feat: Add CTAP 2.2 authenticatorSelection (0x0B) API, docs, sample, and tests #480

JMarkstrom wants to merge 8 commits into
Conversation
Test Results: Windows 2 files 2 suites 43s ⏱️ Results for commit abc6cdd. ♻️ This comment has been updated with latest results.

Test Results: Ubuntu 2 files 2 suites 1m 9s ⏱️ Results for commit abc6cdd. ♻️ This comment has been updated with latest results.

Test Results: MacOS 4 files 4 suites 48s ⏱️ Results for commit abc6cdd. ♻️ This comment has been updated with latest results.
@claude Can you address the findings/issues mentioned by @DennisDyallo and @Copilot in this PR?
Claude finished @DennisDyallo's task in 2m 33s.

Addressed Copilot Review Findings

All five issues raised by Copilot have been fixed in commit

- Continue iterating YubiKeys on InvalidCommand instead of returning early; report unsupported-firmware message only after all devices are tried
- Replace hardcoded SW1 literal 0x6F with SW1Constants.NoPreciseDiagnosis in tests
- Fix double space in Fido2Session.AuthenticatorSelection.cs header comment
- Fix grammar: "All YubiKey" → "All YubiKeys" in fido2-commands.md
- Fix typo: "ifUser" → "if User" in authenticator-selection.md

Co-authored-by: Dennis Dyallo <DennisDyallo@users.noreply.github.com>
@equijano21 here are some doc changes and a feature that might interest you :)
@claude can you change the order of this, so that Reset and Exit are the last menu items? Make sure to verify all code paths. What do you want to do?
Claude finished @DennisDyallo's task in 3m 50s.

Reordered Menu Items (Reset & Exit Last)

Two files changed in commit

Since

```csharp
if (menuItem >= Fido2MainMenuItem.MakeCredential
    && menuItem < Fido2MainMenuItem.AuthenticatorSelection)
```

All other code paths (

…e menu Reorder Fido2MainMenuItem enum so AuthenticatorSelection (26) appears before Reset (27) and Exit (29), matching the intended UX where destructive/terminal actions are listed last. Update the "automatic authentication" banner guard in RunMenuItem to use AuthenticatorSelection as its upper bound (instead of Reset) so the banner is not shown for AuthenticatorSelection, Reset, or Exit.

Co-authored-by: Dennis Dyallo <DennisDyallo@users.noreply.github.com>
- Changed section title from "Authenticator selection (CTAP `authenticatorSelection`)" to "Select an authenticator".
- Updated list item from "Authenticator selection" to "Authenticator Selection".
I made some changes. What do you think @JMarkstrom @equijano21?
The CTAP authenticatorSelection (0x0B) command is specified in CTAP 2.1 §6.9, not CTAP 2.2, and YubiKey support for it shipped in firmware 5.5.1 (2020-11-16), not the 5.7 generation. Update all user-facing and in-source references across the SDK, sample app, unit tests, and docs. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Thanks! I'll review in the next couple days.
Review comment on the `### Available` section of `fido2-commands.md`, with a suggested change:

```diff
  ### Available

- YubiKeys with FIDO2 firmware `5.5.1` or later. The underlying command, `authenticatorSelection` (0x0B), is specified in [CTAP 2.1 §6.9](https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html).
+ YubiKeys with FIDO2 firmware `5.5.1` or later. The underlying command, `authenticatorSelection` (0x0B), is specified in [CTAP 2.1 §6.9](https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#authenticatorSelection).
```

Linking directly to section 6.9.
Review comment on the doc comment about cancelling other authenticators:

```csharp
/// Per the CTAP specification, after a successful selection the platform should send cancel
/// to other authenticators. This SDK does not manage multiple devices; callers orchestrate that.
```
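Review bot: "the platform should send cancel to other authenticators" names no mechanism, and "callers orchestrate that" hands the job to the caller without saying what it consists of; state which command is meant and what a caller that still holds connections to the other YubiKeys is expected to do once one key has been selected, otherwise the sentence is not actionable for someone reading only this doc comment.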
I'm assuming this means CTAPHID_CANCEL (0x11). How does a YubiKey receive this command and what does it do after?
Review comment on the `<summary>` in `Fido2Session.AuthenticatorSelection.cs`, with a suggested change:

```diff
- /// Requests User Presence (UP) on this YubiKey so the user can select it for intended use
- /// (CTAP 2.1 §6.9 <c>authenticatorSelection</c>, command byte 0x0B). Requires YubiKey firmware 5.5.1 or later.
+ /// Requests User Presence (UP) on the connected YubiKey so the user may indicate their intention to use the YubiKey by touching it. This method can be useful in situations where a user has more than one YubiKey and the application needs to determine which key to use for a subsequent FIDO2 operation.
+ /// (CTAP 2.1 §6.9 <c>authenticatorSelection</c>, command byte 0x0B). Requires YubiKey firmware 5.5.1 or later.
```
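Review bot: in the suggested text the second line, "(CTAP 2.1 §6.9 <c>authenticatorSelection</c>, command byte 0x0B). Requires YubiKey firmware 5.5.1 or later.", is left as a free-standing parenthetical after the new first sentence already ends with a full stop; attach the spec reference to the preceding sentence, or move it together with the firmware requirement into a <remarks> element, so the <summary> reads as complete sentences.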
Review comment on the `## Authenticator selection` section of `fido2-commands.md`, with a suggested change:

```diff
  ## Authenticator selection

- Request user presence (UP) so the user can indicate _which_ authenticator to use, for example when more than one YubiKey is connected.
+ Request user presence (UP) so the user can indicate _which_ authenticator to use for a subsequent operation. This can be useful in situations where more than one YubiKey is connected.
```

Broke this into two sentences because the original read weirdly to me.
Review comment on the NOTE block in `apdu/authenticator-selection.md`, with a suggested change:

```diff
- > [!NOTE]
- > On the YubiKey, the only user affordance is touch to approve, or no touch until the
- > operation times out. There is no separate deny or cancel control on the security key
- > itself, so when the user does not complete UP you will usually see
- > `CTAP2_ERR_USER_ACTION_TIMEOUT`, not an explicit denial. `CTAP2_ERR_OPERATION_DENIED`
- > may be returned if the user engages a platform dialog to cancel the request.
+ > [!NOTE]
+ > On the YubiKey, the user can either touch the key to select it or wait for the
+ > operation to time out—there is no separate deny or cancel control on the security key
+ > itself. When the user does not complete UP you will usually see
+ > `CTAP2_ERR_USER_ACTION_TIMEOUT`. However, `CTAP2_ERR_OPERATION_DENIED`
+ > may be returned if the user engages a platform dialog to cancel the request.
```

So would the platform dialog be sending the CTAPHID_CANCEL (0x11) command?
Review comment on the `<summary>` in `AuthenticatorSelectionCommand.cs`:

```csharp
namespace Yubico.YubiKey.Fido2.Commands
{
    /// <summary>
    /// Ask the authenticator for User Presence (UP) so the user can select this YubiKey.
```
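Review bot: this <summary> is on the type inside Yubico.YubiKey.Fido2.Commands, not on a method, so copying the session method's wording verbatim would leave "This method can be useful ..." describing a command class; keep the shared first sentence and say "This command" in the second.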
I would just use the same summary as the session method:

> Requests User Presence (UP) on the connected YubiKey so the user may indicate their intention to use the YubiKey by touching it. This method can be useful in situations where a user has more than one YubiKey and the application needs to determine which key to use for a subsequent FIDO2 operation.
@claude Please apply @equijano21's suggestions and push. Leave her questions as pending response from the team. FYI @JMarkstrom
Claude finished @DennisDyallo's task in 1m 52s.

Applied all of @equijano21's code suggestions in commit

Summary of changes

- fido2-commands.md: rewrite authenticator selection description as two sentences; add #authenticatorSelection anchor to CTAP 2.1 §6.9 link
- apdu/authenticator-selection.md: rewrite NOTE block for clarity
- Fido2Session.AuthenticatorSelection.cs: expand summary XML doc
- AuthenticatorSelectionCommand.cs: align summary with session method

Co-authored-by: Dennis Dyallo <DennisDyallo@users.noreply.github.com>
Description

Adds CTAP 2.2 `authenticatorSelection` (command byte `0x0B`) for FIDO2 over the existing CTAP-via-APDU path: payload is the command byte only (no CBOR parameters).

SDK

- `CtapConstants.CtapAuthenticatorSelectionCmd` and `AuthenticatorSelectionCommand`/`AuthenticatorSelectionResponse`.
- `Fido2Session.TryAuthenticatorSelection` using `TouchFingerprintTask` and `KeyEntryRequest.TouchRequest`.
- `OPERATION_DENIED` to a dedicated `ResponseStatusMessages` string for clearer sample/UI text.

FIDO2 sample

- `Fido2AuthenticatorSelection` helper (HID FIDO enumeration, touch to select, `InvalidCommand` handling).
- `Fido2KeyCollectorOperation` and `Fido2SampleKeyCollector` for authenticator-selection touch messaging; update run wiring and YubiKey auto-pick where needed.

Docs

- `fido2-commands.md` and add `apdu/authenticator-selection.md`; cross-link from `fido2-touch-notification.md`.
- `INVALID_COMMAND`, `OPERATION_DENIED` vs `USER_ACTION_TIMEOUT`), and typical YubiKey UX (timeout vs explicit deny).

Tests

Fixes: (none — add `Fixes #123` if you have an issue)

Type of change

How has this been tested?

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration.

Test configuration:

Checklist:

- `dotnet format` to format my code
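The command encoding and the device-iteration rule the PR describes (command byte only, no CBOR; keep trying other keys on INVALID_COMMAND; tell timeout from platform-cancel denial), as an added Python example that is not part of the PR or the Yubico SDK: the command byte, the NFCCTAP_MSG INS and the status codes are CTAP 2.1 values, the `FakeAuthenticator` devices are constructed stand-ins, and the SDK's own C# API (`Fido2Session.TryAuthenticatorSelection`) is not used.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# CTAP 2.1 values: command byte (§6.9), NFCCTAP_MSG INS for CTAP over APDU, status codes.
CTAP_AUTHENTICATOR_SELECTION = 0x0B
NFCCTAP_MSG = 0x10
CTAP2_OK = 0x00
CTAP1_ERR_INVALID_COMMAND = 0x01  # firmware that does not implement the command
CTAP2_ERR_OPERATION_DENIED = 0x27
CTAP2_ERR_USER_ACTION_TIMEOUT = 0x2F
SW_OK = b"\x90\x00"

def build_selection_apdu() -> bytes:
    """CLA 80, INS 10, P1 00, P2 00, Lc 01, data 0B: the payload is the command byte only."""
    return bytes([0x80, NFCCTAP_MSG, 0x00, 0x00, 0x01, CTAP_AUTHENTICATOR_SELECTION])

def parse_ctap_status(rapdu: bytes) -> int:
    """The CTAP status byte leads the response data; SW1SW2 trails it."""
    if len(rapdu) < 3 or rapdu[-2:] != SW_OK:
        raise ValueError("transport-level failure, no CTAP status to read")
    return rapdu[0]

@dataclass
class FakeAuthenticator:
    """Constructed stand-in for a connected key: answers with a canned CTAP status."""
    name: str
    canned_status: int

    def transmit(self, apdu: bytes) -> bytes:
        assert apdu == build_selection_apdu(), "stand-in only understands 0x0B"
        return bytes([self.canned_status]) + SW_OK

def select_authenticator(devices: List[FakeAuthenticator]) -> Tuple[Optional[str], str]:
    """Try each connected key in turn, following the rule from the PR: keep going on
    INVALID_COMMAND and report unsupported firmware only after every key was tried."""
    unsupported = 0
    outcome = "no device selected"
    for dev in devices:
        status = parse_ctap_status(dev.transmit(build_selection_apdu()))
        if status == CTAP2_OK:
            return dev.name, "selected"  # this key was touched
        if status == CTAP1_ERR_INVALID_COMMAND:
            unsupported += 1
            continue  # older firmware: try the next key
        outcome = {CTAP2_ERR_USER_ACTION_TIMEOUT: "timed out waiting for touch",
                   CTAP2_ERR_OPERATION_DENIED: "denied via platform cancel",
                   }.get(status, f"ctap error 0x{status:02X}")
    if devices and unsupported == len(devices):
        outcome = "unsupported firmware on every device"
    return None, outcome
```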