- 17 Jan 2025
Back end
Controllers
The server side of the application needs a web layer. In this implementation, each FIDO2 action is exposed through a Spring REST controller. Each controller calls the corresponding service layer and wraps the returned ServerResponses. The finalization methods of the registration and authentication controllers accept the TokenBinding header, which can be passed to the corresponding services if the TokenBinding extension was successfully negotiated.
Services
The sample web application includes two main services, which are responsible for the integration with the OneSpan FIDO2 SDK and invoking the SDK functions:
- RegistrationService
- AuthenticationService
Deregistration (deleting user keys) is supported through data manipulation endpoints; however, deregistration of user keys is not part of the FIDO2 SDK - it is only part of the sample web application.
RegistrationService
Registration is a two-step process for both the SDK and the sample web application. The web app calls the Registering::generatePublicKeyCredentialCreationOptions() function for the first step, the Registering::finalizeRegistration() function for the second step, and correlates these two requests in one session (see the com.onespan.tid.fido.fido2.session.RegistrationSessionData and com.onespan.tid.fido.fido2.session.InMemorySessionRepository classes in the sample web application sources).
AuthenticationService
Authentication is also a two-step process. The service calls the Authenticating::generatePublicKeyCredentialRequestOptions() function for the first step, the Authenticating::finalizeAuthentication() function for the second step, and correlates these two requests within one session (see the com.onespan.tid.fido.samplewebapp.application.session.AuthenticationSessionData and com.onespan.tid.fido.fido2.session.InMemorySessionRepository classes in the sample web application sources).
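
The correlation of the two steps described for RegistrationService and AuthenticationService, shown as an added example that is not taken from the OneSpan sample web application: an in-memory store that issues a random session ID at step 1 and lets step 2 consume it once, within a time limit. All names (CeremonySessionStore, begin, consume, evictExpired) are hypothetical, and the single-use and expiry behaviour is an assumption about how such a store should behave, not a description of InMemorySessionRepository.

```java
import java.security.SecureRandom;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical class; it does not reproduce the sample app's InMemorySessionRepository.
public final class CeremonySessionStore<T> {
    private record Entry<T>(T data, Instant expiresAt) {}

    private final ConcurrentHashMap<String, Entry<T>> sessions = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final Duration ttl;
    private final Clock clock;

    public CeremonySessionStore(Duration ttl, Clock clock) {
        this.ttl = ttl;
        this.clock = clock;
    }

    // Step 1: keep the data created with the options (for example the challenge)
    // under an unguessable 256-bit session ID that is returned to the caller.
    public String begin(T data) {
        byte[] id = new byte[32];
        random.nextBytes(id);
        String sessionId = Base64.getUrlEncoder().withoutPadding().encodeToString(id);
        sessions.put(sessionId, new Entry<>(data, clock.instant().plus(ttl)));
        return sessionId;
    }

    // Step 2: remove() is atomic, so two concurrent finalize calls cannot both
    // obtain the same session data, and a replayed session ID finds nothing.
    public Optional<T> consume(String sessionId) {
        if (sessionId == null) return Optional.empty();
        Entry<T> entry = sessions.remove(sessionId);
        if (entry == null || clock.instant().isAfter(entry.expiresAt())) {
            return Optional.empty();
        }
        return Optional.of(entry.data());
    }

    // Call periodically so abandoned ceremonies do not accumulate in memory.
    public void evictExpired() {
        Instant now = clock.instant();
        sessions.values().removeIf(e -> now.isAfter(e.expiresAt()));
    }
}
```

A finalize handler built on this store would reject the request whenever consume() returns an empty Optional, before passing anything to the SDK.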