diff --git a/examples/large_blobs.py b/examples/large_blobs.py index eb510bb..7ed4da2 100644 --- a/examples/large_blobs.py +++ b/examples/large_blobs.py @@ -40,7 +40,7 @@ client = get_client(lambda client: "largeBlobKey" in client.info.extensions) -# LargeBlob requires UV if is it configured +# LargeBlob requires UV if it is configured uv = "discouraged" if client.info.options.get("clientPin"): uv = "required" @@ -74,6 +74,10 @@ ) credentials = [auth_data.credential_data] +if auth_data.is_user_verified(): + # The WindowsClient doesn't know about authenticator config until now + uv = "required" + if not result.extension_results.get("largeBlob", {}).get("supported"): print("Credential does not support largeBlob, failure!") sys.exit(1) @@ -81,7 +85,7 @@ print("Credential created! Writing a blob...") # Prepare parameters for getAssertion -request_options, state = server.authenticate_begin(user_verification=uv) +request_options, state = server.authenticate_begin(credentials, user_verification=uv) # Authenticate the credential selection = client.get_assertion( diff --git a/examples/prf.py b/examples/prf.py index 26f2144..a10cbc5 100644 --- a/examples/prf.py +++ b/examples/prf.py 
@@ -65,29 +65,25 @@ auth_data = server.register_complete( state, result.client_data, result.attestation_object ) -credentials = [auth_data.credential_data] +credential = auth_data.credential_data # PRF result: if not result.extension_results.get("prf", {}).get("enabled"): print("Failed to create credential with PRF", result.extension_results) sys.exit(1) -credential = result.attestation_object.auth_data.credential_data print("New credential created, with the PRF extension.") # If created with UV, keep using UV if result.attestation_object.auth_data.is_user_verified(): uv = "required" -# Prepare parameters for getAssertion -allow_list = [{"type": "public-key", "id": credential.credential_id}] - # Generate a salt for PRF: salt = os.urandom(32) print("Authenticate with salt:", salt.hex()) - # Prepare parameters for getAssertion +credentials = [credential] request_options, state = server.authenticate_begin(credentials, user_verification=uv) # Authenticate the credential diff --git a/examples/resident_key.py b/examples/resident_key.py index ede5722..06f77ba 100644 --- a/examples/resident_key.py +++ b/examples/resident_key.py @@ -57,8 +57,12 @@ ) # Create a credential -result = client.make_credential(create_options["publicKey"]) - +result = client.make_credential( + { + **create_options["publicKey"], + "extensions": {"credProps": True}, + } +) # Complete registration auth_data = server.register_complete( @@ -73,6 +77,10 @@ print() print("CREDENTIAL DATA:", auth_data.credential_data) +# credProps: +cred_props = result.extension_results.get("credProps") +print("CredProps", cred_props) + # Prepare parameters for getAssertion request_options, state = server.authenticate_begin(user_verification=uv) diff --git a/fido2/client.py b/fido2/client.py index c8576a7..6f6b4d4 100644 --- a/fido2/client.py +++ b/fido2/client.py 
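Review bot: In examples/prf.py (hunk @@ -65) the credential is now taken from the server-verified `auth_data`, but the unchanged UV check a few lines below still reads `result.attestation_object.auth_data.is_user_verified()`. To match the examples/large_blobs.py change in this same commit, and so the example only acts on data returned by `server.register_complete`, it could read `if auth_data.is_user_verified():`. Both presumably refer to the same authenticator data, so this is a consistency point rather than a behaviour change.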
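Review bot: In examples/resident_key.py (hunk @@ -73) `cred_props` is printed with no indication of what it means or how far it can be trusted. credProps is a client extension output, so it is reported by the client rather than signed by the authenticator, and `.get("credProps")` yields None when the client does not return it; a comment such as `# credProps is client-reported (unsigned) and may be absent; informational only` would make that clear to readers copying the example. In the @@ -57 hunk of the same file, the dict merge replaces any `extensions` already present in `create_options["publicKey"]`, which is harmless only as long as the server sets none.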
@@ -1109,7 +1109,9 @@ def make_credential(self, options, event=None): client_data, options.timeout or 0, selection.resident_key, - attestation, + WebAuthNAuthenticatorAttachment.from_string( + selection.authenticator_attachment or "any" + ), WebAuthNUserVerificationRequirement.from_string( selection.user_verification or "discouraged" ), diff --git a/fido2/win_api.py b/fido2/win_api.py index 57fb154..1c96868 100644 --- a/fido2/win_api.py +++ b/fido2/win_api.py @@ -1046,6 +1046,8 @@ def make_credential( elif "hmacCreateSecret" in extensions and self._allow_hmac_secret: resident_key = True # Windows requires resident key for hmac-secret win_extensions.append(WebAuthNExtension("hmac-secret", BOOL(True))) + else: + extensions = {} if event: t = CancelThread(event)
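Review bot: In fido2/client.py (hunk @@ -1109) the arguments to this call are passed positionally, which is presumably how `attestation` ended up in the slot that now receives the authenticator attachment. Passing these arguments by keyword, using the parameter names from the callee's signature (not visible here), would make a misplaced argument fail loudly instead of being silently interpreted as a different setting. The call starts and continues outside the hunk, so it cannot be confirmed from here whether `attestation` is still passed further down; it is worth checking that the attestation conveyance preference is not dropped by this change.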
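Review bot: In fido2/win_api.py (hunk @@ -1046) the new `else: extensions = {}` discards whatever extensions the caller requested without a comment or any signal to the caller. Since the preceding branch is `elif "hmacCreateSecret" in extensions and self._allow_hmac_secret`, a request for hmacCreateSecret with `_allow_hmac_secret` disabled now also falls into this branch and is silently cleared. A comment along the lines of `# No extension we forward to Windows: clear so none are treated as requested below` (wording to be confirmed against the code after the hunk) would document the intent, and a debug log of the dropped keys would help when diagnosing why an extension result is missing. The start of the if/elif chain and the rest of `make_credential` are outside the hunk.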