Add .isUserVerified() to RegistrationResult and AssertionResult

Author: emlun

NEWS

@@ -1,5 +1,9 @@
-== Version 2.4.2 (unreleased) ==
+== Version 2.5.0 (unreleased) ==
 
+New features:
+
+* Added method `.isUserVerified()` to `RegistrationResult` and `AssertionResult`
+  as a shortcut for accessing the UV flag in authenticator data.
 * Updated README and JavaDoc to use the "passkey" term and provide more guidance
   around passkey use cases.
 

README

@@ -489,6 +489,50 @@ PublicKeyCredentialCreationOptions request = rp.startRegistration(
     .build());
 ----------
 
+You can also request that user verification be used if possible, but is not required:
+
+[source,java]
+----------
+PublicKeyCredentialCreationOptions request = rp.startRegistration(
+  StartRegistrationOptions.builder()
+    .user(/* ... */)
+    .authenticatorSelection(AuthenticatorSelectionCriteria.builder()
+        .userVerification(UserVerificationRequirement.PREFERRED)
+        .build())
+    .build());
+
+AssertionRequest request = rp.startAssertion(StartAssertionOptions.builder()
+    .username("alice")
+    .userVerification(UserVerificationRequirement.PREFERRED)
+    .build());
+----------
+
+In this case
+link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.4.1/com/yubico/webauthn/RelyingParty.html#finishRegistration(com.yubico.webauthn.FinishRegistrationOptions)[`RelyingParty.finishRegistration(...)`]
+and
+link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.4.1/com/yubico/webauthn/RelyingParty.html#finishAssertion(com.yubico.webauthn.FinishAssertionOptions)[`RelyingParty.finishAssertion(...)`]
+will NOT enforce user verification,
+but instead the `isUserVerified()` method of
+link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.0/com/yubico/webauthn/RegistrationResult.html[`RegistrationResult`]
+and
+link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/2.5.0/com/yubico/webauthn/AssertionResult.html[`AssertionResult`]
+will tell whether user verification was used.
+
+For example, you could prompt for a password as the second factor if `isUserVerified()` returns `false`:
+
+[source,java]
+----------
+AssertionResult result = rp.finishAssertion(/* ... */);
+
+if (result.isSuccess()) {
+    if (result.isUserVerified()) {
+        return successfulLogin(result.getUsername());
+    } else {
+        return passwordRequired(result.getUsername());
+    }
+}
+----------
+
 User verification can be used with both discoverable credentials (passkeys) and non-discoverable credentials.
 
 

webauthn-server-core/src/main/java/com/yubico/webauthn/AssertionResult.java

@@ -31,6 +31,8 @@
 import com.yubico.webauthn.data.AuthenticatorAssertionResponse;
 import com.yubico.webauthn.data.AuthenticatorAttachment;
 import com.yubico.webauthn.data.AuthenticatorData;
+import com.yubico.webauthn.data.AuthenticatorDataFlags;
+import com.yubico.webauthn.data.AuthenticatorResponse;
 import com.yubico.webauthn.data.ByteArray;
 import com.yubico.webauthn.data.ClientAssertionExtensionOutputs;
 import com.yubico.webauthn.data.PublicKeyCredential;
@@ -144,6 +146,25 @@ public ByteArray getUserHandle() {
     return credential.getUserHandle();
   }
 
+  /**
+   * Check whether the <a href="https://www.w3.org/TR/webauthn/#user-verification">user
+   * verification</a> as performed during the authentication ceremony.
+   *
+   * <p>This flag is also available via <code>
+   * {@link PublicKeyCredential}.{@link PublicKeyCredential#getResponse() getResponse()}.{@link AuthenticatorResponse#getParsedAuthenticatorData() getParsedAuthenticatorData()}.{@link AuthenticatorData#getFlags() getFlags()}.{@link AuthenticatorDataFlags#UV UV}
+   * </code>.
+   *
+   * @return <code>true</code> if and only if the authenticator claims to have performed user
+   *     verification during the authentication ceremony.
+   * @see <a href="https://www.w3.org/TR/webauthn/#user-verification">User Verification</a>
+   * @see <a href="https://w3c.github.io/webauthn/#authdata-flags-uv">UV flag in §6.1. Authenticator
+   *     Data</a>
+   */
+  @JsonIgnore
+  public boolean isUserVerified() {
+    return credentialResponse.getResponse().getParsedAuthenticatorData().getFlags().UV;
+  }
+
   /**
    * Check whether the asserted credential is <a
    * href="https://w3c.github.io/webauthn/#backup-eligible">backup eligible</a>, using the <a

webauthn-server-core/src/main/java/com/yubico/webauthn/RegistrationResult.java

@@ -33,7 +33,10 @@
 import com.yubico.webauthn.data.AttestationType;
 import com.yubico.webauthn.data.AuthenticatorAttachment;
 import com.yubico.webauthn.data.AuthenticatorAttestationResponse;
+import com.yubico.webauthn.data.AuthenticatorData;
+import com.yubico.webauthn.data.AuthenticatorDataFlags;
 import com.yubico.webauthn.data.AuthenticatorRegistrationExtensionOutputs;
+import com.yubico.webauthn.data.AuthenticatorResponse;
 import com.yubico.webauthn.data.ByteArray;
 import com.yubico.webauthn.data.ClientRegistrationExtensionOutputs;
 import com.yubico.webauthn.data.PublicKeyCredential;
@@ -125,6 +128,25 @@ private static RegistrationResult fromJson(
                     .collect(Collectors.toList())));
   }
 
+  /**
+   * Check whether the <a href="https://www.w3.org/TR/webauthn/#user-verification">user
+   * verification</a> as performed during the registration ceremony.
+   *
+   * <p>This flag is also available via <code>
+   * {@link PublicKeyCredential}.{@link PublicKeyCredential#getResponse() getResponse()}.{@link AuthenticatorResponse#getParsedAuthenticatorData() getParsedAuthenticatorData()}.{@link AuthenticatorData#getFlags() getFlags()}.{@link AuthenticatorDataFlags#UV UV}
+   * </code>.
+   *
+   * @return <code>true</code> if and only if the authenticator claims to have performed user
+   *     verification during the registration ceremony.
+   * @see <a href="https://www.w3.org/TR/webauthn/#user-verification">User Verification</a>
+   * @see <a href="https://w3c.github.io/webauthn/#authdata-flags-uv">UV flag in §6.1. Authenticator
+   *     Data</a>
+   */
+  @JsonIgnore
+  public boolean isUserVerified() {
+    return credential.getResponse().getParsedAuthenticatorData().getFlags().UV;
+  }
+
   /**
    * Check whether the created credential is <a
    * href="https://w3c.github.io/webauthn/#backup-eligible">backup eligible</a>, using the <a

webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyAssertionSpec.scala

@@ -2575,6 +2575,43 @@ class RelyingPartyAssertionSpec
             .username(user.getName)
             .build()
 
+          it("exposes isUserVerified() with the UV flag value in authenticator data.") {
+            val pkcWithoutUv =
+              TestAuthenticator.createAssertion(
+                flags = Some(new AuthenticatorDataFlags(0x00.toByte)),
+                challenge =
+                  request.getPublicKeyCredentialRequestOptions.getChallenge,
+                credentialKey = credentialKeypair,
+                credentialId = credential.getId,
+              )
+            val pkcWithUv =
+              TestAuthenticator.createAssertion(
+                flags = Some(new AuthenticatorDataFlags(0x04.toByte)),
+                challenge =
+                  request.getPublicKeyCredentialRequestOptions.getChallenge,
+                credentialKey = credentialKeypair,
+                credentialId = credential.getId,
+              )
+
+            val resultWithoutUv = rp.finishAssertion(
+              FinishAssertionOptions
+                .builder()
+                .request(request)
+                .response(pkcWithoutUv)
+                .build()
+            )
+            val resultWithUv = rp.finishAssertion(
+              FinishAssertionOptions
+                .builder()
+                .request(request)
+                .response(pkcWithUv)
+                .build()
+            )
+
+            resultWithoutUv.isUserVerified should be(false)
+            resultWithUv.isUserVerified should be(true)
+          }
+
           it("exposes isBackupEligible() with the BE flag value in authenticator data.") {
             val pkcWithoutBackup =
               TestAuthenticator.createAssertion(

webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyRegistrationSpec.scala

@@ -4623,6 +4623,37 @@ class RelyingPartyRegistrationSpec
           .pubKeyCredParams(List(PublicKeyCredentialParameters.ES256).asJava)
           .build()
 
+        it("exposes isUserVerified() with the UV flag value in authenticator data.") {
+          val (pkcWithoutUv, _, _) =
+            TestAuthenticator.createUnattestedCredential(
+              flags = Some(new AuthenticatorDataFlags(0x00.toByte)),
+              challenge = request.getChallenge,
+            )
+          val (pkcWithUv, _, _) =
+            TestAuthenticator.createUnattestedCredential(
+              flags = Some(new AuthenticatorDataFlags(0x04.toByte)),
+              challenge = request.getChallenge,
+            )
+
+          val resultWithoutUv = rp.finishRegistration(
+            FinishRegistrationOptions
+              .builder()
+              .request(request)
+              .response(pkcWithoutUv)
+              .build()
+          )
+          val resultWithUv = rp.finishRegistration(
+            FinishRegistrationOptions
+              .builder()
+              .request(request)
+              .response(pkcWithUv)
+              .build()
+          )
+
+          resultWithoutUv.isUserVerified should be(false)
+          resultWithUv.isUserVerified should be(true)
+        }
+
         it("exposes isBackupEligible() with the BE flag value in authenticator data.") {
           val (pkcWithoutBackup, _, _) =
             TestAuthenticator.createUnattestedCredential(