PasswordLessAuth Information Flow

PasswordLessAuth.

This flow allows a user to retrieve information about the authentication setup of the server. This flow is used for the clients of a service to know about the type of setting that the server accepts for authentication. The information retrieved includes the following elements:

- accepted_keys: type(s) and length(s) of keys that the server accepts, as an array of objects containing the key types associated to an array of possible key lengths. PasswordLessAuth has been designed to work in many different scenarios, from mobile apps to web frameworks, desktop applications and more, so the authentication service must specify which kinds of keys it’s able to process and accept. See “Types of Keys Allowed” below for a detailed explanation on accepted keys.

- authentication_mode: a string indicating the type of authentication that the server requires for its clients. Valid values are “strict” and “lax”. Strict authentication requires the client to ask for a biometric identification for all sign operations. This has been specified in the flow diagrams with an icon of a hand touching a sensor. Lax authentication doesn’t rely on biometric sensors, so the device is responsible for keeping the key-pair (specially the private key) securely stored.

- accepts_nonce: this is a boolean specifying if the server accepts being sent a security nonce by some requests from the clients in order for them to verify the identity of the server. If set to true, the server must be ready to sign and respond with the signed security nonces in some flows as specified in the previous section.

Alongside the server accepted settings, the response includes the key of the server, including all information needed to manage it. Thus, the clients always can check that they are communicating with the right authentication service.

The “key” object contains the following information:

- public_key: The data for the public key, base64 encoded.

- key_type: The type of key (one of “ec”, “rsa” or “raw”).

- key_length: Length of the key (256, 384, 1024, 2048, 4096…).

- server_signature_algorithm: The signature algorithm the server is using for signing the nonces and other information used to verify its identity. This algorithm must be taken into account by the clients in order to verify the signatures sent by the authentication service.

- certificate: the public certificate of the server.

The flow is simple, the user’s device sends a GET /pwless/info request to the authentication service. This request doesn’t need any authentication.

Request and Response

GET /pwless/info
{}

Response: 200 OK
{
   “success”: true, 
   “code”: “success”,
   “settings”: {
      “accepted_keys”: {
        “rsa” : {“key_length”: [2048, 4096], “signature_algorithm”: [“SHA1”]},
        “ec” : {“key_length”: [256], “signature_algorithm”: [“ecdsa-with-SHA1”]}
      },
      “authentication_mode”: “strict”,
      “accepts_nonce”: true,
  },
   “public_key”: {
      “key_data”: “87wcqw07yqw078dmqwkvh7d98fs98dnfvaa98uvs9w738vj==”,
      “key_type”: “rsa”,
      “key_length”: 2048,
      “signature_algorithm”: “sha1”,
      “certificate”: “ndskjgndkjfgnsdfgs..as4k2dj234fh287a==”
   }
}
Back to Flows

Want to know more? Join our newsletter.

Find us on Facebook

We are also on Twitter

Oh, and on Github too