- 16 Oct 2024
- 1 Minute à lire
- SombreLumière
Integration of User Login with FIDO-Based Authentication
- Mis à jour le 16 Oct 2024
- 1 Minute à lire
- SombreLumière
OneSpan Cloud Authentication allows you to integrate FIDO-based authentication in your solution. It supports the following FIDO protocols:
FIDO UAF (Universal Authentication Framework)
FIDO2
For more information about the FIDO UAF and FIDO2 protocols, see FIDO-based authentication.
Prerequisites for a FIDO-based authentication
To ensure successful FIDO-based authentication, the following prerequisites must be met:
The user must exist in OneSpan Cloud Authentication.
The user must be assigned to a registered tenant.
FIDO has been configured for the relevant tenant in the Tenant Configuration service.
The user must have a registered FIDO authenticator.
A relying party instance with defined policies must have been created.
FIDO-based authentication flow
Sequence of a user login operation via FIDO-based authentication
The user starts the login operation and triggers the web server to initiate the authentication to the OneSpan Trusted Identity platform API by calling the POST users/{userID@domain}/generate-fido-authentication-request endpoint.
The OneSpan Trusted Identity platform API initializes the authentication request to the FIDO Server.
The FIDO Server retrieves the policies associated to the user and generates an authentication request that is sent to the OneSpan Trusted Identity platform API.
These policies define which authenticator is authorized to be used for authentication.
The OneSpan Trusted Identity platform API receives the request and sends it to the web server.
The web server forwards the authentication request to the app.
The app communicates with the FIDO authenticator to generate an authentication response.
The app forwards the authentication response to the web server, which forwards the response to the OneSpan Trusted Identity platform API by calling the POST /users/{userID@domain}/login endpoint.
The OneSpan Trusted Identity platform API finalizes the authentication with the FIDO Server.
The FIDO Server verifies the authentication response that is sent to the OneSpan Trusted Identity platform API.
The OneSpan Trusted Identity platform API receives the success response and sends it to the web server.
The web server sends this verification response to the app and with this finalizes the authentication operation.
To integrate user login with FIDO-based authentication
Issue an authentication request with the POST /users/{userID@domain}/generate-fido-authentication-request endpoint.
Payload:
fidoProtocol: UAF11, FIDO2
authenticationMessage (UAF only)
Contains a message is shown on a built-in display of an UAF authenticator.userVerification: required, preferred, discouraged (FIDO2 only)
Response body:
authenticationRequest
requestID
uafStatusCode
For a full list of UAF status codes, refer to the FIDO alliance documentation.
For FIDO2, this field will return null.
Issue a login request with the POST /users/{userID@domain}/login endpoint.
Payload:
objecttype: "LoginInput"
credentials
fidoAuthenticator
authenticationResponse
requestID
Response body:
uafStatusCode
For a full list of UAF status codes, refer to the FIDO alliance documentation.
For FIDO2, this field will return null.