Last active
November 8, 2024 16:07
-
-
Save stephenmcgruer/e0f70dc6b37465fa68f26d61a4d2401d to your computer and use it in GitHub Desktop.
Proposed shape for BBK at credential creation time
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| const publicKey = { | |
| // The challenge should be created by the bank server and sent to the iframe. | |
| challenge: new Uint8Array([21,31,105 /* 29 more random bytes generated by the server */]), | |
| // Relying Party: | |
| rp: { | |
| name: "Fancy Bank", | |
| }, | |
| // User: | |
| user: { | |
| // Part of WebAuthn. This information is not required by SPC | |
| // but may be used by the bank server to identify this user in | |
| // future transactions. Inconsistent values for the same user | |
| // can result in the creation of multiple credentials for the user | |
| // and thus potential UX friction due to credential selection. | |
| id: Uint8Array.from(window.atob("MIIBkzCCATigAwIBAjCCAZMwggE4oAMCAQIwggGTMII="), c=>c.charCodeAt(0)), | |
| name: "[email protected]", | |
| displayName: "Jane Doe", | |
| }, | |
| // In this example the Relying Party accepts either an ES256 or RS256 | |
| // credential, but prefers an ES256 credential. | |
| pubKeyCredParams: [ | |
| { | |
| type: "public-key", | |
| alg: -7 // "ES256" | |
| }, | |
| { | |
| type: "public-key", | |
| alg: -257 // "RS256" | |
| } | |
| ], | |
| authenticatorSelection: { | |
| userVerification: "required", | |
| residentKey: "required", | |
| authenticatorAttachment: "platform", | |
| }, | |
| timeout: 360000, // 6 minutes | |
| extensions: { | |
| "payment": { | |
| isPayment: true, | |
| } | |
| } | |
| }; | |
| const publicKeyCredential = await navigator.credentials.create({ publicKey }); | |
| const clientDataJSON = base64Decode(publicKeyCredential.toJSON().response.clientDataJSON); | |
| /** | |
| clientDataJSON = { | |
| "type": "webauthn.create", | |
| "challenge": "RW5yb2xsbWVudCBjaGFsbGVuZ2U", | |
| "origin": "https://issuer.example", | |
| "crossOrigin": false, | |
| "payment": { | |
| "bbk_public_key": "abcd1234", | |
| }, | |
| }; | |
| */ | |
| const paymentExtensionOutputs = publicKeyCredential.getClientExtensionResults()['payment']; | |
| /** | |
| // Fields are decoded for ease of reading. They would likely be ArrayBuffers in practice, | |
| // using the same encoding that WebAuthn does. | |
| paymentExtensionOutputs = { | |
| // Uses the same *encoding* as publicKeyCredential.response.getPublicKey() | |
| bbk_public_key = 'abcd1234', | |
| // Signature by the BBK private key, over the ClientDataJSON. | |
| // Uses the same signing algorithm as publicKeyCredential.response.getPublicKeyAlgorithm() | |
| // | |
| // TODO: This might not be useful during create(), and could be omitted? | |
| bbk_signature = 'BE491...', | |
| }; | |
| */ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment