Merge PR #234

examples/cred_blob.py

@@ -82,9 +82,9 @@ def request_uv(self, permissions, rd_id):
         sys.exit(1)
 
     # Prefer UV token if supported
-    if client.info.options.get("pinUvAuthToken") or client.info.options.get("uv"):
+    if client.info.options.get("uv") or client.info.options.get("bioEnroll"):
         uv = "preferred"
-        print("Authenticator supports UV token")
+        print("Authenticator is configured for User Verification")
 
 
 server = Fido2Server({"id": "example.com", "name": "Example RP"})

examples/credential.py

@@ -79,7 +79,7 @@ def request_uv(self, permissions, rd_id):
     client = Fido2Client(dev, "https://example.com", user_interaction=CliInteraction())
 
     # Prefer UV if supported and configured
-    if client.info.options.get("uv") or client.info.options.get("pinUvAuthToken"):
+    if client.info.options.get("uv") or client.info.options.get("bioEnroll"):
         uv = "preferred"
         print("Authenticator supports User Verification")
 

examples/large_blobs.py

@@ -88,9 +88,9 @@ def request_uv(self, permissions, rd_id):
         sys.exit(1)
 
     # Prefer UV token if supported
-    if client.info.options.get("pinUvAuthToken") or client.info.options.get("uv"):
+    if client.info.options.get("uv") or client.info.options.get("bioEnroll"):
         uv = "preferred"
-        print("Authenticator supports UV token")
+        print("Authenticator is configured for User Verification")
 
 
 server = Fido2Server({"id": "example.com", "name": "Example RP"})

examples/prf.py

@@ -33,6 +33,7 @@
 from fido2.hid import CtapHidDevice
 from fido2.server import Fido2Server
 from fido2.client import Fido2Client, WindowsClient, UserInteraction
+from fido2.utils import websafe_encode
 from getpass import getpass
 import ctypes
 import sys
@@ -119,6 +120,10 @@ def request_uv(self, permissions, rd_id):
 credential = result.attestation_object.auth_data.credential_data
 print("New credential created, with the PRF extension.")
 
+# If created with UV, keep using UV
+if result.attestation_object.auth_data.is_user_verified():
+    uv = "required"
+
 # Prepare parameters for getAssertion
 allow_list = [{"type": "public-key", "id": credential.credential_id}]
 
@@ -144,18 +149,30 @@ def request_uv(self, permissions, rd_id):
 output1 = result.extension_results["prf"]["results"]["first"]
 print("Authenticated, secret:", output1.hex())
 
-# Authenticate again, using two salts to generate two secrets:
+# Authenticate again, using two salts to generate two secrets.
+
+# This time we will use evalByCredential, which can be used if there are multiple
+# credentials which use different salts. Here it is not needed, but provided for
+# completeness of the example.
 
 # Generate a second salt for PRF:
 salt2 = os.urandom(32)
 print("Authenticate with second salt:", salt2.hex())
-
 # The first salt is reused, which should result in the same secret.
 
 result = client.get_assertion(
     {
         **request_options["publicKey"],
-        "extensions": {"prf": {"eval": {"first": salt, "second": salt2}}},
+        "extensions": {
+            "prf": {
+                "evalByCredential": {
+                    websafe_encode(credential.credential_id): {
+                        "first": salt,
+                        "second": salt2,
+                    }
+                }
+            }
+        },
     }
 )
 

examples/resident_key.py

@@ -83,9 +83,9 @@ def request_uv(self, permissions, rd_id):
         sys.exit(1)
 
     # Prefer UV if supported and configured
-    if client.info.options.get("uv") or client.info.options.get("pinUvAuthToken"):
+    if client.info.options.get("uv") or client.info.options.get("bioEnroll"):
         uv = "preferred"
-        print("Authenticator supports User Verification")
+        print("Authenticator is configured for User Verification")
 
 server = Fido2Server({"id": "example.com", "name": "Example RP"}, attestation="direct")