What are PublicKeyCredentialRequestOptions in WebAuthn?

PublicKeyCredentialRequestOptions is an important object in the WebAuthn standard, used during the login with a credential. They are essential for the navigator.credential.get() function, providing the necessary data to generate an authentication assertion.

{
    "publicKeyCredentialRequestOptions": {
        "challenge": "pT7HMA-…dFPHk",
        "timeout": 500,
        "rpId": "passkeys.eu",
        "userVerification": "preferred",
        "allowCredentials": [],
        "extensions": []
    }
}

Continue reading for a full breakdown of the components and workings of PublicKeyCredentialRequestOptions.

As shown in the flowchart for the login process, passing publicKeyCredentialRequestOptions to the Frontend is the first step by the Backend during authentication.‍ A crucial part is the cryptographic challenge that is later signed by the authenticator.

Here's a quick explanation of all attributes, as specified in the WebAuthn specification.

    "challenge": "pT7HMA-…dFPHk",

• The cryptographic challenge is a randomly generated base64URL encoded BufferSource that needs to be signed by the authenticator.

    "timeout": 500,

• timeout is an optional value for the time (in milliseconds) the client should wait for the call to complete

    "rpId": "passkeys.eu"

• rpId is the identifier of the Relying Party for the assertion request, usually its domain. Read more in this blog.

    "userVerification": "preferred",

• userVerification is an optional value to specify requirements for user verification during the operation. Possible values are “preferred” (default), “required” or “discouraged”.

    "allowCredentials": [],

• allowCredentials is an optional list of credentials that are allowed for authentication, indicating the caller’s preference by descending order. This list would be filled with PublicKeyCredentialDescriptors, as you can see in this article.

    "extensions": []

• extensions contains optional request(s) for additional processing, such as specific return values. e.g.
  • credProbs requests information on whether the created credential is discoverable
  • prf allows the Relying Party to use outputs from a pseudo-random function (PRF) associated with a credential ‍

• They provide essential data for generating authentication assertions, including a mandatory cryptographic challenge and optional user verification requirements.

• The challenge is a critical security feature that ensures the authenticity of the authentication process and guards against replay attacks.

• Yes, they offer flexibility with optional parameters like timeout and rpId, allowing customization based on specific authentication requirements.

• They both are objects sent by the Backend including a challenge for authentication, but differ regarding their use case. PublicKeyCredentialCreationOptions are used for creating a new credentials, while PublicKeyCredentialRequestOptions are used for the authentication process with an existing credential