Product Documentation
  • A successful FIDO2_0 response (accompanied by a 200 OK if using REST) will look similar to the following:

    {
        "Response": {
            "rp": {
                "name": "FIDOServer",
                "id": "strongkey.com"
            },
            "user": {
                "name": "johndoe",
                "id": "IS_cmMEf9B6qP5bCEpTzkotQ6ek9FzG7JkfnzpoRA3g",
                "displayName": "Initial Registration"
            },
            "challenge": "mvCa7PatHg-9y3jZe7hrCA",
            "pubKeyCredParams": [
                {
                    "type": "public-key",
                    "alg": -7
                },
                {
                    "type": "public-key",
                    "alg": -35
                },
                {
                    "type": "public-key",
                    "alg": -36
                },
                {
                    "type": "public-key",
                    "alg": -8
                },
                {
                    "type": "public-key",
                    "alg": -47
                },
                {
                    "type": "public-key",
                    "alg": -257
                },
                {
                    "type": "public-key",
                    "alg": -258
                },
                {
                    "type": "public-key",
                    "alg": -259
                },
                {
                    "type": "public-key",
                    "alg": -37
                },
                {
                    "type": "public-key",
                    "alg": -38
                },
                {
                    "type": "public-key",
                    "alg": -38
                }
            ],
            "excludeCredentials": [
                {
                    "type": "public-key",
                    "id": "8wfZB45Xf2hXFt5VVjtVbnmXm4BLgkiPRfji9m1g_WxvIsRG--ldheHyCMVenwevgB_vxB3NBuAIkbeW8FngAyBYOx36Fjys4QYz_dfCLtlzJeoj-yoHrC_DgH2xcFDpKRgBbHfD1LiEd56V-JzCBkHz0olHiu0TLBWp10QEoV44De_k72gxgPOP4GUwyafbqy71I7i0Ak7HdtXoV0Dmgm1vKdVYpSAiMopL7ROMm_rptQj0QPYJeT_n05AesVzQ",
                    "alg": -7
                },
                {
                    "type": "public-key",
                    "id": "djEB2mIMKt3SifYwy3ZuY7800VWpPJG8Ir_WTel2cacmze4cF8uOrCAvTc55robM9y_LbISUlEAdhvWQNI9j9fW7d_RE-p_i4qcDqtqj2-cN7j2ZWPTYk42LrwMT6bFJ3KvN3emuWZ9lmbOelbGBq0tOIh7zlQQFYI2GzK-iEOpsyePTAaoGforhYKB4LfZf1thXpQU4c6r8N8t2DNCI-dHBuiilUwkX_jtQc-ylwprfGuI-1Z2yWwPDho9dXTTe",
                    "alg": -7
                }
            ],
            "attestation": "direct"
        },
        "responseCode": "FIDO-MSG-0002",
        "skfsVersion": "4.13.0",
        "skfsFQDN": "example.strongkey.com",
        "TXID": "1-1-74-1717788283064",
        "appTXID": "exampleappTXID"
    }

 

rp Description

Value

Explanation

name

This attribute contains the name assigned by the web application to the name of the Relying Party (RP)—the company or application with whom the user is interacting.

id

This attribute contains the Domain Name System (DNS) name of the site hosting the application. This is usually a string containing the “top level domain” + “1 sub-domain”, conforming to RFC-6454.

 

user Description

Value

Explanation

name

This attribute contains the name assigned by the web application to the user account registering the FIDO credential.

id

This attribute contains the unique identifier assigned by SKFS to the user account

displayName

This attribute contains the label assigned to the unique Authenticator used by the user when registering with the SKFS.

 

Other Elements of the JSON Response

Value

Explanation

challenge

This attribute contains a Base64Url encoded random “number used once” (nonce), generated by the SKFS, to challenge the Authenticator to sign it with the newly generated Private Key of the FIDO credential.

publicKeyCredParams

This attribute contains an array of JSON objects, each of which describes the Public Key algorithm from the set of COSE Algorithms the SKFS will accept for generated keys. In the example shown, the algorithm numbers correspond to the following:

-7: ES256 or ECDSA with SHA-256 message digests

-8: EdDSA

-35: ES384 or ECDSA with SHA-384 message digests

-36: ES512 or ECDSA with SHA-512 message digests

-47: ES256K or ECDSA using secp256k1 curve and SHA-256

excludeCredentials

This attribute contains an array of JSON objects, each of which describes the credential identifiers (credentialId) the SKFS has already registered for this specific user.


The array is intended to provide notice to the Authenticator that if the Authenticator finds a match for a string with the concatenation of the rpid + credentialId from this response, the Authenticator should NOT create a duplicate credential for this user.


 A “genesis registration” will always have an empty array as shown in this response (since the user is registering their first FIDO credential with this system).

attestation

This attribute contains a value intended to provide notice to the platform (browser or app) that the SKFS requires the attestation object be conveyed through the manner specified by this value.

NOTE: At the time of writing, the Level-2 WebAuthn specification permits one of four attestation conveyance mechanisms.