Deregistration Request Service
By calling the Deregistration Request Service and requesting a DeregistrationRequest object from the FIDO server, the user/FIDO client initiates the FIDO deregistration process. This chapter describes the request and response messages exchanged between the FIDO client and the FIDO server when calling the Deregistration Request Service.
It is recommended to protect this service using a SecToken.
Base URL
All URLs referenced in this section have the following base:
https://fido.siven.ch/nevisfido/uaf/1.1/request/deregistration
HTTP Methods
POST
is the only supported HTTP method.
Request Headers
The following request headers are mandatory:
Name | Description |
---|---|
Accept | Accept header, must be application/fido+uaf . |
Content-Type | Content type header, must be application/fido+uaf;charset=UTF-8 . |
Request Body
The Deregistration Request Service requires from the FIDO client a JSON payload with a GetUAFRequest object as defined in the FIDO UAF HTTP Transport Specification. The GetUAFRequest object has the following structure:
Attribute | Type | Description | Optional |
---|---|---|---|
op | String | The request operation, must be set to Dereg . | false |
previousRequest | String | If the application is requesting a new UAF request message because the previous one expired, the previous one could be sent to the server. | true |
context | String | The contextual information must be a stringified JSON object that conforms to the Deregistration Context. | false |
The previousRequest parameter is ignored and not handled.
Context
The client must provide the credentials to be deregistered for a specific user in the context part of the GetUAFRequest object. The following three options are available and are selected via the mode attribute:
- username: deregister all credentials associated with the user.
- aaid: deregister all credentials associated with the user and with any of the provided AAIDs.
- aaid_and_keyid: deregister all credentials associated with the user and with any of the provided tuples of AAID and Key ID.
The Context dictionary below lists all attributes that can be included in the context part of the GetUAFRequest object.
Attribute | Type | Description | Optional |
---|---|---|---|
mode | String | The deregistration mode. The value is either username , aaid or aaid_and_keyid . | false |
aaid | String[] | The AAIDs of the credentials to be deregistered. | false (if the deregistration mode is aaid ) |
aaid_and_keyid | AaidAndKeyId[] (see AAID and Key ID dictionary for details) | The AAID and KeyID tuples of the credentials to be deregistered. | false (if the deregistration mode is aaid_and_keyid ) |
username | String | Identity information regarding the user on whose behalf the FIDO client is operating. In the case of the idm credential repository, the accepted type of username (loginId , email , etc.) depends on how the username mapper of the credential repository is configured. | false |
AAID And Key ID Dictionary
Attribute | Type | Description | Optional |
---|---|---|---|
aaid | String | The AAID of the credential to be deregistered. | false |
keyid | String | The base64url-encoded value of the key ID of the credential to be deregistered. | false |
Response Headers
The following response headers will be set:
Name | Description |
---|---|
Content-Type | Content type header, fixed to application/fido+uaf;charset=UTF-8 . |
Response Body
The Deregistration Request Service returns a JSON body with a ReturnUAFRequest object as defined in the FIDO UAF HTTP Transport Specification. The ReturnUAFRequest object has the following structure:
Attribute | Type | Description |
---|---|---|
statusCode | Number | UAF status code for the operation. |
uafRequest | String | The new UAF request message if the server decides to issue one. |
op | String | Hint to the client regarding the operation type of the message, must be set to Dereg . |
The uafRequest part of the ReturnUAFRequest object contains the DeregistrationRequest object. The DeregistrationRequest dictionary includes the attributes that define a DeregistrationRequest object. The following table describes the DeregistrationRequest dictionary:
Attribute | Type | Description | Optional |
---|---|---|---|
header | OperationHeader | The header defines the operation header of the UAF messages coming from the Deregistration Request Service. Within the header, the operation header attributes are specified. For a description of these attributes, see Request Header. Note that the attribute header.op must be set to "Dereg". | false |
authenticators | DeregisterAuthenticator[] | List of authenticators to be deregistered. | false |
nevisFIDO follows the Deregistration Request Generation Rules for FIDO Servers: when the username or aaid deregistration mode is used, it returns empty strings in the authenticators attribute of the DeregistrationRequest instead of concrete AAID and Key ID values (see the username mode example response below). Only the aaid_and_keyid mode yields a DeregistrationRequest that names the exact credentials to remove.
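The following Python client ties the Context dictionary and the Response Body together. It is an added example, not nevisFIDO or Nevis code: it builds the stringified context for each of the three modes, validates the inputs before they are sent, and checks a ReturnUAFRequest the way a FIDO client should before acting on it (UAF status, op at both levels, protocol version, and that the appID is the one this client serves). The URL, headers, status code 1200 and the ch.nevis.auth.fido.uaf.sessionid extension are taken from this page; the tuple key name keyID follows the page's examples; the AAID syntax check (four hex digits, "#", four hex digits) follows the UAF specification. The sample responses are rebuilt from the two example responses on this page so the code runs offline.

```python
import base64
import json
import re
import urllib.request

# Values taken from this page (added example, not nevisFIDO code).
DEREG_URL = "https://fido.siven.ch/nevisfido/uaf/1.1/request/deregistration"
UAF_HEADERS = {"Accept": "application/fido+uaf",
               "Content-Type": "application/fido+uaf;charset=UTF-8"}
UAF_STATUS_OK = 1200
SESSION_EXT_ID = "ch.nevis.auth.fido.uaf.sessionid"
AAID_RE = re.compile(r"[0-9A-Fa-f]{4}#[0-9A-Fa-f]{4}")  # UAF AAID syntax


def is_base64url(value):
    """True if value is a non-empty, unpadded base64url string."""
    if not isinstance(value, str) or not re.fullmatch(r"[A-Za-z0-9_-]+", value):
        return False
    try:
        base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
        return True
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False


def build_get_uaf_request(username, mode, aaids=None, aaid_and_keyid=None):
    """Build the GetUAFRequest body; context is a *stringified* JSON object."""
    if not username:
        raise ValueError("username is mandatory in every mode")
    context = {"username": username, "mode": mode}
    if mode == "username":
        pass  # nothing more: all credentials of the user
    elif mode == "aaid":
        if not aaids or not all(AAID_RE.fullmatch(a) for a in aaids):
            raise ValueError("mode 'aaid' needs one or more well-formed AAIDs")
        context["aaid"] = list(aaids)
    elif mode == "aaid_and_keyid":
        if not aaid_and_keyid:
            raise ValueError("mode 'aaid_and_keyid' needs one or more tuples")
        for t in aaid_and_keyid:
            if not AAID_RE.fullmatch(t.get("aaid", "")) or not is_base64url(t.get("keyID")):
                raise ValueError("each tuple needs a well-formed aaid and a base64url keyID")
        context["aaid_and_keyid"] = [{"aaid": t["aaid"], "keyID": t["keyID"]} for t in aaid_and_keyid]
    else:
        raise ValueError("unknown deregistration mode %r" % mode)
    return {"context": json.dumps(context, separators=(",", ":")), "op": "Dereg"}


def send_get_uaf_request(body, url=DEREG_URL):
    """POST the GetUAFRequest (network call; not used by the offline checks)."""
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"),
                                 headers=UAF_HEADERS, method="POST")
    with urllib.request.urlopen(req) as resp:
        ctype = resp.headers.get("Content-Type", "")
        if not ctype.startswith("application/fido+uaf"):
            raise ValueError("unexpected Content-Type %r" % ctype)
        return resp.read().decode("utf-8")


def parse_return_uaf_request(body, expected_app_id):
    """Validate a ReturnUAFRequest; return (authenticators, session_id)."""
    msg = json.loads(body)
    if msg.get("statusCode") != UAF_STATUS_OK:
        raise ValueError("server returned UAF status %r" % msg.get("statusCode"))
    if msg.get("op") != "Dereg":
        raise ValueError("unexpected op %r in ReturnUAFRequest" % msg.get("op"))
    requests = json.loads(msg["uafRequest"])  # a JSON string holding a one-element array
    if not isinstance(requests, list) or len(requests) != 1:
        raise ValueError("expected exactly one DeregistrationRequest")
    dereg = requests[0]
    header = dereg["header"]
    if header.get("op") != "Dereg":
        raise ValueError("header.op must be Dereg, got %r" % header.get("op"))
    if header.get("upv") != {"major": 1, "minor": 1}:
        raise ValueError("unsupported UAF protocol version %r" % header.get("upv"))
    if header.get("appID") != expected_app_id:  # never act on a request for another app
        raise ValueError("appID %r is not ours, refusing" % header.get("appID"))
    session_id = None
    for ext in header.get("exts", []):
        if ext.get("id") == SESSION_EXT_ID:
            session_id = ext.get("data")
    auths = dereg["authenticators"]
    for a in auths:
        # username/aaid modes: empty strings (see the username mode example);
        # aaid_and_keyid mode: concrete aaid + keyID pairs.
        if a["aaid"] != "" and not AAID_RE.fullmatch(a["aaid"]):
            raise ValueError("malformed aaid %r" % a["aaid"])
        if a["keyID"] != "" and not is_base64url(a["keyID"]):
            raise ValueError("malformed keyID for aaid %r" % a["aaid"])
    return auths, session_id


def page_response(session_id, authenticators):
    """Rebuild a response body shaped like the example responses on this page."""
    dereg = {"header": {"upv": {"major": 1, "minor": 1}, "op": "Dereg",
                        "appID": "https://www.siven.ch/appID",
                        "exts": [{"id": SESSION_EXT_ID, "data": session_id,
                                  "fail_if_unknown": False}]},
             "authenticators": authenticators}
    # uafRequest is itself a stringified JSON array, hence the nested dumps.
    return json.dumps({"statusCode": 1200, "uafRequest": json.dumps([dereg]), "op": "Dereg"})
```

Usage: `body = build_get_uaf_request("jeff", "aaid_and_keyid", aaid_and_keyid=[{"aaid": "1234#ABCD", "keyID": "a2V5SWRJbkJhc2U2NA"}])` produces exactly the context string shown in the aaid_and_keyid example request, and `parse_return_uaf_request(send_get_uaf_request(body), "https://www.siven.ch/appID")` returns the authenticators list from the response. The appID comparison is the check that matters most: a DeregistrationRequest is only safe to forward to the authenticator if it was issued for the application this client serves.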
Example Request Using aaid_and_keyid Mode
POST /nevisfido/uaf/1.1/request/deregistration HTTP/1.1
Accept: application/fido+uaf
Content-Type: application/fido+uaf;charset=UTF-8
Host: fido.siven.ch
Content-Length: 168
{
"context" : "{\"username\":\"jeff\",\"mode\":\"aaid_and_keyid\",\"aaid_and_keyid\":[{\"aaid\":\"1234#ABCD\",\"keyID\":\"a2V5SWRJbkJhc2U2NA\"}]}",
"op" : "Dereg"
}
cURL:
$ curl 'https://fido.siven.ch/nevisfido/uaf/1.1/request/deregistration' -i -X POST \
-H 'Accept: application/fido+uaf' \
-H 'Content-Type: application/fido+uaf;charset=UTF-8' \
-d '{
"context" : "{\"username\":\"jeff\",\"mode\":\"aaid_and_keyid\",\"aaid_and_keyid\":[{\"aaid\":\"1234#ABCD\",\"keyID\":\"a2V5SWRJbkJhc2U2NA\"}]}",
"op" : "Dereg"
}'
Example Response Using aaid_and_keyid Mode
HTTP/1.1 200 OK
Date: Mon, 25 Jul 2022 11:30:55 GMT
Content-Type: application/fido+uaf;charset=UTF-8
Transfer-Encoding: chunked
Content-Length: 384
{
"statusCode" : 1200,
"uafRequest" : "[{\"header\":{\"upv\":{\"major\":1,\"minor\":1},\"op\":\"Dereg\",\"appID\":\"https://www.siven.ch/appID\",\"exts\":[{\"id\":\"ch.nevis.auth.fido.uaf.sessionid\",\"data\":\"58a5a35e-fd22-4321-86ed-ad022b97a818\",\"fail_if_unknown\":false}]},\"authenticators\":[{\"aaid\":\"1234#ABCD\",\"keyID\":\"a2V5SWRJbkJhc2U2NA\"}]}]",
"op" : "Dereg"
}
Example Request Using username Mode
POST /nevisfido/uaf/1.1/request/deregistration HTTP/1.1
Accept: application/fido+uaf
Content-Type: application/fido+uaf;charset=UTF-8
Host: fido.siven.ch
Content-Length: 83
{
"context" : "{\"username\":\"jeff\",\"mode\":\"username\"}",
"op" : "Dereg"
}
cURL:
$ curl 'https://fido.siven.ch/nevisfido/uaf/1.1/request/deregistration' -i -X POST \
-H 'Accept: application/fido+uaf' \
-H 'Content-Type: application/fido+uaf;charset=UTF-8' \
-d '{
"context" : "{\"username\":\"jeff\",\"mode\":\"username\"}",
"op" : "Dereg"
}'
Example Response Using username Mode
HTTP/1.1 200 OK
Date: Mon, 25 Jul 2022 11:30:57 GMT
Content-Type: application/fido+uaf;charset=UTF-8
Transfer-Encoding: chunked
Content-Length: 357
{
"statusCode" : 1200,
"uafRequest" : "[{\"header\":{\"upv\":{\"major\":1,\"minor\":1},\"op\":\"Dereg\",\"appID\":\"https://www.siven.ch/appID\",\"exts\":[{\"id\":\"ch.nevis.auth.fido.uaf.sessionid\",\"data\":\"dd934cda-1fdc-4a80-9449-683a4de6ff0d\",\"fail_if_unknown\":false}]},\"authenticators\":[{\"aaid\":\"\",\"keyID\":\"\"}]}]",
"op" : "Dereg"
}
HTTP Status Codes
The following HTTP status codes are returned by the Deregistration Request Service:
HTTP Code | Description |
---|---|
200 | OK. The server processed the request successfully. A ReturnUAFRequest JSON object containing a DeregistrationRequest object is returned. |
405 | Method Not Allowed. The method of the received request was not POST . |
406 | Not Acceptable. The Accept header is not properly set to application/fido+uaf . |
415 | Unsupported Media Type. The Content-Type header is not properly set to application/fido+uaf;charset=UTF-8 . |