What are PublicKeyCredentialCreationOptions in WebAuthn?

Author: Vincent

Created: December 18, 2023

Updated: September 10, 2024


What are PublicKeyCredentialCreationOptions?

PublicKeyCredentialCreationOptions is a core object of the WebAuthn standard: it carries the parameters the client needs to create a new credential as part of the challenge-response mechanism. It is the required argument of navigator.credentials.create() and provides the data from which the authenticator generates an attestation.


Example:

{
  "PublicKeyCredentialCreationOptions": {
    "rp": { "id": "passkeys.eu", "name": "Corbado Passkeys Demo" },
    "user": { "displayName": "john.doe", "id": "dXNyLZ….DU10Tc", "name": "john@doe.com" },
    "challenge": "888fix4Bus...pHHr3Y",
    "pubKeyCredParams": [
      { "alg": -7, "type": "public-key" },
      { "alg": -257, "type": "public-key" }
    ],
    "excludeCredentials": [],
    "authenticatorSelection": {
      "authenticatorAttachment": "platform",
      "residentKey": "required",
      "userVerification": "required"
    },
    "attestation": "none",
    "extensions": {}
  }
}

Continue reading for a full breakdown of the components and workings of PublicKeyCredentialCreationOptions.

Key Takeaways

  • PublicKeyCredentialCreationOptions is an object for creating new credentials in WebAuthn by communicating required parameters to the client.
  • It gets created and passed from the WebAuthn server in the Backend to communicate required parameters for creating a new credential.
  • It provides options for timeout settings, exclusion of certain public key credentials, and specific authenticator selection criteria to cater to diverse security needs.

Relevance in WebAuthn

The Registration Process in WebAuthn requires the publicKeyCredentialCreationOptions

As shown in the flowchart of the registration process, passing publicKeyCredentialCreationOptions to the Frontend is the Backend's first step in creating a new credential. The object drives the registration of the new credential by encoding the required values and the options chosen by the Relying Party.


Technical breakdown

Here's a quick explanation of all attributes, as specified in the WebAuthn specification:

rp

"rp": { "id": "passkeys.eu", "name": "Corbado Passkeys Demo" }

rp identifies the Relying Party (the server that wants to authenticate the user). The ID is usually the server's domain; you can read more about it in this blog.

user

"user": { "displayName": "john.doe", "id": "dXNyLZ….DU10Tc", "name": "john@doe.com" }

The user attribute contains data about the user account requesting attestation. The ID (the user handle) is a byte sequence chosen by the Relying Party that must not contain personal information; the username or e-mail address is stored in the name or displayName attribute instead.

challenge

"challenge": "888fix4Bus...pHHr3Y"

The cryptographic challenge is a randomly generated BufferSource (transported base64URL-encoded in the JSON) that the authenticator signs over, which is what binds the resulting attestation to this particular registration request.

pubKeyCredParams

"pubKeyCredParams": [ { "alg": -7, "type": "public-key" }, { "alg": -257, "type": "public-key" } ]

pubKeyCredParams specifies the properties of the credential to be created, in practice the signature algorithm(s) the Relying Party supports; each alg value is a COSE algorithm identifier.

excludeCredentials

"excludeCredentials": []

excludeCredentials is an optional list of disallowed credentials to limit the creation of multiple passkeys on one device. Read more about it in this article.

authenticatorSelection

"authenticatorSelection": { "authenticatorAttachment": "platform", "residentKey": "required", "userVerification": "required" }

authenticatorSelection is an optional set of criteria for choosing the authenticator used in the ceremony, e.g. whether a resident key is required. See this article for more information.

attestation and extensions

"attestation": "none", "extensions": {}

  • attestation can be used to request that the attestation object is passed on to the Relying Party in a specific form. Possible values are “none” (default), “indirect”, “direct” and “enterprise”.

  • extensions is a dictionary of optional request(s) for additional processing, such as specific return values, e.g.

    • credProps requests information on whether the created credential is discoverable
    • prf allows the Relying Party to use outputs from a pseudo-random function (PRF) associated with a credential
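The following JavaScript is an added example, not code from the original post or from Corbado. It takes the JSON a backend sends (base64url strings, as in the example above), decodes challenge, user.id and the excludeCredentials ids into the ArrayBuffers that navigator.credentials.create() requires, and rejects values that break the constraints described in the sections above (a challenge shorter than 16 bytes, a user.id outside 1..64 bytes, malformed pubKeyCredParams, an unknown attestation value). The decoder, the validation function and the sample JSON are all constructed here.

```javascript
const B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

// Decode a base64url string (padding optional) into a Uint8Array.
function base64urlDecode(s) {
  s = s.replace(/=+$/, "");
  if (!/^[A-Za-z0-9_-]*$/.test(s) || s.length % 4 === 1) throw new Error("invalid base64url");
  const out = [];
  let acc = 0, bits = 0;
  for (const ch of s) {
    acc = (acc << 6) | B64URL.indexOf(ch);
    bits += 6;
    if (bits >= 8) { bits -= 8; out.push((acc >> bits) & 0xff); acc &= (1 << bits) - 1; }
  }
  return new Uint8Array(out);
}

// Turn the backend's JSON (base64url strings) into the dictionary that
// navigator.credentials.create({ publicKey }) accepts, rejecting values that
// violate WebAuthn's constraints before they ever reach the authenticator.
function parseCreationOptions(json) {
  const o = typeof json === "string" ? JSON.parse(json) : json;
  const challenge = base64urlDecode(o.challenge);
  if (challenge.length < 16) throw new Error("challenge must be at least 16 random bytes");
  const userId = base64urlDecode(o.user.id); // opaque user handle, never PII
  if (userId.length < 1 || userId.length > 64) throw new Error("user.id must be 1..64 bytes");
  const params = o.pubKeyCredParams;
  if (!Array.isArray(params) || params.length === 0 ||
      !params.every(p => p.type === "public-key" && Number.isInteger(p.alg))) {
    throw new Error("pubKeyCredParams must list COSE algorithm ids of type public-key");
  }
  const attestation = o.attestation ?? "none";
  if (!["none", "indirect", "direct", "enterprise"].includes(attestation)) throw new Error("unknown attestation");
  return {
    ...o,
    challenge: challenge.buffer,
    user: { ...o.user, id: userId.buffer },
    excludeCredentials: (o.excludeCredentials ?? []).map(c => ({ ...c, id: base64urlDecode(c.id).buffer })),
    attestation,
    extensions: o.extensions ?? {}, // extensions is a dictionary, not an array
  };
}

// Constructed sample modelled on the page's example (user.id = "usr-123", 32-byte challenge).
const SAMPLE_OPTIONS = JSON.stringify({
  rp: { id: "passkeys.eu", name: "Corbado Passkeys Demo" },
  user: { id: "dXNyLTEyMw", name: "john@doe.com", displayName: "john.doe" },
  challenge: "MDEyMzQ1Njc4OWFiY2RlZjAxMjM0NTY3ODlhYmNkZWY",
  pubKeyCredParams: [{ alg: -7, type: "public-key" }, { alg: -257, type: "public-key" }],
  attestation: "none",
});
```

In a browser the result is passed as navigator.credentials.create({ publicKey: parseCreationOptions(json) }); modern browsers also ship PublicKeyCredential.parseCreationOptionsFromJSON() for the decoding step, but it does not perform the length checks shown here.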


PublicKeyCredentialCreationOptions FAQs

What role do PublicKeyCredentialCreationOptions play in WebAuthn?

They are essential for registering credentials, managing challenges, and ensuring secure user-device connections.

Can PublicKeyCredentialCreationOptions be customized for different authentication requirements?

Yes, they offer extensive customization options like timeout settings and authenticator selection criteria to meet diverse security needs.


What’s the difference between PublicKeyCredentialCreationOptions and PublicKeyCredentialRequestOptions?

Both are objects sent by the backend that include a challenge, but they differ in their use case. PublicKeyCredentialCreationOptions is used for creating a new credential, while PublicKeyCredentialRequestOptions is used for the authentication process with an existing credential.
