Hello,
I let the user authenticate via an OIDC/AES service, then I get a persistent access token (think of it as the bank card number) that identifies the user and their device on my service; then I offer the user the option to enroll with WebAuthn on another site (merchant site),
the next step is a request to the RP to get the public key for navigator.credentials.get({here}).
I don't know how to store this token; it's very sensitive data, so I was thinking of a way to get it from the device. I used this token as the user name in UserEntity when I created the creds.
I was also thinking of getting the credential IDs from the stored WebAuthn creds; those creds will be used to request (a challenge ...) from the RP.
If you have any advice or suggestion I will be grateful :)
Thx
Replies: 2 comments
-
I'm not sure what data you want to store here.
The OIDC access token is ephemeral as you just need it to acquire a bearer token from the identity provider, right? No reason to store it? Haven't implemented OIDC yet so I'm not sure here.
The public key or credential ID from the user's authenticator that you receive from navigator.credentials.create/.get? Those should be stored in their own DB table to enable a one-to-many relationship, as the same user can have multiple authenticators registered, e.g. a phone's Face ID and a laptop fingerprint.
However, whenever the user authenticates, they have to provide their user ID to you first. FIDO2 does not identify a user, it can only authenticate them. Otherwise it would be similar to that comic where a user enters a password and the response is something like "wrong user, did you mean user123?".
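As an added example (not code from this discussion or from the project), the one-to-many credential table the reply describes, with the lookup the RP performs once the user has named themselves; the sqlite schema, function names and sample credential values are my own assumptions, and the user handle is a random value so the access token never has to go into UserEntity.

```python
# Added example, not from the discussion: one-to-many WebAuthn credential
# storage with sqlite3. Schema, function names and sample values are assumptions.
import base64
import os
import sqlite3

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def open_store() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (
            user_handle BLOB PRIMARY KEY,      -- opaque random bytes used as user.id
            username    TEXT UNIQUE NOT NULL
        );
        CREATE TABLE credentials (             -- one row per registered authenticator
            credential_id BLOB PRIMARY KEY,    -- rawId returned by credentials.create()
            user_handle   BLOB NOT NULL REFERENCES users(user_handle),
            public_key    BLOB NOT NULL,       -- COSE public key from registration
            sign_count    INTEGER NOT NULL DEFAULT 0
        );
    """)
    return db

def create_user(db, username: str) -> bytes:
    # user.id is a fresh random handle, so the access token (or any other
    # sensitive value) never has to be placed in the UserEntity.
    handle = os.urandom(32)
    db.execute("INSERT INTO users VALUES (?, ?)", (handle, username))
    return handle

def register_credential(db, username: str, credential_id: bytes, public_key: bytes):
    (handle,) = db.execute("SELECT user_handle FROM users WHERE username = ?", (username,)).fetchone()
    db.execute("INSERT INTO credentials VALUES (?, ?, ?, 0)", (credential_id, handle, public_key))

def allow_credentials(db, username: str) -> list:
    # The user names themselves first; the RP then lists only that user's
    # credential ids for navigator.credentials.get({publicKey: {allowCredentials}}).
    rows = db.execute("SELECT c.credential_id FROM credentials c JOIN users u USING (user_handle)"
                      " WHERE u.username = ?", (username,)).fetchall()
    return [{"type": "public-key", "id": b64url(r[0])} for r in rows]

def key_for_assertion(db, username: str, credential_id: bytes):
    # Returns the stored key only if the asserted credential belongs to the claimed user.
    row = db.execute("SELECT c.public_key FROM credentials c JOIN users u USING (user_handle)"
                     " WHERE u.username = ? AND c.credential_id = ?", (username, credential_id)).fetchone()
    return row[0] if row else None
```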
-
Closing as this would make more sense as a Discussion