Generating authentication options for a unknown user

[Parakoos]

I'm trying to replicate your server example for my own project, and I'm totally confused by something.

First, I'm looking at your example web page.

  <head>
    <script src="https://unpkg.com/@simplewebauthn/browser/dist/bundle/index.es5.umd.min.js"></script>
    <script>
      const { startAuthentication } = SimpleWebAuthnBrowser;
      fetch('/generate-authentication-options')
<!-- snip -->

So the very first thing that happens when the page opens is that we call the server's generate-authentication-options API. At this point, let's assume this is a unauthenticated user who wishes to log in. So... To us, it is a stranger.

What confuses me is that in the example implementation of generate-authentication-options, you seem to assume knowledge of who the user is!

// example/index.ts
app.get('/generate-authentication-options', (req, res) => {
  // You need to know the user by this point          <---- 😲
  const user = inMemoryUserDeviceDB[loggedInUserId];  <---- 😲

  const opts: GenerateAuthenticationOptionsOpts = {
    timeout: 60000,
    allowCredentials: user.devices.map(dev => ({  <---- 😲
      id: dev.credentialID,
      type: 'public-key',
      transports: dev.transports,
    })),
    userVerification: 'required',
    rpID,
  };

  const options = generateAuthenticationOptions(opts);

I must be missing something really obvious here but... I can't work it out. Should we wait for the user to fill in their user name or email address before we start this? If so, why is this being called in the <head>?

[WorldThirteen]

@Parakoos, you might be interested in a similar discussion: #318.

WebAuthn API is suitable for a wide amount of use cases. That includes (but is not limited to):

• Second Factor (after OTP or password for example)
• ReAuthentication for already active session
• Authentication with a known identifier (when a user enters email/username / etc)
• Authentication with an unknown identifier (Discoverable credentials aka resident key)

I believe it is not possible to cover all possible use cases within a single code sample. So the implementation will vary based on the use case.

In case you want to provide your users authentication with a Passkey experience without prompting them to enter their email/username. Then you can modify the sample simply by omitting the allowCredentials option.
Consider specifying the option to prefer a resident key (aka discoverable credential) for registration options. To ensure users can use created credentials without being required to specify them in allowCredentials.

I find this page https://passkeys.dev/docs/use-cases/bootstrapping useful to understand the process you are likely interested in and apply it to the usage of this library.

[Parakoos]

Ah, thank you, that link really helped a lot. And, knowing that the example was showing one of many different scenarios helped me understand that it wasn't 'wrong' of me to implement another one where I did not know the user.

After much work, I finally got this working with the following setup:

• Vue (and Nuxt) front-end
• Firebase Function (Google Cloud Functions) as the server.
• Only allowing discoverable credentials.
• A 'Create Passkey' button for logged in users (with verified email addresses).
• A conditional UI on the E-mail field for those supporting that.
• A 'Sign in with Passkey' button for all users (in case they can do discoverable passkeys but not conditional UI)

Quite happy with it. Feel free to check it out on https://sharedgametimer.com