*, mediation: webauthn_rp.types.CredentialMediationRequirement = <CredentialMediationRequirement.OPTIONAL: 'optional'>, timeout: Optional[int] = None, rp_id: Optional[str] = None, extensions: Optional[webauthn_rp.types.AuthenticationExtensionsClientInputs] = None, user_verification: Optional[webauthn_rp.types.UserVerificationRequirement] = <UserVerificationRequirement.PREFERRED: 'preferred'>)¶

Bases: object

A CredentialRequestOptions builder.

Using a builder can allow for saving shared build parameters and simplify the construction of option data types which can have a number of nested attributes.

After initializing the builder, each time an attribute is updated using one of the provided setter functions, a new copy of the builder is returned and the original is left unmodified.

In the following example, builder, and builder_n would be different:

>>> builder = CredentialRequestOptionsBuilder()
>>> builder_n = builder.mediation(...).rp_id(...)

Initialize the builder’s attributes.

Parameters

mediation (CredentialMediationRequirement) – The kind of mediation that should be enforced between the user agent and the user’s authenticator.
timeout (Optional[int]) – The timeout to request the credential.
rp_id (Optional[str]) – The Relying Party ID to use.
extensions (Optional[AuthenticationExtensionsClientInputs]) – Any extension inputs to provide to the authenticator.
user_verification (Optional[UserVerificationRequirement]) – An optional specification of whether or not a user’s verification is required.

build(*, challenge: bytes, allow_credentials: Optional[Sequence[webauthn_rp.types.PublicKeyCredentialDescriptor]] = None) → webauthn_rp.types.CredentialRequestOptions ¶

Build a CredentialRequestOptions instance.

Parameters

challenge (bytes) – The challenge to provide to the user’s credential.
(Optional[ (allow_credentials) – Sequence[PublicKeyCredentialDescriptor]]): A optional list of allowed credentials ordered from most preferred to least preferred.

Returns

An instance of CredentialRequestOptions.

Raises

BuilderError – If a required attribute has not been set yet.

extensions(extensions: Optional[webauthn_rp.types.AuthenticationExtensionsClientInputs]) → webauthn_rp.builders.CredentialRequestOptionsBuilder ¶

Set the authenticator extensions’ client inputs.

Parameters: extensions (Optional[AuthenticationExtensionsClientInputs]) – Any extension inputs to provide to the authenticator.
Returns: A new CredentialRequestOptionsBuilder copy.

mediation(mediation: webauthn_rp.types.CredentialMediationRequirement) → webauthn_rp.builders.CredentialRequestOptionsBuilder ¶

Set credential mediation requirement.

Parameters: mediation (CredentialMediationRequirement) – The kind of mediation that should be enforced between the user agent and the user’s authenticator.
Returns: A new CredentialRequestOptionsBuilder copy.

rp_id(rp_id: Optional[str]) → webauthn_rp.builders.CredentialRequestOptionsBuilder ¶

Set the Relying Party ID.

Parameters: rp_id (Optional[str]) – The Relying Party ID to use.
Returns: A new CredentialRequestOptionsBuilder copy.

timeout(timeout: Optional[int]) → webauthn_rp.builders.CredentialRequestOptionsBuilder ¶

Set the timeout.

Parameters: mediation (PublicKeyCredentialRpEntity) – The Relying Party being used.
Returns: A new CredentialRequestOptionsBuilder copy.

user_verification(user_verification: Optional[webauthn_rp.types.UserVerificationRequirement]) → webauthn_rp.builders.CredentialRequestOptionsBuilder ¶

Set the user verification requirement.

Parameters: user_verification (Optional[UserVerificationRequirement]) – An optional specification of whether or not a user’s verification is required.
Returns: A new CredentialRequestOptionsBuilder copy.

webauthn_rp.converters module¶

webauthn_rp.converters.cose_ec2_public_key(credential_public_key: webauthn_rp.types.EC2CredentialPublicKey) → bytes¶

Convert an EC2CredentialPublicKey into a COSE key.

Parameters: credential_public_key (EC2CredentialPublicKey) – The key to convert.
Returns: The COSE-encoded key bytes.

webauthn_rp.converters.cose_key(credential_public_key: webauthn_rp.types.CredentialPublicKey) → bytes¶

webauthn_rp.converters.cose_key(credential_public_key: webauthn_rp.types.EC2CredentialPublicKey) → bytes

webauthn_rp.converters.cose_key(credential_public_key: webauthn_rp.types.OKPCredentialPublicKey) → bytes

Convert a CredentialPublicKey into a COSE key.

Parameters: credential_public_key (CredentialPublicKey) – The key to convert.
Returns: The COSE-encoded key bytes.

webauthn_rp.converters.cose_okp_public_key(credential_public_key: webauthn_rp.types.OKPCredentialPublicKey) → bytes¶

Convert an OKPCredentialPublicKey into a COSE key.

Parameters: credential_public_key (OKPCredentialPublicKey) – The key to convert.
Returns: The COSE-encoded key bytes.

webauthn_rp.converters.cryptography_ec2_public_key(credential_public_key: webauthn_rp.types.EC2CredentialPublicKey) → cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey¶

Convert an EC2CredentialPublicKey into a cryptography EC2PublicKey.

Parameters

credential_public_key (EC2CredentialPublicKey) – The key to convert.

Returns

A cryptography EC2PublicKey.

Raises

UnimplementedError – If the conversion logic for the given type of CredentialPublicKey has not been implemented.
PublicKeyConversionError – If the provided key could not be converted into a valid cryptography EC2PublicKey.

webauthn_rp.converters.cryptography_okp_public_key(credential_public_key: webauthn_rp.types.OKPCredentialPublicKey) → Union[cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey, cryptography.hazmat.primitives.asymmetric.ed448.Ed448PublicKey]¶

Convert an OKPCredentialPublicKey into a cryptography OKPPublicKey.

Parameters

credential_public_key (EC2CredentialPublicKey) – The key to convert.

Returns

A cryptography EC2PublicKey.

Raises

UnimplementedError – If the conversion logic for the given type of CredentialPublicKey has not been implemented.
PublicKeyConversionError – If the provided key could not be converted into a valid cryptography EC2PublicKey.

webauthn_rp.converters.cryptography_public_key(credential_public_key: webauthn_rp.types.CredentialPublicKey) → Union[cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey, cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey, cryptography.hazmat.primitives.asymmetric.ed448.Ed448PublicKey]¶

webauthn_rp.converters.cryptography_public_key(credential_public_key: webauthn_rp.types.EC2CredentialPublicKey) → cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey

webauthn_rp.converters.cryptography_public_key(credential_public_key: webauthn_rp.types.OKPCredentialPublicKey) → Union[cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey, cryptography.hazmat.primitives.asymmetric.ed448.Ed448PublicKey]

Convert a CredentialPublicKey into a cryptography PublicKey.

Parameters: credential_public_key (CredentialPublicKey) – The key to convert.
Returns: A cryptography PublicKey.
Raises: UnimplementedError – If the conversion logic for the given type of CredentialPublicKey has not been implemented.

webauthn_rp.converters.jsonify(data: Any, convert_case: bool = True) → Optional[Union[dict, list, bool, int, float, str]]¶

Convert a Python object into a JSON value.

Parameters

data (Any) – The object to convert.
convert_case (bool) – Whether to convert the attribute names of the object into camel case from snake case.

Returns

A JSONValue.

Raises

JSONConversionError – If the provided data cannot be converted into valid JSON.
UnimplementedError – If the conversion logic for the given data type has not been implemented.

webauthn_rp.errors module¶

exception webauthn_rp.errors.AttestationError¶

Bases: webauthn_rp.errors.WebAuthnRPError

Raised for an invalid attestation statement.

exception webauthn_rp.errors.BackendError¶

Bases: webauthn_rp.errors.WebAuthnRPError

Raised for an error in a backend.

exception webauthn_rp.errors.BuilderError¶

Bases: webauthn_rp.errors.WebAuthnRPError

Raised for a builder error.

exception webauthn_rp.errors.ChallengeError¶

Bases: webauthn_rp.errors.BackendError

Raised for an invalid challenge.

exception webauthn_rp.errors.ClientDataTypeError¶

Bases: webauthn_rp.errors.BackendError

Raised for an invalid client data type.

exception webauthn_rp.errors.ConverterError¶

Bases: webauthn_rp.errors.WebAuthnRPError

Raised for an error during data type conversion.

exception webauthn_rp.errors.CredentialDataError¶

Bases: webauthn_rp.errors.BackendError

Raised for an unretrievable CredentialData.

exception webauthn_rp.errors.CredentialNotAllowedError¶

Bases: webauthn_rp.errors.BackendError

Raised for the use of disallowed credential.

exception webauthn_rp.errors.DecodingError¶

Bases: webauthn_rp.errors.ParserError

Raised for an error decoding raw data.

exception webauthn_rp.errors.ExtensionError¶

Bases: webauthn_rp.errors.BackendError

Raised for a missing extension.

exception webauthn_rp.errors.InternalError¶

Bases: webauthn_rp.errors.WebAuthnRPError

Raised for an unexpected internal error.

exception webauthn_rp.errors.JSONConversionError¶

Bases: webauthn_rp.errors.ConverterError

Raised for an error converting data into JSON.

exception webauthn_rp.errors.OriginError¶

Bases: webauthn_rp.errors.WebAuthnRPError

Raised for an invalid web origin.

exception webauthn_rp.errors.ParserError¶

Bases: webauthn_rp.errors.WebAuthnRPError

Raised for an error parsing raw data.

exception webauthn_rp.errors.PublicKeyConversionError¶

Bases: webauthn_rp.errors.ConverterError

Raised for an error converting a CredentialPublicKey.

exception webauthn_rp.errors.RPIDError¶

Bases: webauthn_rp.errors.BackendError

Raised for an invalid Relying Party ID.

exception webauthn_rp.errors.RPIDHashError¶

Bases: webauthn_rp.errors.BackendError

Raised for a mismatching Relying Party ID hash.

exception webauthn_rp.errors.RPNotFoundError¶

Bases: webauthn_rp.errors.BackendError

Raised for a missing Relying Party configuration.

exception webauthn_rp.errors.RegistrationError¶

Bases: webauthn_rp.errors.BackendError

Raised for an error during registration.

exception webauthn_rp.errors.SignatureCountError¶

Bases: webauthn_rp.errors.BackendError

Raised for an invalid signature count.

exception webauthn_rp.errors.TokenBindingError¶

Bases: webauthn_rp.errors.BackendError

Raised for an error in token binding.

exception webauthn_rp.errors.UnimplementedError¶

Bases: webauthn_rp.errors.WebAuthnRPError

Raised for an attempt to use an unimplemented feature.

exception webauthn_rp.errors.UserHandleError¶

Bases: webauthn_rp.errors.BackendError

Raised for an invalid user handle.

exception webauthn_rp.errors.UserIDError¶

Bases: webauthn_rp.errors.BackendError

Raised for an invalid user ID.

exception webauthn_rp.errors.UserPresenceError¶

Bases: webauthn_rp.errors.BackendError

Raised for a missing user presence bit when it is required.

exception webauthn_rp.errors.UserVerificationError¶

Bases: webauthn_rp.errors.BackendError

Raised for a missing user verification bit when it is required.

exception webauthn_rp.errors.ValidationError¶

Bases: webauthn_rp.errors.WebAuthnRPError

Raised for an error validating the format of a CredentialPublicKey.

exception webauthn_rp.errors.VerificationError¶

Bases: webauthn_rp.errors.WebAuthnRPError

Raised for an error verifying a signature using a CredentialPublicKey.

exception webauthn_rp.errors.WebAuthnRPError¶

Bases: Exception

The base error for all exceptions raised by the library.

webauthn_rp.parsers module¶

webauthn_rp.parsers.parse_android_key_attestation_statement(att_stmt: Dict) → webauthn_rp.types.AndroidKeyAttestationStatement ¶

Parse a JSON Android key attestation statement.

Parameters: att_stmt (Dict) – The JSON attestation statement.
Returns: An AndroidKeyAttestationStatement instance.
Raises: ParserError – Could not correctly parse the attestation statement.

References

https://w3.org/TR/webauthn/#android-key-attestation

webauthn_rp.parsers.parse_android_safetynet_attestation_statement(att_stmt: Dict) → webauthn_rp.types.AndroidSafetyNetAttestationStatement ¶

Parse a JSON Android SafetyNet attestation statement.

Parameters: att_stmt (Dict) – The JSON attestation statement.
Returns: An AndroidSafetyNetAttestationStatement instance.
Raises: ParserError – Could not correctly parse the attestation statement.

References

https://w3.org/TR/webauthn/#android-safetynet-attestation

webauthn_rp.parsers.parse_attestation_object(attestation_object: bytes) → Tuple[webauthn_rp.types.AttestationObject, Dict]¶

Parse the raw CBOR-encoded attestation object.

Parameters

attestation_object (bytes) – The raw authenticator data bytes.

Returns

A 2-tuple where the first element is the parsed AttestationObject instance and the second element is its raw CBOR-decoded dictionary.

Raises

ParserError – Could not correctly parse the authenticator data.
DecodingError – Could not decode raw CBOR data.

References

https://w3.org/TR/webauthn/#attestation-object

webauthn_rp.parsers.parse_authenticator_data(auth_data: bytes) → webauthn_rp.types.AuthenticatorData ¶

Parse the raw authenticator data.

Parameters

auth_data (bytes) – The raw authenticator data bytes.

Returns

An instance of AuthenticatorData.

Raises

ParserError – Could not correctly parse the authenticator data.
DecodingError – Could not decode raw CBOR data.

References

https://w3.org/TR/webauthn/#authenticator-data

webauthn_rp.parsers.parse_client_data(client_data_JSON: bytes) → webauthn_rp.types.CollectedClientData ¶

Parse the raw UTF-8-encoded client data JSON.

Parameters: client_data_JSON (bytes) – The UTF-8-encoded client data JSON.
Returns: A CollectedClientData instance.
Raises: ParserError – Could not correctly parse the client data JSON.

References

https://w3.org/TR/webauthn/#dictdef-collectedclientdata

webauthn_rp.parsers.parse_cose_key(credential_public_key: Union[Dict, bytes]) → webauthn_rp.types.CredentialPublicKey ¶

Parse the CBOR-encoded, or decoded, credential public key.

Parameters

credential_public_key (Union[Dict, bytes]) – A CBOR-encoded public key or a CBOR-decoded dictionary of a credential public key.

Returns

An instance of CredentialPublicKey.

Raises

ParserError – Could not correctly parse the credential public key.
DecodingError – Could not decode the raw CBOR data.

References

webauthn_rp.parsers.parse_ec2_public_key(credential_public_key: Dict) → webauthn_rp.types.EC2CredentialPublicKey ¶

Parse a JSON EC2 credential public key into an EC2CredentialPublicKey.

Parameters: credential_public_key (Dict) – The JSON EC2 credential public key generated by a user agent.
Returns: An EC2CredentialPublicKey instance.
Raises: ParserError – Could not correctly parse the data.

References

webauthn_rp.parsers.parse_extensions(extensions: Dict) → webauthn_rp.types.AuthenticationExtensionsClientOutputs ¶

Parse an authenticator’s JSON extension outputs.

Parameters: extensions (Dict) – The JSON extension client outputs generated by a user agent and the user’s authenticator.
Returns: An AuthenticationExtensionsClientOutputs instance.
Raises: ParserError – Could not correctly parse the extension data.

References

https://w3.org/TR/webauthn/#dictdef-authenticationextensionsclientoutputs

webauthn_rp.parsers.parse_fido_u2f_attestation_statement(att_stmt: Dict) → webauthn_rp.types.FIDOU2FAttestationStatement ¶

Parse a JSON FIDO U2F attestation statement.

Parameters: att_stmt (Dict) – The JSON attestation statement.
Returns: A FIDOU2FAttestationStatement instance.
Raises: ParserError – Could not correctly parse the attestation statement.

References

https://www.w3.org/TR/webauthn/#fido-u2f-attestation

webauthn_rp.parsers.parse_none_attestation_statement(att_stmt: Dict) → webauthn_rp.types.NoneAttestationStatement ¶

Parse a JSON NONE attestation statement.

Parameters: att_stmt (Dict) – The JSON attestation statement.
Returns: A NoneAttestationStatement instance.
Raises: ParserError – Could not correctly parse the attestation statement.

References

https://w3.org/TR/webauthn/#none-attestation

webauthn_rp.parsers.parse_okp_public_key(credential_public_key: Dict) → webauthn_rp.types.OKPCredentialPublicKey ¶

Parse a JSON OKP credential public key into an OKPCredentialPublicKey.

Parameters: credential_public_key (Dict) – The JSON OKP credential public key generated by a user agent.
Returns: An OKPCredentialPublicKey instance.
Raises: ParserError – Could not correctly parse the data.

References

webauthn_rp.parsers.parse_origin(origin: str) → webauthn_rp.types.Origin ¶

Parse an origin string into the Origin tuple.

Parameters: origin (str) – An origin as defined in the HTML specification.
Returns: An Origin tuple.

References

https://html.spec.whatwg.org/multipage/origin.html

webauthn_rp.parsers.parse_packed_attestation_statement(att_stmt: Dict) → webauthn_rp.types.PackedAttestationStatement ¶

Parse a JSON packed attestation statement.

Parameters: att_stmt (Dict) – The JSON attestation statement.
Returns: A PackedAttestationStatement instance.
Raises: ParserError – Could not correctly parse the attestation statement.

References

https://w3.org/TR/webauthn/#packed-attestation

webauthn_rp.parsers.parse_public_key_credential(data: Dict) → webauthn_rp.types.PublicKeyCredential ¶

Parse a JSON public key credential into a PublicKeyCredential.

Note that data that was originally bytes is expected to have been encoded using standard base64.

Parameters

data (Dict) – The JSON public key credential generated by a user agent.

Returns

A PublicKeyCredential instance.

Raises

ParserError – Could not correctly parse the data.
DecodingError – Could not decode base64-encoded data.

webauthn_rp.parsers.parse_tpm_attestation_statement(att_stmt: Dict) → webauthn_rp.types.TPMAttestationStatement ¶

Parse a JSON TPM attestation statement.

Parameters: att_stmt (Dict) – The JSON attestation statement.
Returns: A TPMAttestationStatement instance.
Raises: ParserError – Could not correctly parse the attestation statement.

References

https://w3.org/TR/webauthn/#tpm-attestation

webauthn_rp.registrars module¶

class webauthn_rp.registrars.CredentialData(credential_public_key: webauthn_rp.types.CredentialPublicKey, signature_count: Optional[int], user_entity: webauthn_rp.types.PublicKeyCredentialUserEntity, rp_entity: Optional[webauthn_rp.types.PublicKeyCredentialRpEntity] = None)¶

Bases: tuple

Information stored about a specific user credential.

credential_public_key¶

The public key associated with a particular credential.

Type: CredentialPublicKey

signature_count¶

The current signature count of a credential if one has been registered. It should be None if it has not been initialized yet (right after the creation of a credential).

Type: Optional[int]

user_entity¶

The user that owns the credential.

Type: PublicKeyCredentialUserEntity

rp_entity¶

The optional Relying Party that is associated with this credential.

Type: Optional[PublicKeyCredentialRpEntity]

Create new instance of CredentialData(credential_public_key, signature_count, user_entity, rp_entity)

property credential_public_key¶: Alias for field number 0

property rp_entity¶: Alias for field number 3

property signature_count¶: Alias for field number 1

property user_entity¶: Alias for field number 2

class webauthn_rp.registrars.CredentialsRegistrar¶

Bases: object

A registrar for public key credentials.

This class specifies the interface between the CredentialsBackend and the Relying Party’s credentials storage and processing layer.

The provided methods will be invoked by the CredentialsBackend at specific points during the user registration and user authentication phases.

get_credential_data(credential_id: bytes) → Optional[webauthn_rp.registrars.CredentialData]¶

Gets the CredentialData associated with a specific credential.

Parameters: credential_id (bytes) – The probabilistically-unique credential ID.
Returns: The CredentialData associated with the given ID or None if it does not exist.

References

https://w3.org/TR/webauthn/#credential-id

register_credential_assertion(credential: webauthn_rp.types.PublicKeyCredential, authenticator_data: webauthn_rp.types.AuthenticatorData, user: webauthn_rp.types.PublicKeyCredentialUserEntity, rp: webauthn_rp.types.PublicKeyCredentialRpEntity) → Any¶

Registers the attempted assertion of a credential by a user.

This is the last step in the user authentication ceremony which was initiated by the user agent. Successful completion indicates that the any necessary state related to the user’s credential was updated and the authentication process can finish.

Parameters

credential (PublicKeyCredential) – The public key credential associated with the given user and Relying Party.
authenticator_data (AuthenticatorData) – The parsed authenticator data.
user (PublicKeyCredentialUserEntity) – The user associated with the public key credential.
rp (PublicKeyCredentialRpEntity) – The Relying Party associated with the public key credential.

Returns

None for success and anything else to indicate an error.

register_credential_attestation(credential: webauthn_rp.types.PublicKeyCredential, att: webauthn_rp.types.AttestationObject, att_type: webauthn_rp.types.AttestationType, user: webauthn_rp.types.PublicKeyCredentialUserEntity, rp: webauthn_rp.types.PublicKeyCredentialRpEntity, trusted_path: Optional[Sequence[cryptography.x509.base.Certificate]] = None) → Any¶

Registers the attempted attestation of a credential by a user.

This is the last step in the user registration ceremony which was initiated by the user agent. Successful completion indicates that the user’s credential has been stored and is ready for authentication.

Parameters

credential (PublicKeyCredential) – The public key credential to associate with a user and Relying Party.
att (AttestationObject) – The attestation object associated with the given public key credential.
att_type (AttestationType) – The type of attestation that was confirmed by the CredentialsBackend.
user (PublicKeyCredentialUserEntity) – The user to associate with the public key credential.
rp (PublicKeyCredentialRpEntity) – The Relying Party to associate with the public key credential.
trusted_path (Optional[TrustedPath]) – The optional trusted path for the credential and attestation object provided by the CredentialsBackend.

Returns

None for success and anything else to indicate an error.

webauthn_rp.types module¶

webauthn_rp.types.AAGUID¶: alias of bytes

class webauthn_rp.types.AndroidKeyAttestationStatement(*, alg: Union[webauthn_rp.types.COSEAlgorithmIdentifier.Name, webauthn_rp.types.COSEAlgorithmIdentifier.Value], sig: bytes, x5c: Sequence[bytes])¶

Bases: webauthn_rp.types.AttestationStatement

The Android Key Attestation Statement.

alg¶

A COSEAlgorithmIdentifier containing the identifier of the algorithm used to generate the attestation signature.

Type: COSEAlgorithmIdentifier

sig¶

A byte string containing the attestation signature.

Type: bytes

x5c¶

The elements of this array contain the attestation certificate and its certificate chain, each encoded in X.509 format. The attestation certificate MUST be the first element in the array.

Type: Sequence[bytes]

References

class webauthn_rp.types.AndroidSafetyNetAttestationStatement(*, ver: str, response: bytes)¶

Bases: webauthn_rp.types.AttestationStatement

The Android SafetyNet Attestation Statement.

ver¶

The version number of Google Play Services responsible for providing the SafetyNet API.

Type: str

response¶

The UTF-8 encoded result of the getJwsResult() call of the SafetyNet API. This value is a JWS object (see SafetyNet online documentation) in Compact Serialization.

Type: bytes

References

class webauthn_rp.types.AttestationConveyancePreference(value)¶

Bases: enum.Enum

WebAuthn Relying Parties may use AttestationConveyancePreference to specify their preference regarding attestation conveyance during credential generation.

NONE¶

This value indicates that the Relying Party is not interested in authenticator attestation. For example, in order to potentially avoid having to obtain user consent to relay identifying information to the Relying Party, or to save a roundtrip to an Attestation CA.

Type: str

INDIRECT¶

This value indicates that the Relying Party prefers an attestation conveyance yielding verifiable attestation statements, but allows the client to decide how to obtain such attestation statements. The client MAY replace the authenticator-generated attestation statements with attestation statements generated by an Anonymization CA, in order to protect the user’s privacy, or to assist Relying Parties with attestation verification in a heterogeneous ecosystem.

Type: str

DIRECT¶

This value indicates that the Relying Party wants to receive the attestation statement as generated by the authenticator.

Type: str

References

https://w3.org/TR/webauthn/#enumdef-attestationconveyancepreference

DIRECT = 'direct'¶

INDIRECT = 'indirect'¶

NONE = 'none'¶

class webauthn_rp.types.AttestationObject(*, auth_data: webauthn_rp.types.AuthenticatorData, fmt: webauthn_rp.types.AttestationStatementFormatIdentifier, att_stmt: webauthn_rp.types.AttestationStatement)¶

Bases: object

Authenticators MUST also provide some form of attestation. The basic requirement is that the authenticator can produce, for each credential public key, an attestation statement verifiable by the WebAuthn Relying Party. Typically, this attestation statement contains a signature by an attestation private key over the attested credential public key and a challenge, as well as a certificate or similar data providing provenance information for the attestation public key, enabling the Relying Party to make a trust decision. However, if an attestation key pair is not available, then the authenticator MUST perform self attestation of the credential public key with the corresponding credential private key. All this information is returned by authenticators any time a new public key credential is generated, in the overall form of an attestation object.

auth_data¶

The authenticator data.

Type: AuthenticatorData

fmt¶

The format of the attestation statement.

Type: AttestationStatementFormatIdentifier

att_stmt¶

The attestation statement.

Type: AttestationStatment

References

https://w3.org/TR/webauthn/#attestation-object

class webauthn_rp.types.AttestationStatement(*, alg: Optional[Union[webauthn_rp.types.COSEAlgorithmIdentifier.Name, webauthn_rp.types.COSEAlgorithmIdentifier.Value]] = None, sig: Optional[bytes] = None)¶

Bases: object

An important component of the attestation object is the attestation statement. This is a specific type of signed data object, containing statements about a public key credential itself and the authenticator that created it. It contains an attestation signature created using the key of the attesting authority (except for the case of self attestation, when it is created using the credential private key). In order to correctly interpret an attestation statement, a Relying Party needs to understand these two aspects of attestation:

1. The attestation statement format is the manner in which the signature is represented and the various contextual bindings are incorporated into the attestation statement by the authenticator. In other words, this defines the syntax of the statement. Various existing components and OS platforms (such as TPMs and the Android OS) have previously defined attestation statement formats. 2. The attestation type defines the semantics of attestation statements and their underlying trust models. Specifically, it defines how a Relying Party establishes trust in a particular attestation statement, after verifying that it is cryptographically valid.

alg¶

A COSEAlgorithmIdentifier containing the identifier of the algorithm used to generate the attestation signature.

Type: Optional[COSEAlgorithmIdentifier]

sig¶

A byte string containing the attestation signature.

Type: Optional[bytes]

References

https://w3.org/TR/webauthn/#attestation-statement

class webauthn_rp.types.AttestationStatementFormatIdentifier(value)¶

Bases: enum.Enum

Attestation statement formats are identified by a string, called an attestation statement format identifier, chosen by the author of the attestation statement format.

PACKED¶

This is a WebAuthn optimized attestation statement format. It uses a very compact but still extensible encoding method. It is implementable by authenticators with limited resources (e.g., secure elements).

Type: str

TPM¶

This attestation statement format is generally used by authenticators that use a Trusted Platform Module as their cryptographic engine.

Type: str

ANDROID_KEY¶

When the authenticator in question is a platform-provided Authenticator on the Android “N” or later platform, the attestation statement is based on the Android key attestation. In these cases, the attestation statement is produced by a component running in a secure operating environment, but the authenticator data for the attestation is produced outside this environment. The WebAuthn Relying Party is expected to check that the authenticator data claimed to have been used for the attestation is consistent with the fields of the attestation certificate’s extension data.

Type: str

ANDROID_SAFETYNET¶

When the authenticator in question is a platform-provided Authenticator on certain Android platforms, the attestation statement is based on the SafetyNet API. In this case the authenticator data is completely controlled by the caller of the SafetyNet API (typically an application running on the Android platform) and the attestation statement only provides some statements about the health of the platform and the identity of the calling application. This attestation does not provide information regarding provenance of the authenticator and its associated data. Therefore platform-provided authenticators SHOULD make use of the Android Key Attestation when available, even if the SafetyNet API is also present.

Type: str

FIDO_U2F¶

This attestation statement format is used with FIDO U2F authenticators.

Type: str

NONE¶

The none attestation statement format is used to replace any authenticator-provided attestation statement when a WebAuthn Relying Party indicates it does not wish to receive attestation information.

Type: str

References

https://w3.org/TR/webauthn/#attestation-statement-format-identifier

ANDROID_KEY = 'android-key'¶

ANDROID_SAFETYNET = 'android-safetynet'¶

FIDO_U2F = 'fido-u2f'¶

NONE = 'none'¶

PACKED = 'packed'¶

TPM = 'tpm'¶

class webauthn_rp.types.AttestationType(value)¶

Bases: enum.Enum

WebAuthn supports several attestation types, defining the semantics of attestation statements and their underlying trust models.

BASIC¶

In the case of basic attestation, the authenticator’s attestation key pair is specific to an authenticator model. Thus, authenticators of the same model often share the same attestation key pair.

Type: str

SELF¶

In the case of self attestation, also known as surrogate basic attestation, the Authenticator does not have any specific attestation key. Instead it uses the credential private key to create the attestation signature. Authenticators without meaningful protection measures for an attestation private key typically use this attestation type.

Type: str

ATTCA¶

In this case, an authenticator is based on a Trusted Platform Module (TPM) and holds an authenticator-specific “endorsement key” (EK). This key is used to securely communicate with a trusted third party, the Attestation CA (formerly known as a “Privacy CA”). The authenticator can generate multiple attestation identity key pairs (AIK) and requests an Attestation CA to issue an AIK certificate for each. Using this approach, such an authenticator can limit the exposure of the EK (which is a global correlation handle) to Attestation CA(s). AIKs can be requested for each authenticator-generated public key credential individually, and conveyed to Relying Parties as attestation certificates.

Type: str

ECDAA¶

In this case, the Authenticator receives direct anonymous attestation (DAA) credentials from a single DAA-Issuer. These DAA credentials are used along with blinding to sign the attested credential data. The concept of blinding avoids the DAA credentials being misused as global correlation handle. WebAuthn supports DAA using elliptic curve cryptography and bilinear pairings, called ECDAA in this specification. Consequently we denote the DAA-Issuer as ECDAA-Issuer.

Type: str

NONE¶

In this case, no attestation information is available.

Type: str

UNCERTAIN¶

In this case, the attestation type is uncertain.

Type: str

References

https://w3.org/TR/webauthn/#sctn-attestation-types

ATTCA = 'AttCA'¶

BASIC = 'Basic'¶

ECDAA = 'ECDAA'¶

NONE = 'None'¶

SELF = 'Self'¶

UNCERTAIN = 'Uncertain'¶

class webauthn_rp.types.AttestedCredentialData(aaguid: bytes, credential_id_length: int, credential_id: bytes, credential_public_key: Optional[webauthn_rp.types.CredentialPublicKey] = None)¶

Bases: object

Attested credential data is a variable-length byte array added to the authenticator data when generating an attestation object for a given credential.

aaguid¶

The AAGUID of the authenticator. Each authenticator has an AAGUID, which is a 128-bit identifier indicating the type (e.g. make and model) of the authenticator. The AAGUID MUST be chosen by the manufacturer to be identical across all substantially identical authenticators made by that manufacturer, and different (with high probability) from the AAGUIDs of all other types of authenticators. The AAGUID for a given type of authenticator SHOULD be randomly generated to ensure this. The Relying Party MAY use the AAGUID to infer certain properties of the authenticator, such as certification level and strength of key protection, using information from other sources.

Type: bytes

credential_id_length¶

Byte length of Credential ID, parsed from a 16-bit unsigned big-endian integer.

Type: int

credential_id¶

A probabilistically-unique byte sequence identifying a public key credential source and its authentication assertions.

Type: bytes

credential_public_key¶

The credential public key encoded in COSE_Key format. The COSE_Key-encoded credential public key MUST contain the “alg” parameter and MUST NOT contain any other OPTIONAL parameters. The “alg” parameter MUST contain a COSEAlgorithmIdentifier value. The encoded credential public key MUST also contain any additional REQUIRED parameters stipulated by the relevant key type specification, i.e., REQUIRED for the key type “kty” and algorithm “alg”.

Type: Optional[CredentialPublicKey]

References

class webauthn_rp.types.AuthenticationExtensionsClientInputs(*, appid: Optional[str] = None, tx_auth_simple: Optional[str] = None, tx_auth_generic: Optional[webauthn_rp.types.TxAuthGenericArg] = None, authn_sel: Optional[Sequence[bytes]] = None, exts: Optional[bool] = None, uvi: Optional[bool] = None, loc: Optional[bool] = None, uvm: Optional[bool] = None, biometric_perf_bounds: Optional[webauthn_rp.types.AuthenticatorBiometricPerfBounds] = None)¶

Bases: object

This is an object containing the client extension input values for zero or more WebAuthn extensions.

appid¶

A single string specifying a FIDO AppID.

Type: Optional[str]

tx_auth_simple¶

A single string prompt.

Type: Optional[str]

tx_auth_generic¶

An object containing generic inputs.

Type: Optional[TxAuthGenericArg]

authn_sel¶

A sequence of AAGUIDs. Each AAGUID corresponds to an authenticator model that is acceptable to the Relying Party for this credential creation. The list is ordered by decreasing preference.

An AAGUID is defined as an array containing the globally unique identifier of the authenticator model being sought.

Type: Optional[AuthenticatorSelectionList]

exts¶

The Boolean value true to indicate that this extension is requested by the Relying Party.

Type: Optional[bool]

uvi¶

The Boolean value true to indicate that this extension is requested by the Relying Party.

Type: Optional[bool]

loc¶

The Boolean value true to indicate that this extension is requested by the Relying Party.

Type: Optional[bool]

uvm¶

The Boolean value true to indicate that this extension is requested by the Relying Party.

Type: Optional[bool]

biometric_perf_bounds¶

The biometric performance bounds.

Type: Optional[AuthenticatorBiometricPerfBounds]

References

class webauthn_rp.types.AuthenticationExtensionsClientOutputs(*, appid: Optional[bool] = None, tx_auth_simple: Optional[str] = None, tx_auth_generic: Optional[bytes] = None, authn_sel: Optional[bool] = None, exts: Optional[Sequence[str]] = None, uvi: Optional[bytes] = None, loc: Optional[webauthn_rp.types.Coordinates] = None, uvm: Optional[Sequence[Sequence[int]]] = None, biometric_perf_bounds: Optional[bool] = None)¶

Bases: object

This is an object containing the client extension output values for zero or more WebAuthn extensions.

appid¶

If true, the AppID was used and thus, when verifying an assertion, the Relying Party MUST expect the rpIdHash to be the hash of the AppID, not the RP ID.

Type: Optional[bool]

tx_auth_simple¶

The authenticator extension output string UTF-8 decoded into a string.

Type: Optional[str]

tx_auth_generic¶

A generic byte string.

Type: Optional[bytes]

authn_sel¶

Returns the value true to indicate to the Relying Party that the extension was acted upon.

Type: Optional[AuthenticatorSelectionList]

exts¶

Returns the list of supported extensions as an array of extension identifier strings.

Type: Optional[AuthenticationExtensionsSupported]

uvi¶

Returns the authenticator extension output as a byte string.

Type: Optional[bytes]

loc¶

Returns an object that encodes the location information in the authenticator extension output as a Coordinates value.

Type: Optional[Coordinates]

uvm¶

Returns a sequence of UvmEntry objects which are 3-element arrays of numbers that encode the factors in the authenticator extension output.

Type: Optional[UvmEntries]

biometric_perf_bounds¶

Returns the value true to indicate to the Relying Party that the extension was acted upon.

Type: Optional[bool]

References

https://w3.org/TR/webauthn/#dictdef-authenticationextensionsclientoutputs

class webauthn_rp.types.AuthenticatorAssertionResponse(*, client_data_JSON: bytes, authenticator_data: bytes, signature: bytes, user_handle: Optional[bytes] = None)¶

Bases: webauthn_rp.types.AuthenticatorResponse

The AuthenticatorAssertionResponse interface represents an authenticator’s response to a client’s request for generation of a new authentication assertion given the WebAuthn Relying Party’s challenge and OPTIONAL list of credentials it is aware of. This response contains a cryptographic signature proving possession of the credential private key, and optionally evidence of user consent to a specific transaction.

client_data_JSON¶

This attribute contains a JSON serialization of the client data passed to the authenticator by the client in its call to either navigator.credentials.create() or navigator.credentials.get().

Type: bytes

authenticator_data¶

This attribute contains the authenticator data returned by the authenticator.

Type: bytes

signature¶

This attribute contains the raw signature returned from the authenticator.

Type: bytes

user_handle¶

This attribute contains the user handle returned from the authenticator, or null if the authenticator did not return a user handle.

Type: Optional[bytes]

References

class webauthn_rp.types.AuthenticatorAttachment(value)¶

Bases: enum.Enum

This enumeration’s values describe authenticators’ attachment modalities. Relying Parties use this for two purposes:

to express a preferred authenticator attachment modality when calling navigator.credentials.create() to create a credential, and

to inform the client of the Relying Party’s best belief about how to locate the managing authenticators of the credentials listed in allowCredentials when calling navigator.credentials.get() (on the client side).

PLATFORM¶

This value indicates platform attachment.

Type: str

CROSS_PLATFORM¶

This value indicates cross-platform attachment.

Type: str

References

https://w3.org/TR/webauthn/#enumdef-authenticatorattachment

CROSS_PLATFORM = 'cross-platform'¶

PLATFORM = 'platform'¶

class webauthn_rp.types.AuthenticatorAttestationResponse(*, client_data_JSON: bytes, attestation_object: bytes)¶

Bases: webauthn_rp.types.AuthenticatorResponse

The AuthenticatorAttestationResponse represents the authenticator’s response to a client’s request for the creation of a new public key credential. It contains information about the new credential that can be used to identify it for later use, and metadata that can be used by the WebAuthn Relying Party to assess the characteristics of the credential during registration.

client_data_JSON¶

This attribute contains a JSON serialization of the client data passed to the authenticator by the client in its call to either navigator.credentials.create() or navigator.credentials.get().

Type: bytes

attestation_object¶

This attribute contains an attestation object, which is opaque to, and cryptographically protected against tampering by, the client. The attestation object contains both authenticator data and an attestation statement. The former contains the AAGUID, a unique credential ID, and the credential public key. The contents of the attestation statement are determined by the attestation statement format used by the authenticator. It also contains any additional information that the Relying Party’s server requires to validate the attestation statement, as well as to decode and validate the authenticator data along with the JSON-serialized client data.

Type: bytes

References

class webauthn_rp.types.AuthenticatorBiometricPerfBounds(*, FAR: float, FRR: float)¶

Bases: object

Biometric performance bounds.

FAR¶

The maximum false acceptance rate for a biometric authenticator allowed by the Relying Party.

Type: float

FRR¶

The maximum false rejection rate for a biometric authenticator allowed by the Relying Party.

Type: float

References

w3.org/TR/webauthn/#sctn-authenticator-biometric-criteria-extension

class webauthn_rp.types.AuthenticatorData(*, rp_id_hash: bytes, flags: int, sign_count: int, attested_credential_data: Optional[webauthn_rp.types.AttestedCredentialData] = None, extensions: Optional[webauthn_rp.types.AuthenticationExtensionsClientOutputs] = None)¶

Bases: object

The authenticator data structure encodes contextual bindings made by the authenticator. These bindings are controlled by the authenticator itself, and derive their trust from the WebAuthn Relying Party’s assessment of the security properties of the authenticator. In one extreme case, the authenticator may be embedded in the client, and its bindings may be no more trustworthy than the client data. At the other extreme, the authenticator may be a discrete entity with high-security hardware and software, connected to the client over a secure channel. In both cases, the Relying Party receives the authenticator data in the same format, and uses its knowledge of the authenticator to make trust decisions.

rp_id_hash¶

SHA-256 hash of the RP ID the credential is scoped to.

Type: bytes

flags¶

8 flag bits for the authenticator data.

Type: int

sign_count¶

Signature counter parsed from a 32-bit unsigned big-endian integer.

Type: int

attested_credential_data¶

The attested credential data.

Type: Optional[AttestedCredentialData]

extensions¶

Extension-defined authenticator data.

Type: Optional[AuthenticationExtensionsClientOutputs]

References

https://w3.org/TR/webauthn/#authenticator-data

class webauthn_rp.types.AuthenticatorDataFlag(value)¶

Bases: enum.Enum

The authenticator data bit flags.

UP¶

User is present.

Type: int

RFU1¶

Reserved for future use.

Type: int

UV¶

User is verified.

Type: int

RFU2¶

Reserved for future use.

Type: int

AT¶

Attested credential data included.

Type: int

ED¶

Extension data is included in the authenticator data.

Type: int

References

https://w3.org/TR/webauthn/#sec-authenticator-data

AT = 64¶

ED = 128¶

RFU1 = 2¶

RFU2 = 56¶

UP = 1¶

UV = 4¶

class webauthn_rp.types.AuthenticatorResponse(*, client_data_JSON: bytes)¶

Bases: object

Authenticators respond to Relying Party requests by returning an object derived from an AuthenticatorResponse.

client_data_JSON¶

This attribute contains a JSON serialization of the client data passed to the authenticator by the client in its call to either navigator.credentials.create() or navigator.credentials.get().

Type: bytes

References

https://w3.org/TR/webauthn/#authenticatorresponse

class webauthn_rp.types.AuthenticatorSelectionCriteria(*, authenticator_attachment: Optional[webauthn_rp.types.AuthenticatorAttachment] = None, require_resident_key: bool = False, user_verification: webauthn_rp.types.UserVerificationRequirement = <UserVerificationRequirement.PREFERRED: 'preferred'>)¶

Bases: object

WebAuthn Relying Parties may use the AuthenticatorSelectionCriteria to specify their requirements regarding authenticator attributes.

authenticator_attachment¶

If this member is present, eligible authenticators are filtered to only authenticators attached with the specified Authenticator Attachment Enumeration (enum AuthenticatorAttachment).

Type: AuthenticatorAttachment

require_resident_key¶

This member describes the Relying Party’s requirements regarding resident credentials. If the parameter is set to true, the authenticator MUST create a client-side-resident public key credential source when creating a public key credential.

Type: bool

user_verification¶

This member describes the Relying Party’s requirements regarding user verification for the navigator.credentials.create() operation (on the client side). Eligible authenticators are filtered to only those capable of satisfying this requirement.

Type: UserVerificationRequirement

References

https://w3.org/TR/webauthn/#dictdef-authenticatorselectioncriteria

class webauthn_rp.types.AuthenticatorTransport(value)¶

Bases: enum.Enum

Authenticators may implement various transports for communicating with clients. This enumeration defines hints as to how clients might communicate with a particular authenticator in order to obtain an assertion for a specific credential. Note that these hints represent the WebAuthn Relying Party’s best belief as to how an authenticator may be reached. A Relying Party may obtain a list of transports hints from some attestation statement formats or via some out-of-band mechanism; it is outside the scope of this specification to define that mechanism.

USB¶

Indicates the respective authenticator can be contacted over removable USB.

Type: str

NFC¶

Indicates the respective authenticator can be contacted over Near Field Communication (NFC).

Type: str

BLE¶

Indicates the respective authenticator can be contacted over Bluetooth Smart (Bluetooth Low Energy / BLE).

Type: str

INTERNAL¶

Indicates the respective authenticator is contacted using a client device-specific transport. These authenticators are not removable from the client device.

Type: str

References

https://w3.org/TR/webauthn/#enumdef-authenticatortransport

BLE = 'ble'¶

INTERNAL = 'internal'¶

NFC = 'nfc'¶

USB = 'usb'¶

class webauthn_rp.types.COSEAlgorithmIdentifier(value: Union[int, str])¶

Bases: object

A COSEAlgorithmIdentifier’s value is a number identifying a cryptographic algorithm. The algorithm identifiers SHOULD be values registered in the IANA COSE Algorithms registry.

This Enum only contains algorithms that are internally supported. It can be extended upon further support. As Web Authentication mainly performs signing and verification, only algorithms that pertain to those operations are considered.

References

class Name(value)¶

Bases: enum.Enum

An enumeration.

EDDSA = 'EdDSA'¶

ES256 = 'ES256'¶

ES384 = 'ES384'¶

ES512 = 'ES512'¶

class Value(value)¶

Bases: enum.Enum

An enumeration.

EDDSA = -8¶

ES256 = -7¶

ES384 = -35¶

ES512 = -36¶

class webauthn_rp.types.COSEKeyOperation(value: Union[int, str])¶

Bases: object

A metaclass for the COSEKeyOperation Name and Value Enums.

Both the Name and Value Enums share the following documentation.

The COSEKeyOperation object specifies the type of operations that are permitted for the COSE Key.

SIGN¶: The key is used to create signatures. Requires private key fields.

VERIFY¶: The key is used for verification of signatures.

ENCRYPT¶: The key is used for key transport encryption.

DECRYPT¶: The key is used for key transport decryption. Requires private key fields.

WRAP_KEY¶: The key is used for key wrapping.

UNWRAP_KEY¶: The key is used for key unwrapping. Requires private key fields.

DERIVE_KEY¶: The key is used for deriving keys. Requires private key fields.

DERIVE_BITS¶: The key is used for deriving bits not to be used as a key. Requires private key fields.

MAC_CREATE¶: The key is used for creating MACs.

MAC_VERIFY¶: The key is used for validating MACs.

References

https://cose-wg.github.io/cose-spec/#rfc.section.7.1

class Name(value)¶

Bases: enum.Enum

An enumeration.

DECRYPT = 'decrypt'¶

DERIVE_BITS = 'derive bits'¶

DERIVE_KEY = 'derive key'¶

ENCRYPT = 'encrypt'¶

MAC_CREATE = 'MAC create'¶

MAC_VERIFY = 'MAC verify'¶

SIGN = 'sign'¶

UNWRAP_KEY = 'unwrap key'¶

VERIFY = 'verify'¶

WRAP_KEY = 'wrap key'¶

class Value(value)¶

Bases: enum.Enum

An enumeration.

DECRYPT = 4¶

DERIVE_BITS = 8¶

DERIVE_KEY = 7¶

ENCRYPT = 3¶

MAC_CREATE = 9¶

MAC_VERIFY = 10¶

SIGN = 1¶

UNWRAP_KEY = 6¶

VERIFY = 2¶

WRAP_KEY = 5¶

class webauthn_rp.types.COSEKeyType(value: Union[int, str])¶

Bases: object

A metaclass for the COSEKeyOperation Name and Value Enums.

Both the Name and Value Enums share the following documentation.

The COSEKeyType object defines a way to hold a single key object. It is still required that the members of individual key types be defined.

OKP¶: Octet Key Pair

EC2¶: Elliptic Curve Keys with X, Y Coordinate pair

SYMMETRIC¶: Symmetric Keys

References

https://cose-wg.github.io/cose-spec/#rfc.section.13

class Name(value)¶

Bases: enum.Enum

An enumeration.

EC2 = 'EC2'¶

OKP = 'OKP'¶

SYMMETRIC = 'Symmetric'¶

class Value(value)¶

Bases: enum.Enum

An enumeration.

EC2 = 2¶

OKP = 1¶

SYMMETRIC = 4¶

class webauthn_rp.types.CollectedClientData(*, type: str, challenge: str, origin: str, token_binding: Optional[webauthn_rp.types.TokenBinding] = None)¶

Bases: object

The client data represents the contextual bindings of both the WebAuthn Relying Party and the client.

type¶

This member contains the string “webauthn.create” when creating new credentials, and “webauthn.get” when getting an assertion from an existing credential. The purpose of this member is to prevent certain types of signature confusion attacks (where an attacker substitutes one legitimate signature for another).

Type: str

challenge¶

This member contains the base64url encoding of the challenge provided by the Relying Party.

Type: str

origin¶

This member contains the fully qualified origin of the requester, as provided to the authenticator by the client, in the syntax defined by RFC6454.

Type: str

token_binding¶

This OPTIONAL member contains information about the state of the Token Binding protocol used when the client was communicating with the Relying Party. Its absence that the client doesn’t support token binding.

Type: Optional[TokenBinding]

References

https://w3.org/TR/webauthn/#dictdef-collectedclientdata

class webauthn_rp.types.Coordinates(*, latitude: float, longitude: float, altitude: Optional[float] = None, accuracy: float, altitude_accuracy: Optional[float] = None, heading: Optional[float] = None, speed: Optional[float] = None)¶

Bases: object

The geographic coordinate reference system used by the attributes in this interface is the World Geodetic System (2d) [WGS84]. No other reference system is supported.

latitude¶

Geographic latitude specified in decimal degrees.

Type: float

longitude¶

Geographic longitude specified in decimal degrees.

Type: float

altitude¶

Denotes the height of the position, specified in meters above the ellipsoid established by http://earth-info.nga.mil/GandG/publications/tr8350.2/wgs84fin.pdf. If the implementation cannot provide altitude information, the value of this attribute must be null.

Type: Optional[float]

accuracy¶

Denotes the accuracy level of the latitude and longitude coordinates. It is specified in meters and must be supported by all implementations. The value of the accuracy attribute must be a non-negative real number.

Type: float

altitude_accuracy¶

Specified in meters. If the implementation cannot provide altitude information, the value of this attribute must be null. Otherwise, the value must be a non-negative real number.

Type: Optional[float]

heading¶

Denotes the direction of travel of the hosting device and is specified in degrees, where 0° ≤ heading < 360°, counting clockwise relative to the true north. If the implementation cannot provide heading information, the value of this attribute must be null. If the hosting device is stationary (i.e. the value of the speed attribute is 0), then the value of the heading attribute must be NaN.

Type: Optional[float]

speed¶

Denotes the magnitude of the horizontal component of the hosting device’s current velocity and is specified in meters per second. If the implementation cannot provide speed information, the value of this attribute must be null. Otherwise, the value of the speed attribute must be a non-negative real number.

Type: Optional[float]

Notes¶

The accuracy and altitude_accuracy values returned by an implementation should correspond to a 95% confidence level.

References¶

class webauthn_rp.types.Credential(*, id: str, type: str)¶

Bases: object

A credential is an object which allows a developer to make an authentication decision for a particular action.

id¶

The credential’s identifier. The requirements for the identifier are distinct for each type of credential. It might represent a username for username/password tuples, for example.

Type: str

type¶

Specifies the credential type represented by this object.

Type: str

References

https://w3.org/TR/credential-management-1/#credential

class webauthn_rp.types.CredentialCreationOptions(*, public_key: webauthn_rp.types.PublicKeyCredentialCreationOptions)¶

Bases: object

The object used for registration of credentials using the navigator.credentials.create() function on the client side.

public_key¶

The creation options for the public key credential.

Type: PublicKeyCredentialCreationOptions

References

https://w3.org/TR/webauthn/#credentialcreationoptions-extension

class webauthn_rp.types.CredentialMediationRequirement(value)¶

Bases: enum.Enum

When making a request via get(options), developers can set a case-by-case requirement for user mediation by choosing the appropriate CredentialMediationRequirement enum value.

SILENT¶

User mediation is suppressed for the given operation. If the operation can be performed without user involvement, wonderful. If user involvement is necessary, then the operation will return null rather than involving the user.

Type: str

OPTIONAL¶

If credentials can be handed over for a given operation without user mediation, they will be. If user mediation is required, then the user agent will involve the user in the decision.

Type: str

REQUIRED¶

The user agent will not hand over credentials without user mediation, even if the prevent silent access flag is unset for an origin.

Type: str

References

https://w3.org/TR/credential-management-1/#mediation-requirements

OPTIONAL = 'optional'¶

REQUIRED = 'required'¶

SILENT = 'silent'¶

class webauthn_rp.types.CredentialPublicKey(*, kty: Union[webauthn_rp.types.COSEKeyType.Name, webauthn_rp.types.COSEKeyType.Value], kid: Optional[bytes] = None, alg: Optional[Union[webauthn_rp.types.COSEAlgorithmIdentifier.Name, webauthn_rp.types.COSEAlgorithmIdentifier.Value]] = None, key_ops: Optional[Sequence[Union[webauthn_rp.types.COSEKeyOperation.Name, webauthn_rp.types.COSEKeyOperation.Value]]] = None, base_IV: Optional[bytes] = None)¶

Bases: object

The credential public key encoded in COSE_Key format.

kty¶

This parameter is used to identify the family of keys for this structure, and thus the set of key type specific parameters to be found. This parameter MUST be present in a key object. Implementations MUST verify that the key type is appropriate for the algorithm being processed. The key type MUST be included as part of the trust decision process.

Type: Union[COSEKeyType.Name, COSEKeyType.Value]

kid¶

This parameter is used to give an identifier for a key. The identifier is not structured and can be anything from a user provided string to a value computed on the public portion of the key. This field is intended for matching against a ‘kid’ parameter in a message in order to filter down the set of keys that need to be checked.

Type: Optional[bytes]

alg (Optional[: Union[COSEAlgorithmIdentifier.Name, COSEAlgorithmIdentifier.Value]]): This parameter is used to restrict the algorithm that is used with the key. If this parameter is present in the key structure, the application MUST verify that this algorithm matches the algorithm for which the key is being used. If the algorithms do not match, then this key object MUST NOT be used to perform the cryptographic operation. Note that the same key can be in a different key structure with a different or no algorithm specified, however this is considered to be a poor security practice.

key_ops (Optional[: Sequence[Union[COSEKeyOperation.Name, COSEKeyOperation.Value]]]): This parameter is defined to restrict the set of operations that a key is to be used for. Algorithms define the values of key ops that are permitted to appear and are required for specific operations.

base_IV¶

This parameter is defined to carry the base portion of an IV. This field provides the ability to associate a partial IV with a key that is then modified on a per message basis with the partial IV. Extreme care needs to be taken when using a Base IV in an application. Many encryption algorithms lose security if the same IV is used twice.

Type: Optional[bytes]

References

class webauthn_rp.types.CredentialRequestOptions(*, mediation: webauthn_rp.types.CredentialMediationRequirement = <CredentialMediationRequirement.OPTIONAL: 'optional'>, public_key: webauthn_rp.types.PublicKeyCredentialRequestOptions)¶

Bases: object

The object used to obtain assertions using the navigator.credentials.get() function on the client side.

mediation¶

Specifies the mediation requirements for a given credential request.

Type: CredentialMediationRequirement

public_key¶

The request options for the public key credential.

Type: PublicKeyCredentialRequestOptions

References

class webauthn_rp.types.EC2CredentialPublicKey(*, kty: Union[webauthn_rp.types.COSEKeyType.Name, webauthn_rp.types.COSEKeyType.Value], kid: Optional[bytes] = None, alg: Optional[Union[webauthn_rp.types.COSEAlgorithmIdentifier.Name, webauthn_rp.types.COSEAlgorithmIdentifier.Value]] = None, key_ops: Optional[Sequence[Union[webauthn_rp.types.COSEKeyOperation.Name, webauthn_rp.types.COSEKeyOperation.Value]]] = None, base_IV: Optional[bytes] = None, x: bytes, y: bytes, crv: Union[webauthn_rp.types.EC2Curve.Name, webauthn_rp.types.EC2Curve.Value])¶

Bases: webauthn_rp.types.CredentialPublicKey

The Elliptic Curve Cryptography (EC2) credential public key encoded in COSE_Key format.

kty¶

This parameter is used to identify the family of keys for this structure, and thus the set of key type specific parameters to be found. This parameter MUST be present in a key object. Implementations MUST verify that the key type is appropriate for the algorithm being processed. The key type MUST be included as part of the trust decision process.

Type: Union[COSEKeyType.Name, COSEKeyType.Value]

kid¶

This parameter is used to give an identifier for a key. The identifier is not structured and can be anything from a user provided string to a value computed on the public portion of the key. This field is intended for matching against a ‘kid’ parameter in a message in order to filter down the set of keys that need to be checked.

Type: Optional[bytes]

alg (Optional[: Union[COSEAlgorithmIdentifier.Name, COSEAlgorithmIdentifier.Value]]): This parameter is used to restrict the algorithm that is used with the key. If this parameter is present in the key structure, the application MUST verify that this algorithm matches the algorithm for which the key is being used. If the algorithms do not match, then this key object MUST NOT be used to perform the cryptographic operation. Note that the same key can be in a different key structure with a different or no algorithm specified, however this is considered to be a poor security practice.

key_ops (Optional[: Sequence[Union[COSEKeyOperation.Name, COSEKeyOperation.Value]]]): This parameter is defined to restrict the set of operations that a key is to be used for. Algorithms define the values of key ops that are permitted to appear and are required for specific operations.

base_IV¶

his parameter is defined to carry the base portion of an IV. This field provides the ability to associate a partial IV with a key that is then modified on a per message basis with the partial IV. Extreme care needs to be taken when using a Base IV in an application. Many encryption algorithms lose security if the same IV is used twice.

Type: Optional[bytes]

x¶

The Elliptic Curve X Coordinate.

Type: bytes

y¶

The Elliptic Curve Y Coordinate.

Type: bytes

crv¶

The Elliptic Curve Identifier.

Type: Union[EC2Curve.Name, EC2Curve.Value]

References

class webauthn_rp.types.EC2Curve(value: Union[int, str])¶

Bases: object

A metaclass for the EC2Curve Name and Value Enums.

Both the Name and Value Enums share the following documentation.

P_256¶: NIST P-256 also known as secp256r1.

P_384¶: NIST P-384 also known as secp384r1.

P_521¶: NIST P-521 also known as secp521r1.

References

https://cose-wg.github.io/cose-spec/#rfc.section.13.1

class Name(value)¶

Bases: enum.Enum

An enumeration.

P_256 = 'P-256'¶

P_384 = 'P-384'¶

P_521 = 'P-521'¶

class Value(value)¶

Bases: enum.Enum

An enumeration.

P_256 = 1¶

P_384 = 2¶

P_521 = 3¶

webauthn_rp.types.EC2PrivateKey¶: alias of cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey

webauthn_rp.types.EC2PublicKey¶: alias of cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey

class webauthn_rp.types.ExtensionIdentifier(value)¶

Bases: enum.Enum

The string identifier of supported extensions.

APPID¶

This extension allows WebAuthn Relying Parties that have previously registered a credential using the legacy FIDO JavaScript APIs to request an assertion. The FIDO APIs use an alternative identifier for Relying Parties called an AppID [FIDO-APPID], and any credentials created using those APIs will be scoped to that identifier. Without this extension, they would need to be re-registered in order to be scoped to an RP ID.

This extension does not allow FIDO-compatible credentials to be created. Thus, credentials created with WebAuthn are not backwards compatible with the FIDO JavaScript APIs.

Type: str

TX_AUTH_SIMPLE¶

This extension allows for a simple form of transaction authorization. A Relying Party can specify a prompt string, intended for display on a trusted device on the authenticator.

Type: str

TX_AUTH_GENERIC¶

This extension allows images to be used as transaction authorization prompts as well. This allows authenticators without a font rendering engine to be used and also supports a richer visual appearance.

Type: str

AUTHN_SEL¶

This extension allows a WebAuthn Relying Party to guide the selection of the authenticator that will be leveraged when creating the credential. It is intended primarily for Relying Parties that wish to tightly control the experience around credential creation.

Type: str

EXTS¶

This extension enables the WebAuthn Relying Party to determine which extensions the authenticator supports.

Type: str

UVI¶

This extension enables use of a user verification index.

Type: str

LOC¶

This extension provides the authenticator’s current location to the WebAuthn Relying Party.

Type: str

UVM¶

This extension enables use of a user verification method.

Type: str

BIOMETRIC_PERF_BOUNDS¶

This extension allows WebAuthn Relying Parties to specify the desired performance bounds for selecting biometric authenticators as candidates to be employed in a registration ceremony.

Type: str

References

https://w3.org/TR/webauthn/#sctn-defined-extensions

APPID = 'appid'¶

AUTHN_SEL = 'authnSel'¶

BIOMETRIC_PERF_BOUNDS = 'biometricPerfBounds'¶

EXTS = 'exts'¶

LOC = 'loc'¶

TX_AUTH_GENERIC = 'txAuthGeneric'¶

TX_AUTH_SIMPLE = 'txAuthSimple'¶

UVI = 'uvi'¶

UVM = 'uvm'¶

property key¶

class webauthn_rp.types.FIDOU2FAttestationStatement(*, sig: bytes, x5c: Sequence[bytes])¶

Bases: webauthn_rp.types.AttestationStatement

The FIDO U2F Attestation Statement.

sig¶

The attestation signature. The signature was calculated over the (raw) U2F registration response message received by the client from the authenticator.

Type: bytes

x5c¶

A single element array containing the attestation certificate in X.509 format.

Type: Sequence[bytes]

References

class webauthn_rp.types.NoneAttestationStatement(*, alg: Optional[Union[webauthn_rp.types.COSEAlgorithmIdentifier.Name, webauthn_rp.types.COSEAlgorithmIdentifier.Value]] = None, sig: Optional[bytes] = None)¶

Bases: webauthn_rp.types.AttestationStatement

The None Attestation Statement. Consists of an empty object.

References

https://w3.org/TR/webauthn/#none-attestation

class webauthn_rp.types.OKPCredentialPublicKey(*, kty: Union[webauthn_rp.types.COSEKeyType.Name, webauthn_rp.types.COSEKeyType.Value], kid: Optional[bytes] = None, alg: Optional[Union[webauthn_rp.types.COSEAlgorithmIdentifier.Name, webauthn_rp.types.COSEAlgorithmIdentifier.Value]] = None, key_ops: Optional[Sequence[Union[webauthn_rp.types.COSEKeyOperation.Name, webauthn_rp.types.COSEKeyOperation.Value]]] = None, base_IV: Optional[bytes] = None, crv: Union[webauthn_rp.types.OKPCurve.Name, webauthn_rp.types.OKPCurve.Value], x: bytes)¶

Bases: webauthn_rp.types.CredentialPublicKey

The Octet Key Pair (OKP) credential public key encoded in COSE_Key format.

kty¶

This parameter is used to identify the family of keys for this structure, and thus the set of key type specific parameters to be found. This parameter MUST be present in a key object. Implementations MUST verify that the key type is appropriate for the algorithm being processed. The key type MUST be included as part of the trust decision process.

Type: Union[COSEKeyType.Name, COSEKeyType.Value]

kid¶

This parameter is used to give an identifier for a key. The identifier is not structured and can be anything from a user provided string to a value computed on the public portion of the key. This field is intended for matching against a ‘kid’ parameter in a message in order to filter down the set of keys that need to be checked.

Type: Optional[bytes]

alg (Optional[: Union[COSEAlgorithmIdentifier.Name, COSEAlgorithmIdentifier.Value]]): This parameter is used to restrict the algorithm that is used with the key. If this parameter is present in the key structure, the application MUST verify that this algorithm matches the algorithm for which the key is being used. If the algorithms do not match, then this key object MUST NOT be used to perform the cryptographic operation. Note that the same key can be in a different key structure with a different or no algorithm specified, however this is considered to be a poor security practice.

key_ops (Optional[: Sequence[Union[COSEKeyOperation.Name, COSEKeyOperation.Value]]]): This parameter is defined to restrict the set of operations that a key is to be used for. Algorithms define the values of key ops that are permitted to appear and are required for specific operations.

base_IV¶

his parameter is defined to carry the base portion of an IV. This field provides the ability to associate a partial IV with a key that is then modified on a per message basis with the partial IV. Extreme care needs to be taken when using a Base IV in an application. Many encryption algorithms lose security if the same IV is used twice.

Type: Optional[bytes]

x¶

The Elliptic Curve X Coordinate.

Type: bytes

y¶

The Elliptic Curve Y Coordinate.

Type: bytes

crv¶

The Elliptic Curve Identifier.

Type: Union[OKPCurve.Name, OKPCurve.Value]

References

class webauthn_rp.types.OKPCurve(value: Union[int, str])¶

Bases: object

A metaclass for the OKPCurve Name and Value Enums.

Both the Name and Value Enums share the following documentation.

ED25519¶: Ed25519 for use with EdDSA only.

ED448¶: Ed448 for use with EdDSA only.

References

https://cose-wg.github.io/cose-spec/#rfc.section.13.1

class Name(value)¶

Bases: enum.Enum

An enumeration.

ED25519 = 'Ed25519'¶

ED448 = 'Ed448'¶

class Value(value)¶

Bases: enum.Enum

An enumeration.

ED25519 = 6¶

ED448 = 7¶

class webauthn_rp.types.Origin(scheme: str, hostname: str, port: int)¶

Bases: tuple

An origin as defined by the standard.

References

https://www.w3.org/TR/html53/browsers.html#concept-cross-origin

Create new instance of Origin(scheme, hostname, port)

property hostname¶: Alias for field number 1

property port¶: Alias for field number 2

property scheme¶: Alias for field number 0

class webauthn_rp.types.PackedAttestationStatement(*, alg: Union[webauthn_rp.types.COSEAlgorithmIdentifier.Name, webauthn_rp.types.COSEAlgorithmIdentifier.Value], sig: bytes)¶

Bases: webauthn_rp.types.AttestationStatement

The Packed Attestation Statement.

alg¶

A COSEAlgorithmIdentifier containing the identifier of the algorithm used to generate the attestation signature.

Type: COSEAlgorithmIdentifier

sig¶

A byte string containing the attestation signature.

Type: bytes

References

class webauthn_rp.types.PackedECDAAAttestationStatement(*, alg: Union[webauthn_rp.types.COSEAlgorithmIdentifier.Name, webauthn_rp.types.COSEAlgorithmIdentifier.Value], sig: bytes, ecdaa_key_id: bytes)¶

Bases: webauthn_rp.types.PackedAttestationStatement

The Packed ECDAA Attestation Statement.

alg¶

A COSEAlgorithmIdentifier containing the identifier of the algorithm used to generate the attestation signature.

Type: COSEAlgorithmIdentifier

sig¶

A byte string containing the attestation signature.

Type: bytes

ecdaa_key_id¶

The identifier of the ECDAA-Issuer public key. This is the BigNumberToB encoding of the component “c” of the ECDAA-Issuer public key.

Type: bytes

References

class webauthn_rp.types.PackedX509AttestationStatement(*, alg: Union[webauthn_rp.types.COSEAlgorithmIdentifier.Name, webauthn_rp.types.COSEAlgorithmIdentifier.Value], sig: bytes, x5c: Sequence[bytes])¶

Bases: webauthn_rp.types.PackedAttestationStatement

The Packed X.509 Attestation Statement.

alg¶

A COSEAlgorithmIdentifier containing the identifier of the algorithm used to generate the attestation signature.

Type: COSEAlgorithmIdentifier

sig¶

A byte string containing the attestation signature.

Type: bytes

x5c¶

The elements of this array contain the attestation certificate and its certificate chain, each encoded in X.509 format. The attestation certificate MUST be the first element in the array.

Type: Sequence[bytes]

References

class webauthn_rp.types.PublicKeyCredential(*, id: str, type: str, raw_id: bytes, response: webauthn_rp.types.AuthenticatorResponse)¶

Bases: webauthn_rp.types.Credential

PublicKeyCredential inherits from Credential, and contains the attributes that are returned to the caller when a new credential is created, or a new assertion is requested.

id¶

The credential’s identifier. The requirements for the identifier are distinct for each type of credential. It might represent a username for username/password tuples, for example.

Type: str

type¶

Specifies the credential type represented by this object.

Type: str

raw_id¶

This attribute is the raw credential id.

Type: bytes

response¶

This attribute contains the authenticator’s response to the client’s request to either create a public key credential, or generate an authentication assertion. If the PublicKeyCredential is created in response to navigator.credentials.create(), this attribute’s value will be an AuthenticatorAttestationResponse, otherwise, the PublicKeyCredential was created in response to navigator.credentials.get(), and this attribute’s value will be an AuthenticatorAssertionResponse.

Type: AuthenticatorResponse

References

class webauthn_rp.types.PublicKeyCredentialCreationOptions(*, rp: webauthn_rp.types.PublicKeyCredentialRpEntity, user: webauthn_rp.types.PublicKeyCredentialUserEntity, challenge: bytes, pub_key_cred_params: Sequence[webauthn_rp.types.PublicKeyCredentialParameters], timeout: Optional[int] = None, authenticator_selection: Optional[webauthn_rp.types.AuthenticatorSelectionCriteria] = None, extensions: Optional[webauthn_rp.types.AuthenticationExtensionsClientInputs] = None, attestation: webauthn_rp.types.AttestationConveyancePreference = <AttestationConveyancePreference.NONE: 'none'>, exclude_credentials: Optional[Sequence[webauthn_rp.types.PublicKeyCredentialDescriptor]] = None)¶

Bases: object

Options for Credential Creation

rp¶

This member contains data about the Relying Party responsible for the request.

Type: PublicKeyCredentialRpEntity

user¶

This member contains data about the user account for which the Relying Party is requesting attestation.

Type: PublicKeyCredentialUserEntity

challenge¶

This member contains a challenge intended to be used for generating the newly created credential’s attestation object.

Type: bytes

pub_key_cred_params¶

This member contains information about the desired properties of the credential to be created. The sequence is ordered from most preferred to least preferred. The client makes a best-effort to create the most preferred credential that it can.

Type: Sequence[PublicKeyCredentialParameters]

timeout¶

This member specifies a time, in milliseconds, that the caller is willing to wait for the call to complete. This is treated as a hint, and MAY be overridden by the client.

Type: int

authenticator_selection¶

This member is intended for use by Relying Parties that wish to select the appropriate authenticators to participate in the navigator.credentials.create() operation (on the client side).

Type: AuthenticatorSelectionCriteria

extensions¶

This member contains additional parameters requesting additional processing by the client and authenticator. For example, the caller may request that only authenticators with certain capabilities be used to create the credential, or that particular information be returned in the attestation object.

Type: AuthenticationExtensionsClientInputs

attestation¶

This member is intended for use by Relying Parties that wish to express their preference for attestation conveyance.

Type: AttestationConveyancePreference

exclude_credentials¶

This member is intended for use by Relying Parties that wish to limit the creation of multiple credentials for the same account on a single authenticator. The client is requested to return an error if the new credential would be created on an authenticator that also contains one of the credentials enumerated in this parameter.

Type: Sequence[PublicKeyCredentialDescriptor]

References

https://w3.org/TR/webauthn/#dictdef-publickeycredentialcreationoptions

class webauthn_rp.types.PublicKeyCredentialDescriptor(*, type: webauthn_rp.types.PublicKeyCredentialType, id: bytes, transports: Optional[Sequence[webauthn_rp.types.AuthenticatorTransport]] = None)¶

Bases: object

The PublicKeyCredentialDescriptor contains the attributes that are specified by a caller when referring to a public key credential as an input parameter to the navigator.credentials.create() or navigator.credentials.get() methods (on the client side). It mirrors the fields of the PublicKeyCredential object returned by the latter methods.

type¶

This member contains the type of the public key credential the caller is referring to.

Type: PublicKeyCredentialType

id¶

This member contains the credential ID of the public key credential the caller is referring to.

Type: bytes

transports¶

This OPTIONAL member contains a hint as to how the client might communicate with the managing authenticator of the public key credential the caller is referring to.

Type: Optional[Sequence[AuthenticatorTransport]]

References

https://w3.org/TR/webauthn/#dictdef-publickeycredentialdescriptor

class webauthn_rp.types.PublicKeyCredentialEntity(*, name: str, icon: Optional[str] = None)¶

Bases: object

The PublicKeyCredentialEntity describes a user account, or a WebAuthn Relying Party, which a public key credential is associated with or scoped to, respectively.

name¶

A human-palatable name for the entity. Its function depends on what the PublicKeyCredentialEntity represents:

When inherited by PublicKeyCredentialRpEntity it is a human-palatable identifier for the Relying Party, intended only for display.
When inherited by PublicKeyCredentialUserEntity, it is a human-palatable identifier for a user account. It is intended only for display, i.e., aiding the user in determining the difference between user accounts with similar displayNames.

Type: str

icon¶

A serialized URL which resolves to an image associated with the entity. For example, this could be a user’s avatar or a Relying Party’s logo. This URL MUST be an a priori authenticated URL. Authenticators MUST accept and store a 128-byte minimum length for an icon member’s value. Authenticators MAY ignore an icon member’s value if its length is greater than 128 bytes. The URL’s scheme MAY be “data” to avoid fetches of the URL, at the cost of needing more storage.

Type: str

References

https://w3.org/TR/webauthn/#dictdef-publickeycredentialentity

class webauthn_rp.types.PublicKeyCredentialParameters(*, type: webauthn_rp.types.PublicKeyCredentialType, alg: Union[webauthn_rp.types.COSEAlgorithmIdentifier.Name, webauthn_rp.types.COSEAlgorithmIdentifier.Value])¶

Bases: object

PublicKeyCredentialParameters is used to supply additional parameters when creating a new credential.

type¶

This member specifies the type of credential to be created.

Type: PublicKeyCredentialType

alg¶

This member specifies the cryptographic signature algorithm with which the newly generated credential will be used, and thus also the type of asymmetric key pair to be generated, e.g., RSA or Elliptic Curve.

Type: COSEAlgorithmIdentifier

References

https://w3.org/TR/webauthn/#dictdef-publickeycredentialparameters

class webauthn_rp.types.PublicKeyCredentialRequestOptions(*, challenge: bytes, timeout: Optional[int] = None, rp_id: Optional[str] = None, extensions: Optional[webauthn_rp.types.AuthenticationExtensionsClientInputs] = None, allow_credentials: Optional[Sequence[webauthn_rp.types.PublicKeyCredentialDescriptor]] = None, user_verification: Optional[webauthn_rp.types.UserVerificationRequirement] = <UserVerificationRequirement.PREFERRED: 'preferred'>)¶

Bases: object

The PublicKeyCredentialRequestOptions object supplies navigator.credentials.get() with the data it needs to generate an assertion (on the client side). Its challenge member MUST be present, while its other members are OPTIONAL.

challenge¶

This member represents a challenge that the selected authenticator signs, along with other data, when producing an authentication assertion.

Type: bytes

timeout¶

This OPTIONAL member specifies a time, in milliseconds, that the caller is willing to wait for the call to complete. The value is treated as a hint, and MAY be overridden by the client.

Type: Optional[int]

rp_id¶

This OPTIONAL member specifies the relying party identifier claimed by the caller. If omitted, its value will be the CredentialsContainer object’s relevant settings object’s origin’s effective domain.

Type: Optional[str]

extensions¶

Type: AuthenticationExtensionsClientInputs

allow_credentials¶

This OPTIONAL member contains a list of PublicKeyCredentialDescriptor objects representing public key credentials acceptable to the caller, in descending order of the caller’s preference (the first item in the list is the most preferred credential, and so on down the list).

Type: Optional[Sequence[PublicKeyCredentialDescriptor]]

user_verification¶

This OPTIONAL member describes the Relying Party’s requirements regarding user verification for the navigator.credentials.get() operation (on the client side). Eligible authenticators are filtered to only those capable of satisfying this requirement.

Type: Optional[UserVerificationRequirement]

References

https://w3.org/TR/webauthn/#dictdef-publickeycredentialrequestoptions

class webauthn_rp.types.PublicKeyCredentialRpEntity(*, name: str, icon: Optional[str] = None, id: str)¶

Bases: webauthn_rp.types.PublicKeyCredentialEntity

The PublicKeyCredentialRpEntity is used to supply additional Relying Party attributes when creating a new credential.

name¶

A human-palatable name for the entity. Its function depends on what the PublicKeyCredentialEntity represents:

When inherited by PublicKeyCredentialRpEntity it is a human-palatable identifier for the Relying Party, intended only for display.
When inherited by PublicKeyCredentialUserEntity, it is a human-palatable identifier for a user account. It is intended only for display, i.e., aiding the user in determining the difference between user accounts with similar displayNames.

Type: str

icon¶

A serialized URL which resolves to an image associated with the entity. For example, this could be a user’s avatar or a Relying Party’s logo. This URL MUST be an a priori authenticated URL. Authenticators MUST accept and store a 128-byte minimum length for an icon member’s value. Authenticators MAY ignore an icon member’s value if its length is greater than 128 bytes. The URL’s scheme MAY be “data” to avoid fetches of the URL, at the cost of needing more storage.

Type: str

id¶

A unique identifier for the Relying Party entity. By default, the RP ID for a WebAuthn operation is set to the caller’s origin’s effective domain. This default MAY be overridden by the caller, as long as the caller-specified RP ID value is a registrable domain suffix of or is equal to the caller’s origin’s effective domain.

Type: str

References

class webauthn_rp.types.PublicKeyCredentialType(value)¶

Bases: enum.Enum

This enumeration defines the valid credential types. It is an extension point; values can be added to it in the future, as more credential types are defined. The values of this enumeration are used for versioning the Authentication Assertion and attestation structures according to the type of the authenticator.

PUBLIC_KEY¶

The only credential type.

Type: str

References

https://w3.org/TR/webauthn/#enumdef-publickeycredentialtype

PUBLIC_KEY = 'public-key'¶

class webauthn_rp.types.PublicKeyCredentialUserEntity(*, name: str, icon: Optional[str] = None, id: bytes, display_name: str)¶

Bases: webauthn_rp.types.PublicKeyCredentialEntity

The PublicKeyCredentialUserEntity is used to supply additional user account attributes when creating a new credential.

name¶

A human-palatable name for the entity. Its function depends on what the PublicKeyCredentialEntity represents:

When inherited by PublicKeyCredentialRpEntity it is a human-palatable identifier for the Relying Party, intended only for display.
When inherited by PublicKeyCredentialUserEntity, it is a human-palatable identifier for a user account. It is intended only for display, i.e., aiding the user in determining the difference between user accounts with similar displayNames.

Type: str

icon¶

A serialized URL which resolves to an image associated with the entity. For example, this could be a user’s avatar or a Relying Party’s logo. This URL MUST be an a priori authenticated URL. Authenticators MUST accept and store a 128-byte minimum length for an icon member’s value. Authenticators MAY ignore an icon member’s value if its length is greater than 128 bytes. The URL’s scheme MAY be “data” to avoid fetches of the URL, at the cost of needing more storage.

Type: str

id¶

The user handle of the user account entity. To ensure secure operation, authentication and authorization decisions MUST be made on the basis of this id member, not the displayName nor name members.

Since the user handle (id) is not considered personally identifying information, the Relying Party SHOULD NOT include personally identifying information, e.g., e-mail addresses or usernames, in the user handle. This includes hash values of personally identifying information, unless the hash function is salted with salt values private to the Relying Party, since hashing does not prevent probing for guessable input values. It is RECOMMENDED to let the user handle be 64 random bytes, and store this value in the user’s account.

Type: bytes

display_name¶

A human-palatable name for the user account, intended only for display. The Relying Party SHOULD let the user choose this, and SHOULD NOT restrict the choice more than necessary.

Type: str

References

class webauthn_rp.types.TPMAttestationStatement(*, alg: Union[webauthn_rp.types.COSEAlgorithmIdentifier.Name, webauthn_rp.types.COSEAlgorithmIdentifier.Value], sig: bytes, ver: str, cert_info: bytes, pub_area: bytes)¶

Bases: webauthn_rp.types.AttestationStatement

The TPM Attestation Statement.

alg¶

A COSEAlgorithmIdentifier containing the identifier of the algorithm used to generate the attestation signature.

Type: COSEAlgorithmIdentifier

sig¶

A byte string containing the attestation signature.

Type: bytes

ver¶

The version of the TPM specification to which the signature conforms.

Type: str

cert_info¶

The TPMS_ATTEST structure over which the above signature was computed.

Type: bytes

pub_area¶

The TPMT_PUBLIC structure used by the TPM to represent the credential public key.

Type: bytes

References

class webauthn_rp.types.TPMECDAAAttestationStatement(*, alg: Union[webauthn_rp.types.COSEAlgorithmIdentifier.Name, webauthn_rp.types.COSEAlgorithmIdentifier.Value], sig: bytes, ver: str, cert_info: bytes, pub_area: bytes, ecdaa_key_id: bytes)¶

Bases: webauthn_rp.types.TPMAttestationStatement

The TPM ECDAA Attestation Statement.

alg¶

A COSEAlgorithmIdentifier containing the identifier of the algorithm used to generate the attestation signature.

Type: COSEAlgorithmIdentifier

sig¶

A byte string containing the attestation signature.

Type: bytes

ver¶

The version of the TPM specification to which the signature conforms.

Type: str

cert_info¶

The TPMS_ATTEST structure over which the above signature was computed.

Type: bytes

pub_area¶

The TPMT_PUBLIC structure used by the TPM to represent the credential public key.

Type: bytes

ecdaa_key_id¶

The identifier of the ECDAA-Issuer public key. This is the BigNumberToB encoding of the component “c” of the ECDAA-Issuer public key.

Type: bytes

References

class webauthn_rp.types.TPMX509AttestationStatement(*, alg: Union[webauthn_rp.types.COSEAlgorithmIdentifier.Name, webauthn_rp.types.COSEAlgorithmIdentifier.Value], sig: bytes, ver: str, cert_info: bytes, pub_area: bytes, x5c: Sequence[bytes])¶

Bases: webauthn_rp.types.TPMAttestationStatement

The TPM X.509 Attestation Statement.

alg¶

A COSEAlgorithmIdentifier containing the identifier of the algorithm used to generate the attestation signature.

Type: COSEAlgorithmIdentifier

sig¶

A byte string containing the attestation signature.

Type: bytes

ver¶

The version of the TPM specification to which the signature conforms.

Type: str

cert_info¶

The TPMS_ATTEST structure over which the above signature was computed.

Type: bytes

pub_area¶

The TPMT_PUBLIC structure used by the TPM to represent the credential public key.

Type: bytes

x5c¶

The elements of this array contain the attestation certificate and its certificate chain, each encoded in X.509 format. The attestation certificate MUST be the first element in the array.

Type: Sequence[bytes]

References

class webauthn_rp.types.TokenBinding(*, status: webauthn_rp.types.TokenBindingStatus, id: Optional[str] = None)¶

Bases: object

TokenBinding contains information about the state of the Token Binding protocol used when the client was communicating with the Relying Party.

status¶

The status of the Token Binding.

Type: TokenBindingStatus

id¶

This member MUST be present if status is present, and MUST be a base64url encoding of the Token Binding ID that was used when the client was communicating with the Relying Party.

Type: str

References

https://w3.org/TR/webauthn/#dictdef-tokenbinding

class webauthn_rp.types.TokenBindingStatus(value)¶

Bases: enum.Enum

The status of a Token Binding.

SUPPORTED¶

Indicates the client supports token binding, but it was not negotiated when communicating with the Relying Party.

Type: str

PRESENT¶

Indicates token binding was used when communicating with the Relying Party. In this case, the id member MUST be present.

Type: str

References

https://w3.org/TR/webauthn/#enumdef-tokenbindingstatus

PRESENT = 'present'¶

SUPPORTED = 'supported'¶

class webauthn_rp.types.TxAuthGenericArg(*, content_type: str, content: bytes)¶

Bases: object

The input type of the txAuthGeneric extension.

content_type¶

MIME-Type of the content, e.g., “image/png”

Type: str

content¶

The byte string data.

Type: bytes

References

https://w3.org/TR/webauthn/#sctn-generic-txauth-extension

class webauthn_rp.types.UserVerificationRequirement(value)¶

Bases: enum.Enum

A WebAuthn Relying Party may require user verification for some of its operations but not for others, and may use this type to express its needs.

REQUIRED¶

This value indicates that the Relying Party requires user verification for the operation and will fail the operation if the response does not have the UV flag set.

Type: str

PREFERRED¶

This value indicates that the Relying Party prefers user verification for the operation if possible, but will not fail the operation if the response does not have the UV flag set.

Type: str

DISCOURAGED¶

This value indicates that the Relying Party does not want user verification employed during the operation (e.g., in the interest of minimizing disruption to the user interaction flow).

Type: str

References

https://w3.org/TR/webauthn/#enumdef-userverificationrequirement

DISCOURAGED = 'discouraged'¶

PREFERRED = 'preferred'¶

REQUIRED = 'required'¶

webauthn_rp.utils module¶

webauthn_rp.utils.camel_to_snake_case(s: str) → str¶

Convert a camel cased string into snake case.

Parameters: s (str) – A camel cased string.
Returns: The snake case converted string.

webauthn_rp.utils.curve_coordinate_byte_length(crv: Union[types.EC2Curve.Name, types.EC2Curve.Value, types.OKPCurve.Name, types.OKPCurve.Value]) → int¶

Get the fixed number of bytes that an elliptic curve coordinate takes.

Parameters

(Union['types.EC2Curve.Name' (crv) – ‘types.OKPCurve.Name’, ‘types.OKPCurve.Value’]): The elliptic curve.
'types.EC2Curve.Value' – ‘types.OKPCurve.Name’, ‘types.OKPCurve.Value’]): The elliptic curve.

:param : ‘types.OKPCurve.Name’, ‘types.OKPCurve.Value’]): The elliptic curve.

Returns: The byte length.

webauthn_rp.utils.ec2_hash_algorithm(alg: Union[types.COSEAlgorithmIdentifier.Name, types.COSEAlgorithmIdentifier.Value]) → cryptography.hazmat.primitives.hashes.HashAlgorithm¶

Get a HashAlgorithm instance from an algorithm identifier.

Parameters: (Union['types.COSEAlgorithmIdentifier.Name' (alg) – ‘types.COSEAlgorithmIdentifier.Value’]): A cryptography HashAlgorithm instance for the given algorithm.

:param‘types.COSEAlgorithmIdentifier.Value’]): A cryptography HashAlgorithm: instance for the given algorithm.

Returns: A HashAlgorithm instance.

webauthn_rp.utils.snake_to_camel_case(s: str) → str¶

Convert a snake cased string into camel case.

Parameters: s (str) – A snake cased string.
Returns: The camel case converted string.

webauthn_rp.utils.url_base64_decode(s: str) → bytes¶

Base64 decode a string using URL semantics.

Parameters: s (str) – The string to decode.
Returns: The base64-decoded bytes.

References

https://tools.ietf.org/html/rfc4648#section-5

webauthn_rp.utils.url_base64_encode(b: bytes) → bytes¶

Base64 encode raw bytes using URL semantics.

Parameters: b (bytes) – The raw bytes to encode.
Returns: The base64-encoded bytes.

References

https://tools.ietf.org/html/rfc4648#section-5

webauthn_rp.validators module¶

webauthn_rp.validators.validate(credential_public_key: webauthn_rp.types.CredentialPublicKey) → None¶

webauthn_rp.validators.validate(credential_public_key: webauthn_rp.types.EC2CredentialPublicKey) → None

webauthn_rp.validators.validate(credential_public_key: webauthn_rp.types.OKPCredentialPublicKey) → None

Validate the format of a CredentialPublicKey.

Parameters

credential_public_key (CredentialPublicKey) – The credential public key to validate.

Raises

ValidationError – If the given credential public key is invalid.
UnimplementedError – If the logic to validate the given type of key is not implemented.

webauthn_rp.validators.validate_ec2_public_key(credential_public_key: webauthn_rp.types.EC2CredentialPublicKey) → None¶

Validate the format of an EC2CredentialPublicKey.

Parameters

credential_public_key (EC2CredentialPublicKey) – The credential public key to validate.

Raises

ValidationError – If the given credential public key is invalid.
UnimplementedError – If the logic to validate the given type of key is not implemented.

webauthn_rp.validators.validate_okp_public_key(credential_public_key: webauthn_rp.types.OKPCredentialPublicKey) → None¶

Validate the format of an OKPCredentialPublicKey.

Parameters

credential_public_key (OKPCredentialPublicKey) – The credential public key to validate.

Raises

ValidationError – If the given credential public key is invalid.
UnimplementedError – If the logic to validate the given type of key is not implemented.

webauthn_rp.verifiers module¶

webauthn_rp.verifiers.verify(credential_public_key: webauthn_rp.types.CredentialPublicKey, signature: bytes, data: bytes) → None¶

webauthn_rp.verifiers.verify(credential_public_key: webauthn_rp.types.EC2CredentialPublicKey, signature: bytes, data: bytes) → None

webauthn_rp.verifiers.verify(credential_public_key: webauthn_rp.types.OKPCredentialPublicKey, signature: bytes, data: bytes) → None

Verify a signature over data using a CredentialPublicKey.

Parameters

credential_public_key (CredentialPublicKey) – The credential public key to use for verification.
signature (bytes) – The signature to verify.
data (bytes) – The data over which to compute the signature.

Raises

VerificationError – If the provided signature is not correct.
UnimplementedError – If the logic to verify using the given type of key is not implemented.

webauthn_rp.verifiers.verify_ec2_public_key(credential_public_key: webauthn_rp.types.EC2CredentialPublicKey, signature: bytes, data: bytes) → None¶

Verify the a signature over data using an EC2CredentialPublicKey.

Parameters

credential_public_key (EC2CredentialPublicKey) – The credential public key to use for verification.
signature (bytes) – The signature to verify.
data (bytes) – The data over which to compute the signature.

Raises

VerificationError – If the provided signature is not correct.
UnimplementedError – If the logic to verify using the given type of key is not implemented.

webauthn_rp.verifiers.verify_okp_public_key(credential_public_key: webauthn_rp.types.OKPCredentialPublicKey, signature: bytes, data: bytes) → None¶

Verify the a signature over data using an OKPCredentialPublicKey.

Parameters

credential_public_key (OKPCredentialPublicKey) – The credential public key to use for verification.
signature (bytes) – The signature to verify.
data (bytes) – The data over which to compute the signature.

Raises

VerificationError – If the provided signature is not correct.
UnimplementedError – If the logic to verify using the given type of key is not implemented.

webauthn_rp package¶

Submodules¶

webauthn_rp.attesters module¶

webauthn_rp.backends module¶

webauthn_rp.builders module¶

webauthn_rp.converters module¶

webauthn_rp.errors module¶

webauthn_rp.parsers module¶

webauthn_rp.registrars module¶

webauthn_rp.types module¶

webauthn_rp.utils module¶

webauthn_rp.validators module¶

webauthn_rp.verifiers module¶

Module contents¶