RapidIdentity Product Guide

FIDO Authentication

Here is an example response from the server indicating that FIDO Authentication is required as the next step:

Note

Displayed values have been truncated here for formatting purposes, but the strings listed here should represent actual, usable values when generated in a production environment.

HTTP/1.1 200 OK
Content-Type: application/json

{
  "id": "e230e2e0-25ae-11e5-8dc9-0050b6c32ffc",
  "step": {
    "appId": "https://rapidIdentity.example.com:8443/FIDO/appId",
    "challenge": "g9WMWOFyFef8x9nNwt4zfZnJhaLHoSyKEprXT_EGPxU",
    "devices": [
      {
        "name": "FIDO Device - (ID: a28af5qa-f4r2-4271-a926-7d09537f869c)",
        "deviceId": "a24af5ca-f4f2-4171-a936-7d01567f869c",
        "keyHandle": "jwCS9L5WAxN4PjZFjIOgv-D9FE0Fze_[...]_CsCSUQtI__[...]"
      }
    ],
    "type": "authenticate",
    "userId": "8e123420-00e4-11r6-c668-005056r00008",
    "version": "U2F_V2"
  },
  "type": "fido"
}

Note that the value of the type property is fido and the step.type property is authenticate.

When responding to the FIDO Authenticate response, values for the clientData and signatureData properties are required. These values are produced by the FIDO device together with the client software that drives it; the server only consumes them.

POST /idp/ws/rest/authn HTTP/1.1
Content-Type: application/json
Accept: application/json

{
  "id": "e230e2e0-25ae-11e5-8dc9-0050b6c32ffc",
  "step": {
    "clientData": "eyJvcmlnaW4iOiJodHRwczovL2xvY2FsaG9zdDoyNTE0OCIsImNpZF9wdWJrZ[...]",
    "signatureData": "AQEBAQEiYycLYY0_EHePpkSt22mTwjZJ2HMCIF9IE_gT0jmxaknCyM4cbp[...]",
    "defer": false,
    "type": "authenticate"
  },
  "type": "fido"
}

Here is an example response from the server indicating that FIDO Registration is required as the next step:

HTTP/1.1 200 OK
Content-Type: application/json

{
  "id": "e230e2e0-25ae-11e5-8dc9-0050b6c32ffc",
  "step": {
    "appId": "https://rapidIdentity.example.com:8443/FIDO/appId",
    "challenge": "g9WMWOFyFef8x9nNwt4zfZnJhaLHoSyKEprXT_EGPxU",
    "passwordRequired": true,
    "name": "FIDO Device - (ID: a28af5ca-f4f2-4271-a946-7d09567f869c)",
    "deviceId": "a28af5ca-f4f2-4271-a946-7d09567f869c",
    "type": "register",
    "userId": "8e193920-00e4-11e6-a668-005056c00008",
    "version": "U2F_V2"
  },
  "type": "fido"
}

Note that the value of the type property is fido and the step.type property is register.

When responding to the FIDO Register response, values for the clientData and registrationData properties are required. These values are produced by the FIDO device together with the client software that drives it. The password property is only required if the user has not yet entered a password or authenticated using a Pre-Auth authentication type (the passwordRequired flag in the server's response indicates this).

POST /idp/ws/rest/authn HTTP/1.1
Content-Type: application/json
Accept: application/json

{
  "id": "e230e2e0-25re-11s5-8da9-0050b6c32ffc",
  "step": {
    "clientData": "eyJvcmlnaW4iOiJodHRwczovL2xvY2FsaG9zdDoyNTE0OCIsImNpZF9wdWJrZXki[...]",
    "registrationData": "BQQtRU22R6qjdGYw3d1JWg5dxy7W2Y8_YXxbYLyn_NzXV6SNhabfaoSzkDwsoheJ[...]",
    "password": "p@$$w0rd",
    "type": "register"
  },
  "type": "fido"
}