WebAuthnRegistrationNode2
Realm Operations
Resource path:
/realm-config/authentication/authenticationtrees/nodes/WebAuthnRegistrationNode/2.0
Resource version: 3.0
create
Usage
am> create WebAuthnRegistrationNode2 --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "relyingPartyName" : { "title" : "Relying party", "description" : "The name of the Relying Party to present, this could be the name of the organisation, realm, etc.", "propertyOrder" : 10, "type" : "string", "exampleValue" : "" }, "fidoCertificationLevel" : { "title" : "FIDO Certification Level", "description" : "The minimum FIDO certification level that the device's certification status must satisfy during a registration flow. If set to OFF, no metadata service checks are performed. NOTE: To enforce a FIDO-certified check, the WebAuthN Metadata Service must be configured appropriately for the realm.", "propertyOrder" : 180, "type" : "string", "exampleValue" : "" }, "generateRecoveryCodes" : { "title" : "Generate recovery codes", "description" : "If enabled, the success outcome's transient state will contain a set of recovery codes. If this success outcome is passed into a Recovery Code Display Node, these codes will be presented to the user. A user may use recovery codes to bypass the WebAuthn authentication node in the event they have lost their authenticator. A set of recovery codes is shared among all registered WebAuthn authenticators, with the latest-generated set being the only valid set of codes. This will not occur if the option to store the device data in the transient state is also selected.", "propertyOrder" : 90, "type" : "boolean", "exampleValue" : "" }, "maxSavedDevices" : { "title" : "Maximum Saved Devices", "description" : "Specify the maximum number of WebAuthn devices to save in a user's profile. 0 for unlimited.", "propertyOrder" : 150, "type" : "integer", "exampleValue" : "" }, "authenticatorAttachment" : { "title" : "Authentication attachment", "description" : "If specified, the authenticators will be filtered out that don't match the attachment type. A PLATFORM authenticator is part of the device, and CROSS_PLATFORM authenticator can be removed from a device and used elsewhere, e.g. via USB.", "propertyOrder" : 60, "type" : "string", "exampleValue" : "" }, "origins" : { "title" : "Origin domains", "description" : "A set of fully-qualified URLs of accepted origins, e.g. http://app.example.com:443. If empty, the accepted origin is the incoming request origin.", "propertyOrder" : 25, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "userVerificationRequirement" : { "title" : "User verification requirement", "description" : "If specified as REQUIRED, authenticators that don't verify user identity are filtered out and should not be selectable by the user.", "propertyOrder" : 30, "type" : "string", "exampleValue" : "" }, "attestationPreference" : { "title" : "Preferred mode of attestation", "description" : "", "propertyOrder" : 40, "type" : "string", "exampleValue" : "" }, "excludeCredentials" : { "title" : "Limit registrations", "description" : "If enabled, each authenticator may only be registered against a user's profile once.", "propertyOrder" : 80, "type" : "boolean", "exampleValue" : "" }, "timeout" : { "title" : "Timeout", "description" : "The number of seconds to wait for a valid WebAuthn authenticator to be registered before failing.", "propertyOrder" : 70, "type" : "integer", "exampleValue" : "" }, "enforceRevocationCheck" : { "title" : "Enforce revocation check", "description" : "Whether to enforce the checking of revocation entries from certificates. If this is set to true, then any attestation certificate's trust chain MUST have a CRL or OCSP entry that can be verified by AM during processing. If this is set to false, then presented certificates will not be checked for revocation. Certificates downloaded from the FIDO Metadata Service may not have a CRL/OCSP entry.", "propertyOrder" : 68, "type" : "boolean", "exampleValue" : "" }, "storeAttestationDataInTransientState" : { "title" : "Store data in transient state", "description" : "If enabled, the information provided by the device to the node will be stored in the transient state for later analysis by subsequent nodes using the key 'webauthnData'. Additionally the type of attestation achieved (BASIC, CA, SELF, etc.) will be stored using the key 'webauthnAttestationType'.", "propertyOrder" : 100, "type" : "boolean", "exampleValue" : "" }, "requiresResidentKey" : { "title" : "Username to device", "description" : "Requests that the username is stored by the device. Devices which do not support storing and providing the username will be unable to utilise the node while it is operating in this mode.", "propertyOrder" : 120, "type" : "boolean", "exampleValue" : "" }, "trustStoreAlias" : { "title" : "Trust Store alias", "description" : "The alias of the realm trust store which contains the secrets necessary for performing validation of a supplied attestation certificate. The alias name must only contain the characters a-z and the . symbol.", "propertyOrder" : 65, "type" : "string", "exampleValue" : "" }, "acceptedSigningAlgorithms" : { "title" : "Accepted signing algorithms", "description" : "", "propertyOrder" : 50, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "relyingPartyDomain" : { "title" : "Relying party identifier", "description" : "The domain against which to register devices, if blank AM will make a best guess at the domain.", "propertyOrder" : 20, "type" : "string", "exampleValue" : "" }, "validateFidoU2fAaguid" : { "title" : "Validate FIDO-U2F attestation AAGUID", "description" : "If enabled, the node will validate the AAGUID for any FIDO-U2F attestation type (16 bytes initialized with all zeros).", "propertyOrder" : 170, "type" : "boolean", "exampleValue" : "" }, "postponeDeviceProfileStorage" : { "title" : "Store device data in transient state", "description" : "If enabled, the device will not be stored directly to the user profile upon successful completion of the node. Rather, the device information will be placed into the transient state for later storage by subsequent nodes using the key 'webauthnDeviceData'. The provided 'WebAuthn Device Storage Node' can be used for this purpose.", "propertyOrder" : 110, "type" : "boolean", "exampleValue" : "" }, "displayNameSharedState" : { "title" : "Shared state attribute for display name", "description" : "This field determines the value of the user's displayName, used when the user's username is stored in the device. If left blank, the display name will be set to the same as the user's username. If set to a value the corresponding shared state value will be used instead. If there is no value found in the shared state for the provided key, the display name will be set to the same as the user's username.", "propertyOrder" : 130, "type" : "string", "exampleValue" : "" } }, "required" : [ "relyingPartyName", "fidoCertificationLevel", "generateRecoveryCodes", "maxSavedDevices", "authenticatorAttachment", "origins", "userVerificationRequirement", "attestationPreference", "excludeCredentials", "timeout", "enforceRevocationCheck", "storeAttestationDataInTransientState", "requiresResidentKey", "acceptedSigningAlgorithms", "validateFidoU2fAaguid", "postponeDeviceProfileStorage" ] }
delete
Usage
am> delete WebAuthnRegistrationNode2 --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
getType
List information related to the node such as a name, description, tags and metadata.
Usage
am> action WebAuthnRegistrationNode2 --realm Realm --actionName getType
getUpgradedConfig
Get the upgraded configuration for the node type.
Usage
am> action WebAuthnRegistrationNode2 --realm Realm --body body --actionName getUpgradedConfig --targetVersion targetVersion
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "title" : "The current configuration of the node type." } - --targetVersion
-
=== listOutcomes
List the available outcomes for the node type.
Usage
am> action WebAuthnRegistrationNode2 --realm Realm --body body --actionName listOutcomes
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "description" : "Some configuration of the node. This does not need to be complete against the configuration schema.", "type" : "object", "title" : "Node configuration" }
query
Get the full list of instances of this collection. This query only supports _queryFilter=true filter.
Usage
am> query WebAuthnRegistrationNode2 --realm Realm --filter filter
Parameters
- --filter
-
A CREST formatted query filter, where "true" will query all.
read
Usage
am> read WebAuthnRegistrationNode2 --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
update
Usage
am> update WebAuthnRegistrationNode2 --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "relyingPartyName" : { "title" : "Relying party", "description" : "The name of the Relying Party to present, this could be the name of the organisation, realm, etc.", "propertyOrder" : 10, "type" : "string", "exampleValue" : "" }, "fidoCertificationLevel" : { "title" : "FIDO Certification Level", "description" : "The minimum FIDO certification level that the device's certification status must satisfy during a registration flow. If set to OFF, no metadata service checks are performed. NOTE: To enforce a FIDO-certified check, the WebAuthN Metadata Service must be configured appropriately for the realm.", "propertyOrder" : 180, "type" : "string", "exampleValue" : "" }, "generateRecoveryCodes" : { "title" : "Generate recovery codes", "description" : "If enabled, the success outcome's transient state will contain a set of recovery codes. If this success outcome is passed into a Recovery Code Display Node, these codes will be presented to the user. A user may use recovery codes to bypass the WebAuthn authentication node in the event they have lost their authenticator. A set of recovery codes is shared among all registered WebAuthn authenticators, with the latest-generated set being the only valid set of codes. This will not occur if the option to store the device data in the transient state is also selected.", "propertyOrder" : 90, "type" : "boolean", "exampleValue" : "" }, "maxSavedDevices" : { "title" : "Maximum Saved Devices", "description" : "Specify the maximum number of WebAuthn devices to save in a user's profile. 0 for unlimited.", "propertyOrder" : 150, "type" : "integer", "exampleValue" : "" }, "authenticatorAttachment" : { "title" : "Authentication attachment", "description" : "If specified, the authenticators will be filtered out that don't match the attachment type. A PLATFORM authenticator is part of the device, and CROSS_PLATFORM authenticator can be removed from a device and used elsewhere, e.g. via USB.", "propertyOrder" : 60, "type" : "string", "exampleValue" : "" }, "origins" : { "title" : "Origin domains", "description" : "A set of fully-qualified URLs of accepted origins, e.g. http://app.example.com:443. If empty, the accepted origin is the incoming request origin.", "propertyOrder" : 25, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "userVerificationRequirement" : { "title" : "User verification requirement", "description" : "If specified as REQUIRED, authenticators that don't verify user identity are filtered out and should not be selectable by the user.", "propertyOrder" : 30, "type" : "string", "exampleValue" : "" }, "attestationPreference" : { "title" : "Preferred mode of attestation", "description" : "", "propertyOrder" : 40, "type" : "string", "exampleValue" : "" }, "excludeCredentials" : { "title" : "Limit registrations", "description" : "If enabled, each authenticator may only be registered against a user's profile once.", "propertyOrder" : 80, "type" : "boolean", "exampleValue" : "" }, "timeout" : { "title" : "Timeout", "description" : "The number of seconds to wait for a valid WebAuthn authenticator to be registered before failing.", "propertyOrder" : 70, "type" : "integer", "exampleValue" : "" }, "enforceRevocationCheck" : { "title" : "Enforce revocation check", "description" : "Whether to enforce the checking of revocation entries from certificates. If this is set to true, then any attestation certificate's trust chain MUST have a CRL or OCSP entry that can be verified by AM during processing. If this is set to false, then presented certificates will not be checked for revocation. Certificates downloaded from the FIDO Metadata Service may not have a CRL/OCSP entry.", "propertyOrder" : 68, "type" : "boolean", "exampleValue" : "" }, "storeAttestationDataInTransientState" : { "title" : "Store data in transient state", "description" : "If enabled, the information provided by the device to the node will be stored in the transient state for later analysis by subsequent nodes using the key 'webauthnData'. Additionally the type of attestation achieved (BASIC, CA, SELF, etc.) will be stored using the key 'webauthnAttestationType'.", "propertyOrder" : 100, "type" : "boolean", "exampleValue" : "" }, "requiresResidentKey" : { "title" : "Username to device", "description" : "Requests that the username is stored by the device. Devices which do not support storing and providing the username will be unable to utilise the node while it is operating in this mode.", "propertyOrder" : 120, "type" : "boolean", "exampleValue" : "" }, "trustStoreAlias" : { "title" : "Trust Store alias", "description" : "The alias of the realm trust store which contains the secrets necessary for performing validation of a supplied attestation certificate. The alias name must only contain the characters a-z and the . symbol.", "propertyOrder" : 65, "type" : "string", "exampleValue" : "" }, "acceptedSigningAlgorithms" : { "title" : "Accepted signing algorithms", "description" : "", "propertyOrder" : 50, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "relyingPartyDomain" : { "title" : "Relying party identifier", "description" : "The domain against which to register devices, if blank AM will make a best guess at the domain.", "propertyOrder" : 20, "type" : "string", "exampleValue" : "" }, "validateFidoU2fAaguid" : { "title" : "Validate FIDO-U2F attestation AAGUID", "description" : "If enabled, the node will validate the AAGUID for any FIDO-U2F attestation type (16 bytes initialized with all zeros).", "propertyOrder" : 170, "type" : "boolean", "exampleValue" : "" }, "postponeDeviceProfileStorage" : { "title" : "Store device data in transient state", "description" : "If enabled, the device will not be stored directly to the user profile upon successful completion of the node. Rather, the device information will be placed into the transient state for later storage by subsequent nodes using the key 'webauthnDeviceData'. The provided 'WebAuthn Device Storage Node' can be used for this purpose.", "propertyOrder" : 110, "type" : "boolean", "exampleValue" : "" }, "displayNameSharedState" : { "title" : "Shared state attribute for display name", "description" : "This field determines the value of the user's displayName, used when the user's username is stored in the device. If left blank, the display name will be set to the same as the user's username. If set to a value the corresponding shared state value will be used instead. If there is no value found in the shared state for the provided key, the display name will be set to the same as the user's username.", "propertyOrder" : 130, "type" : "string", "exampleValue" : "" } }, "required" : [ "relyingPartyName", "fidoCertificationLevel", "generateRecoveryCodes", "maxSavedDevices", "authenticatorAttachment", "origins", "userVerificationRequirement", "attestationPreference", "excludeCredentials", "timeout", "enforceRevocationCheck", "storeAttestationDataInTransientState", "requiresResidentKey", "acceptedSigningAlgorithms", "validateFidoU2fAaguid", "postponeDeviceProfileStorage" ] }