|
Bring in the subprotocol (the same as what's used on the desktop client
for public-key authentication) to carry the relevant messages:
- AuthRequest: first step in the flow, the client sends it to signal the
intent to authenticate to the server.
- AssertCredential and AssertionFinish: server's challenge and client's
response, respectively, to finalize the flow.
- RegisterCredential and RegistrationFinish: same structure as the
above. Unlike the simple public-key auth with an out-of-band setup,
passkeys require user interaction to register. User must be
authorized.
Validate all relevant checks on the API side, and hand the data over to
the server for it to verify attestations and assertions.
Because it's a primary auth mechanism (not a second factor), require
user verification.
As we don't use any other method on web, add a passkey button as the
only sign-in interface. Passkeys are discoverable, we don't even need a
username.
|
