Shared Structures

This chapter describes all attributes that are shared among the different operations and services.

The attributes refer to various types or structures of information (for example, some attributes define the (operation) header; others define the channel binding). All attributes belonging to the same information type or structure are listed in one dictionary (e.g., the OperationHeader Dictionary or the ChannelBinding Dictionary).

Version

The Version attributes refer to the UAF protocol version.

Attribute	Type	Description	Optional
major	number	Major version, must be 1.	false
minor	number	Minor version, must be 1.	false

info

nevisFIDO only supports the FIDO UAF protocol version 1.1.

Operation Header

The Operation Header attributes define the operation header of UAF request and response messages.

Attribute	Type	Description	Optional
upv	Version	Refers to the UAF protocol version. For details, see the Version dictionary.	false
op	String	Name of the FIDO operation this message relates to.	false
appID	String	The application identifier that the relying party would like to assert.	true
serverData	String	A session identifier created by the relying party.	true
exts	Extension[]	Defines a list of UAF message extensions. For details, see the Extension dictionary.	true

Extension

The Extension attributes define (UAF) extensions to the operation header. The extension attributes are set in the operation header attribute exts (see also the Operation Header dictionary).

Attribute	Type	Description	Optional
id	String	Identifies the extension.	false
data	String	Contains arbitrary data with semantics agreed between the server and client. Binary data is base64url-encoded. This field may be empty.	false
fail_if_unknown	Boolean	Indicates whether unknown extensions must be ignored (false) or must lead to an error (true).	false

Proprietary Extensions

Currently, there is one proprietary extension, the Session ID Extension. This extension contains a unique session identifier. This unique session identifier can be used to query the current authentication status of the FIDO session through the Status Service.

The Session ID Extension has the following settings:

id ch.nevis.auth.fido.uaf.sessionid

data \<unique session identifier>

fail_if_unknown false

Example:

{
  "id": "ch.nevis.auth.fido.uaf.sessionid",
  "data": "d61e461e-c597-4ed3-9d71-12d1c0e3556c",
  "fail_if_unknown": false
}

Final Challenge Parameters

The Final Challenge parameters (or attributes) define all information required for the server to verify the final challenge. For a description of the final challenge parameters, see the FinalChallengeParams dictionary below.

The final challenge parameters are sent in the request messages of the Registration and Authentication Response Services, as a base64url-encoded UTF-8 string. The corresponding attribute is fcParams. For more information, see the chapters Registration Response Service and Authentication Response Service.

Attribute	Type	Description	Optional
appID	String	The application ID. The value must be taken from the appID field/attribute of the operation header (see also Operation Header dictionary).	false
challenge	String	The challenge. The value must be taken from the challenge field/attribute of the request (e.g., RegistrationRequest.challenge, AuthenticationRequest.challenge - see also Registration Request dictionary and Authentication Request dictionary).	false
facetID	String	The facet ID. The value is determined by the FIDO client and depends on the calling application.	false
channelBinding	ChannelBinding	This attribute contains the TLS information that the FIDO client must send to the FIDO server. The server needs this information to bind the TLS channel to the FIDO operation. The value of this attribute is defined by the Channel Binding attributes. For more information on the channel binding attributes, see Channel Binding dictionary.	false

Channel Binding

The Channel Binding attributes specify the binding of the TLS channel to the FIDO operation. For a description of the channel binding attributes, see the ChannelBinding dictionary below.

The channel binding information is part of the final challenge information. The channel binding attributes are set in the final challenge parameter channelBinding.

Attribute	Type	Description	Optional
serverEndPoint	String	If the TLS server certificate is available, the attribute serverEndPoint must be set to the base64url-encoded hash of the certificate. If the certificate is not available or the hash cannot be determined, the attribute must be absent.	true
tlsServerCertificate	String	The attribute tlsServerCertificate is set to the base64url-encoded, DER-encoded TLS server certificate. If this data is not available to the FIDO Client, the attribute must be absent.	true
tlsUnique	String	The attribute tlsUnique is set to the base64url-encoded TLS channel Finished structure. If this data is not available to the FIDO client, the attribute must be absent.	true
cid_pubkey	String	The attribute cid_pubkey is set to the base64url-encoded serialized JwkKey structure using UTF-8 encoding. Set the attribute to "unused", if the TLS ChannelID information is supported by the client-side TLS stack but has not been signaled by the TLS (web) server. The attribute must be absent, if the client TLS stack does not provide TLS ChannelID information at all to the processing entity (e.g., the web browser or client application).	true

UAF Status Codes

The UAF status codes indicate the result of the UAF operation at the FIDO server side. They are included in the response messages.

The table below describes the UAF status codes.

Code	Meaning
1200	OK Operation completed.
1202	Accepted Message accepted, but not completed at this time.
1400	Bad Request The server did not understand the message.
1401	Unauthorized The username must be authenticated to perform this operation, or the key ID is not associated with this username.
1403	Forbidden The username is not allowed to perform this operation. The client should not retry.
1404	Not Found
1408	Request Timeout
1480	Unknown AAID The server was unable to locate authoritative metadata for the AAID (Authenticator Attestation ID).
1481	Unknown Key ID The server was unable to locate a registration for the given username and key ID combination. This error indicates that there is an invalid registration on the user’s device. When this error occurs, it is recommended that the FIDO client deletes the key from the local device.
1490	Channel Binding Refused The server refused to service the request due to missing or mismatched channel binding(s).
1491	Request Invalid The server refused to service the request because the request message nonce was unknown, expired or the server has previously serviced a message with the same nonce and username.
1492	Unacceptable Authenticator The authenticator is not acceptable according to the server’s policy, for example because the capability registry used by the server reported different capabilities than those reported at the client-side discovery.
1493	Revoked Authenticator The authenticator is considered revoked by the server.
1494	Unacceptable Key The used key is unacceptable, for example because it is on a list of known weak keys or uses insecure parameter choices.
1495	Unacceptable Algorithm The server believes the authenticator to be capable of using a stronger mutually-agreeable algorithm than was presented in the request.
1496	Unacceptable Attestation The attestation(s) provided were not accepted by the server.
1497	Unacceptable Client Capabilities The server was unable or unwilling to use required capabilities provided supplementary to the authenticator by the client software.
1498	Unacceptable Content There was a problem with the contents of the message and the server was unwilling or unable to process it.
1500	Internal Server Error

Client Error Codes

info

The client error codes are generated by the FIDO UAF client, which is not part of the nevisFIDO product. This means that also these client error codes are not part of nevisFIDO. Therefore, the following descriptions of the client error codes are based on the client error code descriptions in the official FIDO UAF documentation (and do not come from our own developers). For more information, refer to FIDO UAF client error codes .

The client error codes show the result of an UAF operation on the FIDO client side. The client error codes are included in the SendUAFResponse sent by the client to the FIDO server. They are exposed by the Status Service.

The table below describes the client error codes.

Code	Meaning
0	No Error The operation has been completed without encountering any error condition.
1	Wait User Action Waiting for the user to perform a certain action, for example, to select an authenticator in the FIDO client user interface, to perform verification, or to complete an enrollment step with an authenticator.
2	Insecure Transport Indicates that the transport is insecure. For example, the value of the window.location.protocol object is not "HTTPS", or the Document Object Model DOM contains insecure mixed content.
3	User Cancelled The user declined any part of the interaction necessary to complete the registration.
4	Unsupported Version The UAF message does not include a protocol version supported by this FIDO UAF client.
5	No Suitable Authenticator There is no authenticator available that matches the authenticator policy specified in the UAF message. Another possibility is that the user declined to consent to the use of a suitable authenticator.
6	Protocol Error A violation of the UAF protocol occurred. For example, the interaction may have timed out, the origin associated with the message may not match the origin of the calling DOM context, or the protocol message may be malformed or tampered with.
7	Untrusted Facet ID The client declined to process the operation. This is because the caller’s calculated facet identifier was missing from the list of trusted application identifiers specified in the request message.
9	Key Disappeared Permanently Indicates that the UAuth key disappeared from the authenticator and cannot be restored.
12	Authenticator Access Denied The authenticator denied access to the resulting request.
13	Invalid Transaction Content Transaction content cannot be rendered. For example, the format does not fit the authenticator’s need.
14	User Not Responsive The user took too long to follow an instruction. For example, the user did not swipe the finger within the accepted time frame.
15	Insufficient Authenticator Resources Indicates that the authenticator has not enough resources to perform the requested task.
16	User Lockout If a user produces too many failed verification attempts, he/she will be locked. Usually, the user must perform an unlock operation to re-enable the main verification method. Such an unlock operation could be, for example, an alternative password authentication. This error code indicates that either such an unlock operation does not exist, or that the ASM/authenticator cannot automatically trigger it. The error code will be reported.
17	User Not Enrolled The operation failed because the user is not enrolled, and the authenticator cannot automatically trigger user enrollment.
255	Unknown Indicates an error condition not described by the above-listed codes.

ASM Status Codes

info

The ASM status codes are generated by the authenticator module of the FIDO UAF client, which is not part of the nevisFIDO product. This means that also these ASM status codes are not part of nevisFIDO. Therefore, the following descriptions of the ASM status codes are based on the ASM status code descriptions in the official FIDO UAF documentation (and do not come from our own developers). For more information, refer to FIDO UAF ASM status codes .

The ASM status codes show the result of an UAF operation at the FIDO client side, on the level of the authenticator module (ASM = authenticator-specific module). The ASM status codes are included in the SendUAFResponse object sent by the client to the FIDO server. They are exposed by the Status Service.

The table below describes the ASM status codes.

Code	Meaning
0	OK No error condition encountered.
1	Error An unknown error has been encountered during the processing.
2	Access Denied Access to this request is denied.
3	User Cancelled Indicates that the user explicitly canceled the request.
4	Cannot Render Transaction Content Transaction content cannot be rendered. For example, the format does not fit the authenticator’s need.
9	Key Disappeared Permanently Indicates that the UAuth key disappeared from the authenticator and cannot be restored.
11	Authenticator Disconnected Indicates that the authenticator is no longer connected to the ASM.
14	User not Responsive The user took too long to follow an instruction. For example, the user did not swipe the finger within the accepted time frame.
15	Insufficient Authentication Resources The authenticator has not enough resources to perform the requested task.
16	User Lockout If a user produces too many failed verification attempts, he/she will be locked. Usually, the user must perform an unlock operation to re-enable the main verification method. Such an unlock operation could be, for example, an alternative password authentication. This error code indicates that either such an unlock operation does not exist, or that the ASM/authenticator cannot automatically trigger it. The error code will be reported.
17	User not Enrolled The operation failed because the user is not enrolled, and the authenticator cannot automatically trigger user enrollment.

Authenticators

The Authenticator attributes contain information about the authenticators.

• In the case of a successfully completed registration or authentication, the Authenticator attributes refer to the authenticators used to generate the validated assertions.
• In the case of deregistration, the Authenticator attributes refer to the deregistered authenticators.

This information is exposed by the Status Service.

Attribute	Type	Description	Optional
aaid	String	The AAID of the authenticator used to generate the assertions.	false