What are PublicKeyCredentialRequestOptions in WebAuthn?

What are PublicKeyCredentialRequestOptions?#

PublicKeyCredentialRequestOptions is an important object in the WebAuthn standard, used during the login with a credential. They are essential for the navigator.credential.get() function, providing the necessary data to generate an authentication assertion.

Example:#

{
  "publicKeyCredentialRequestOptions": {
    "challenge": "pT7HMA-…dFPHk",
    "timeout": 500,
    "rpId": "passkeys.eu",
    "userVerification": "preferred",
    "allowCredentials": [],
    "extensions": []
  }
}

Continue reading for a full breakdown of the components and workings of PublicKeyCredentialRequestOptions.

Key Takeaways#

PublicKeyCredentialRequestOptions play a crucial role in generating authentication assertions in WebAuthn.
They necessitate a cryptographic challenge and allow for optional parameters like timeout and rpId.
They support a flexible approach to authenticator selection and user verification.

Relevance in WebAuthn#

The Login Process in WebAuthn requires the publicKeyCredentialRequestOptions

As shown in the flowchart for the login process, passing publicKeyCredentialRequestOptions to the Frontend is the first step by the Backend during authentication.‍ A crucial part is the cryptographic challenge that is later signed by the authenticator.

Technical breakdown#

Here's a quick explanation of all attributes, as specified in the WebAuthn specification.

challenge#

    "challenge": "pT7HMA-…dFPHk",

The cryptographic challenge is a randomly generated base64URL encoded BufferSource that needs to be signed by the authenticator.

timeout#

    "timeout": 500,

timeout is an optional value for the time (in milliseconds) the client should wait for the call to complete

rpId#

    "rpId": "passkeys.eu"

rpId is the identifier of the Relying Party for the assertion request, usually its domain. Read more in this blog.

userVerification#

    "userVerification": "preferred",

userVerification is an optional value to specify requirements for user verification during the operation. Possible values are “preferred” (default), “required” or “discouraged”.

allowCredentials#

    "allowCredentials": [],

allowCredentials is an optional list of credentials that are allowed for authentication, indicating the caller’s preference by descending order. This list would be filled with PublicKeyCredentialDescriptors, as you can see in this article.

extensions#

    "extensions": []

extensions contains optional request(s) for additional processing, such as specific return values. e.g.
- credProbs requests information on whether the created credential is discoverable
- prf allows the Relying Party to use outputs from a pseudo-random function (PRF) associated with a credential ‍

PublicKeyCredentialRequestOptions FAQs#

How do PublicKeyCredentialRequestOptions facilitate user authentication in WebAuthn?#

They provide essential data for generating authentication assertions, including a mandatory cryptographic challenge and optional user verification requirements.

What is the significance of the challenge member in PublicKeyCredentialRequestOptions?#

The challenge is a critical security feature that ensures the authenticity of the authentication process and guards against replay attacks.

Can PublicKeyCredentialRequestOptions be customized for specific authentication needs?#

Yes, they offer flexibility with optional parameters like timeout and rpId, allowing customization based on specific authentication requirements.

What’s the difference between PublicKeyCredentialRequestOptions and PublicKeyCredentialCreationOptions?#

They both are objects sent by the Backend including a challenge for authentication, but differ regarding their use case. PublicKeyCredentialCreationOptions are used for creating a new credentials, while PublicKeyCredentialRequestOptions are used for the authentication process with an existing credential