Skip to content

Commit d084ee4

Browse files
committed
SDKS-5120: Allow configurable authenticationValidityDuration in DeviceBindingCallback and DeviceSigningVerifierCallback
1 parent da60801 commit d084ee4

6 files changed

Lines changed: 121 additions & 28 deletions

File tree

forgerock-auth/src/main/java/org/forgerock/android/auth/callback/DeviceBindingCallback.kt

Lines changed: 7 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -104,6 +104,12 @@ open class DeviceBindingCallback : AbstractCallback, Binding {
104104
lateinit var attestation: Attestation
105105
private set
106106

107+
/**
108+
* The duration (in seconds) for which the generated key remains valid for user authentication.
109+
* Passed to [CryptoKey] during key generation. Defaults to 5 seconds.
110+
*/
111+
var authenticationValidityDuration: Int = 5
112+
107113
init {
108114
//If attestation is not provided, default to NONE
109115
if (!::attestation.isInitialized) {
@@ -222,7 +228,7 @@ open class DeviceBindingCallback : AbstractCallback, Binding {
222228
.build().identifier,
223229
prompt: Prompt? = null) {
224230

225-
deviceAuthenticator.initialize(userId, prompt ?: Prompt(title, subtitle, description))
231+
deviceAuthenticator.initialize(userId, authenticationValidityDuration, prompt ?: Prompt(title, subtitle, description))
226232

227233
if (deviceAuthenticator.isSupported(context, attestation).not()) {
228234
handleException(DeviceBindingException(Unsupported()))

forgerock-auth/src/main/java/org/forgerock/android/auth/callback/DeviceSigningVerifierCallback.kt

Lines changed: 7 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -114,6 +114,12 @@ open class DeviceSigningVerifierCallback : AbstractCallback, Binding {
114114
super.setValue(clientError, 1)
115115
}
116116

117+
/**
118+
* The duration (in seconds) for which the generated key remains valid for user authentication.
119+
* Passed to the underlying crypto key during key generation. Defaults to 5 seconds.
120+
*/
121+
var authenticationValidityDuration: Int = 5
122+
117123
/**
118124
* Sign the challenge with bounded device keys.
119125
*
@@ -178,7 +184,7 @@ open class DeviceSigningVerifierCallback : AbstractCallback, Binding {
178184
customClaims: Map<String, Any> = emptyMap(),
179185
prompt: Prompt? = null) {
180186

181-
deviceAuthenticator.initialize(userKey.userId, prompt?: Prompt(title, subtitle, description))
187+
deviceAuthenticator.initialize(userKey.userId, authenticationValidityDuration, prompt?: Prompt(title, subtitle, description))
182188

183189
if (deviceAuthenticator.isSupported(context).not()) {
184190
handleException(DeviceBindingException(Unsupported()))

forgerock-auth/src/main/java/org/forgerock/android/auth/devicebind/DeviceBindAuthenticators.kt

Lines changed: 26 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -72,7 +72,10 @@ interface DeviceAuthenticator {
7272
* @param kid Generated kid from the Preference
7373
* @param userId userId received from server
7474
* @param challenge challenge received from server
75-
* @param customClaims A map of custom claims to be added to the jws payload
75+
* @param expiration token expiration time
76+
* @param attestation Attestation type to decide whether to include certificate chain in the JWS header
77+
*
78+
* @return the signed JWT as String
7679
*/
7780
fun sign(context: Context,
7881
keyPair: KeyPair,
@@ -89,7 +92,7 @@ interface DeviceAuthenticator {
8992
if (attestation !is Attestation.None) {
9093
builder.x509CertChain(getCertificateChain(userId))
9194
}
92-
val jwk = builder.build();
95+
val jwk = builder.build()
9396
val signedJWT = SignedJWT(JWSHeader.Builder(parse(getAlgorithm()))
9497
.keyID(kid).jwk(jwk).build(),
9598
JWTClaimsSet.Builder().subject(userId)
@@ -210,7 +213,16 @@ interface DeviceAuthenticator {
210213

211214
}
212215

213-
fun DeviceAuthenticator.initialize(userId: String, prompt: Prompt): DeviceAuthenticator {
216+
/**
217+
* Initialize the DeviceAuthenticator with userId, authentication validity duration and prompt
218+
* @param userId The user ID for which the keys will be generated.
219+
* @param authenticationValidityDuration The duration (in seconds) for which the generated key remains valid
220+
* for user authentication. Passed to the underlying crypto key during key generation. Defaults to 5 seconds.
221+
* @param prompt The Prompt to modify the title, subtitle, description
222+
*
223+
* @return The initialized DeviceAuthenticator instance.
224+
*/
225+
fun DeviceAuthenticator.initialize(userId: String, authenticationValidityDuration: Int, prompt: Prompt): DeviceAuthenticator {
214226

215227
//Inject objects
216228
if (this is BiometricAuthenticator) {
@@ -219,15 +231,23 @@ fun DeviceAuthenticator.initialize(userId: String, prompt: Prompt): DeviceAuthen
219231
prompt.description,
220232
deviceBindAuthenticationType = this.type()))
221233
}
222-
initialize(userId)
234+
initialize(userId, authenticationValidityDuration)
223235
this.prompt(prompt)
224236
return this
225237
}
226238

227-
fun DeviceAuthenticator.initialize(userId: String): DeviceAuthenticator {
239+
/**
240+
* Initialize the DeviceAuthenticator with userId and authentication validity duration
241+
* @param userId The user ID for which the keys will be generated.
242+
* @param authenticationValidityDuration The duration (in seconds) for which the generated key remains valid
243+
* for user authentication. Passed to the underlying crypto key during key generation. Defaults to 5 seconds.
244+
*
245+
* @return The initialized DeviceAuthenticator instance.
246+
*/
247+
fun DeviceAuthenticator.initialize(userId: String, authenticationValidityDuration: Int = 5): DeviceAuthenticator {
228248
//Inject objects
229249
if (this is CryptoAware) {
230-
this.setKey(CryptoKey(userId))
250+
this.setKey(CryptoKey(userId, authenticationValidityDuration))
231251
}
232252
return this
233253
}

0 commit comments

Comments
 (0)