Class hierarchy diagram (rendered as text): ::webauthn::WebAuthn, ::ms::Graph, ::canvas::API and ::xo::Authorize are subclasses of ::xo::REST, which derives from ::nx::Object.

Class ::webauthn::WebAuthn

::webauthn::WebAuthn create ... \
           [ -after_successful_login_url (default "/pvt/") ] \
           [ -client_id client_id ] \
           [ -client_secret client_secret ] \
           [ -debug:boolean (default "false") ] \
           [ -login_failure_url (default "/") ] \
           [ -pretty_name (default "Passkey") ] \
           [ -rp_id:required rp_id:required ] \
           [ -storageObj (default "::xo::WebAuthnStore::Cache") ]

Switches:
-rp_id (required)
The WebAuthn Relying Party ID (domain), e.g. 'openacs.org' or 'login.example.com'. Must be a registrable domain / host that matches the site origin rules.
-after_successful_login_url (optional, defaults to "/pvt/")
Where to redirect after login if no return_url exists in the state.
-login_failure_url (optional, defaults to "/")
Where to send users on failure if you don't want to show debug output.
Defined in packages/webauthn/tcl/webauthn-procs.tcl

Class Relations

  • class: ::nx::Class
  • superclass: ::xo::REST

Methods (to be applied on instances)

  • auth assertion_verify (scripted, public)

     <instance of webauthn::WebAuthn> auth assertion_verify \
        [ -st st ] [ -req req ]

    Verify a WebAuthn authentication response (assertion) against stored state. This method validates the incoming assertion from navigator.credentials.get(). It checks required fields, maps the presented credential ID to a stored credential (user_id + public key), and verifies the assertion using the pending authentication state (challenge, rpId, origin, etc.). If the credential is unknown, an error is raised. When the state contains a user_id (identifier-first flow), the error message is phrased as "no passkey for this account"; otherwise it is treated as an unknown credential in discovery mode.

    Switches:
    -st (optional)
    Authentication state dict as created by /webauthn/auth/options or auth issue_options (challenge, rpId, origin, return_url, ...).
    -req (optional)
    Parsed client response dict containing the assertion fields, including id, clientDataJSON, authenticatorData, and signature.

    Testcases:
    No testcase defined.
  • auth issue_options (scripted, public)

     <instance of webauthn::WebAuthn> auth issue_options \
        [ -return_url return_url ]

    Issue WebAuthn assertion options for starting a passkey login ceremony. Generates a fresh state nonce and challenge, stores the pending authentication ceremony state in the configured store (keyed by state), and returns a dict containing:
    - state: the nonce to be echoed back to /webauthn/auth/verify
    - options: PublicKeyCredentialRequestOptions for navigator.credentials.get()

    Switches:
    -return_url (optional, defaults to "/")
    Local URL to redirect to after successful login (default: "/").

    Testcases:
    No testcase defined.
  • login_url (scripted, public)

     <instance of webauthn::WebAuthn> login_url \
        [ -return_url return_url ]

    Compatibility function with other external_registry objects.

    Switches:
    -return_url (optional, defaults to "/")

    Testcases:
    No testcase defined.
  • logout (scripted, public)

     <instance of webauthn::WebAuthn> logout

    Compatibility function with other external_registry objects.

    Testcases:
    No testcase defined.
  • name (scripted, public)

     <instance of webauthn::WebAuthn> name

    Compatibility with xo::Authorize.

    Testcases:
    No testcase defined.
  • new_challenge (scripted, public)

     <instance of webauthn::WebAuthn> new_challenge [ nbytes ]

    Generate a new cryptographically strong random challenge. The challenge is generated using ns_crypto::randombytes and returned as a base64url-encoded string suitable for use in WebAuthn request/creation options.

    Parameters:
    nbytes (optional, defaults to "32")
    Number of random bytes to generate before encoding (default: 32).

    Testcases:
    No testcase defined.
  • origin (scripted, public)

     <instance of webauthn::WebAuthn> origin

    Returns the "origin" field provided to the attestation.

    Testcases:
    No testcase defined.
  • reg attestation_verify (scripted, public)

     <instance of webauthn::WebAuthn> reg attestation_verify \
        [ -st st ] [ -req req ]

    Verify a WebAuthn registration response (attestation) against stored state. This method validates the incoming credential creation response from navigator.credentials.create() for the current registration ceremony. It checks required fields, verifies the clientDataJSON (type, challenge, origin), decodes and parses the attestationObject (CBOR), and extracts credential data (credential ID and public key) for subsequent storage.

    Switches:
    -st (optional)
    Registration state dict as created by /webauthn/reg/options (challenge, origin, return_url, user_id, ...).
    -req (optional)
    Parsed client response dict containing "response" fields, including clientDataJSON and attestationObject.

    Testcases:
    No testcase defined.
  • return_err (scripted, public)

     <instance of webauthn::WebAuthn> return_err [ -status status ] \
        error detail

    Return a JSON error response on the current connection.

    Switches:
    -status (optional, defaults to "400")
    HTTP status code to use for the response (default: 400).
    Parameters:
    error (required)
    Short, stable error code (machine-readable).
    detail (required)
    Human-readable error message suitable for display/logging.

    Testcases:
    No testcase defined.
  • store (scripted, public)

     <instance of webauthn::WebAuthn> store

    Return the backing store used for pending WebAuthn state.

    Testcases:
    No testcase defined.
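The methods auth issue_options, new_challenge and auth assertion_verify above describe one passkey login ceremony: mint a state nonce and a base64url challenge, park them in a store keyed by state, then check the returned assertion (type, challenge, origin in clientDataJSON; rpIdHash, flags and counter in authenticatorData) against that pending state. The following Python model is an added example, not the webauthn package's own Tcl code; RP_ID, ORIGIN, the dict-backed store, the credential table, the error codes and the `make_client_response` helper are all assumptions constructed for the demonstration. The final signature check over authenticatorData || SHA-256(clientDataJSON) needs the stored public key and a crypto library, so the example only assembles that signed message and returns it with the key.

```python
"""Added example: server-side passkey login ceremony (issue options, then
verify the assertion against the pending state).  Not the project's code."""
import base64
import hashlib
import json
import secrets
import time

RP_ID = "login.example.com"            # assumed relying party id
ORIGIN = "https://login.example.com"   # assumed site origin


class VerifyError(Exception):
    """Raised with a short, stable error code (cf. return_err)."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def new_challenge(nbytes: int = 32) -> str:
    """Fresh random challenge, base64url-encoded (like new_challenge above)."""
    return b64url_encode(secrets.token_bytes(nbytes))


def issue_options(store: dict, return_url: str = "/", ttl: int = 300) -> dict:
    """Create pending ceremony state keyed by a nonce and return it with the
    PublicKeyCredentialRequestOptions the browser hands to credentials.get()."""
    state = b64url_encode(secrets.token_bytes(16))
    challenge = new_challenge()
    store[state] = {"challenge": challenge, "rpId": RP_ID, "origin": ORIGIN,
                    "return_url": return_url, "expires": time.time() + ttl}
    options = {"challenge": challenge, "rpId": RP_ID,
               "userVerification": "preferred"}
    return {"state": state, "options": options}


def assertion_verify(store: dict, state: str, req: dict, credentials: dict) -> dict:
    """Pre-signature checks of an assertion.  `credentials` maps credential id
    to {"user_id", "public_key", "sign_count"} (assumed table layout)."""
    st = store.pop(state, None)            # state is single use: replay fails
    if st is None:
        raise VerifyError("unknown_state")
    if st["expires"] < time.time():
        raise VerifyError("state_expired")
    for field in ("id", "clientDataJSON", "authenticatorData", "signature"):
        if field not in req:
            raise VerifyError("missing_" + field)
    cred = credentials.get(req["id"])
    if cred is None:
        # identifier-first flow vs. discovery mode, as the docs describe
        raise VerifyError("no_passkey_for_account" if "user_id" in st
                          else "unknown_credential")
    cdj_raw = b64url_decode(req["clientDataJSON"])
    cd = json.loads(cdj_raw)
    if cd.get("type") != "webauthn.get":
        raise VerifyError("bad_type")
    if not secrets.compare_digest(cd.get("challenge", ""), st["challenge"]):
        raise VerifyError("challenge_mismatch")
    if cd.get("origin") != st["origin"]:
        raise VerifyError("origin_mismatch")
    auth = b64url_decode(req["authenticatorData"])
    if len(auth) < 37:                     # rpIdHash(32) + flags(1) + counter(4)
        raise VerifyError("authenticator_data_too_short")
    if not secrets.compare_digest(auth[:32], hashlib.sha256(st["rpId"].encode()).digest()):
        raise VerifyError("rpid_hash_mismatch")
    flags = auth[32]
    if not flags & 0x01:                   # UP bit: user presence required
        raise VerifyError("user_not_present")
    counter = int.from_bytes(auth[33:37], "big")
    if (counter or cred["sign_count"]) and counter <= cred["sign_count"]:
        raise VerifyError("counter_regressed")   # possible cloned authenticator
    signed_data = auth + hashlib.sha256(cdj_raw).digest()
    return {"user_id": cred["user_id"], "return_url": st["return_url"],
            "signed_data": signed_data, "public_key": cred["public_key"],
            "sign_count": counter}


def make_client_response(cred_id: str, challenge: str, origin: str,
                         rp_id: str, counter: int, flags: int = 0x01) -> dict:
    """Constructed stand-in for the browser's navigator.credentials.get()
    result (assumption: the signature bytes are a placeholder)."""
    cdj = json.dumps({"type": "webauthn.get", "challenge": challenge,
                      "origin": origin}).encode()
    auth = (hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
            + counter.to_bytes(4, "big"))
    return {"id": cred_id, "clientDataJSON": b64url_encode(cdj),
            "authenticatorData": b64url_encode(auth),
            "signature": b64url_encode(b"constructed-signature")}


if __name__ == "__main__":
    store, creds = {}, {"cred-1": {"user_id": 42, "public_key": b"pk", "sign_count": 5}}
    r = issue_options(store, "/pvt/")
    req = make_client_response("cred-1", r["options"]["challenge"], ORIGIN, RP_ID, 6)
    print(assertion_verify(store, r["state"], req, creds)["user_id"])
```

The store is consumed with `pop`, so the same state cannot be redeemed twice, and the origin check is an exact string comparison against the origin recorded when the options were issued, not a suffix match on rp_id.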