- Registration flow:
- app redirects or submits
<form>post to/register - Clarion does key registration work with user
- Clarion redirects user back to a specified callback
- app stores the key information
- app redirects or submits
- Authentication flow:
- app requests Clarion for authentication (POST
/api/authn) - app navigates user to authentication URL presented by Clarion
- Clarion does U2F authentication work
- app polls
/api/authn/:idfor authentication result
- app requests Clarion for authentication (POST
Pro Tips: app could be anything (browser, CLI, etc) and app for registration, and app for authentication may be different.
application/json
{
"name": "alice",
"comment": "SSH logging in",
"keys": [
{
"name": "my security key",
"handle": "KEYHANDLE",
"public_key": "PUBLICKEY",
"counter": 42
}
]
}name(optional): used for consenting usercomment(optional): used for consenting user- keys: array of key objects, which is retrievable by
/registerAPIname(optional)handle(required)public_key(required)counter(optional)
Same with /api/authn/:id
:idauthn ID
{
"authn": {
"id": "bwsyJySllmJpFeIV4VuSPg9xO9Bdky905i48K1kA02Yd8l6C7-l4GlvPA8icYPLPxG4xkp9ePUp_3Onsemc",
"status": "open",
"html_url": "https://example.org/authn/bwsyJySllmJpFeIV4VuSPg9xO9Bdky905i48K1kA02Yd8l6C7-l4GlvPA8icYPLPxG4xkp9ePUp_3Onsemc",
"url": "https://example.org/api/authn/bwsyJySllmJpFeIV4VuSPg9xO9Bdky905i48K1kA02Yd8l6C7-l4GlvPA8icYPLPxG4xkp9ePUp_3Onsemc",
"created_at": "2017-12-08T01:14:41+09:00",
"expires_at": "2017-12-08T01:16:41+09:00",
"verified_at": "2017-12-08T01:15:41+09:00",
"verified_key": {
"name": "my security key",
"handle": "KEYHANDLE",
"public_key": "PUBLICKEY",
"counter": 43
}
}
}id: authn IDstatus: One of =open,verified,expired, orcancelledhtml_url: URL of authentication page for userurl: API URL to retrieve the latest authn status (/api/authn/:id)created_at: Creation time of authn, format is ISO8601expires_at: Expiration time of authn, format is ISO8601- (only available when
status == "verified")verified_at: verification time of authn, format is ISO8601.verified_key: a key object, user presented.
Navigate user to this page for key registration. Clarion redirects back to callback with registered key information.
form encoded body on POST, or query string on GET
name=NAME&comment=COMMENT&state=STATE&callback=CALLBACK&public_key=PUBKEY
NAME(optional): Used for consenting userCOMMENT(optional): Used for consenting userSTATE(optional): if given, the same string will be returned in a callbackCALLBACK(required): Callback URL- may start with
js:: Whenjs:$ORIGIN(where$ORIGINis a page origin) is specified,/registerpage will return a result using window.opener.postMessage(). - Returned message is a JavaScript object contains a property
clarion_key. It is a JavaScript object in the same format of POST callback.
- may start with
PUBKEY(required): RSA public key, in a Base64 encoded DER string.
HTML for user
callback (by redirection) that notifies key registration, with the registered key information to the app
form encoded
state=STATE&data=DATA
DATAis a JSON string{"data": "ENCRYPT_DATA_BASE64", "key": "ENCRYPTED_SHARED_KEY_BASE64"}.ENCRYPTED_SHARED_KEY_BASE64contains base64 encoded binary, which is a RSA encrypted JSON string using the given RSA public key to/register. RSA padding mode isPKCS1_OAEP_PADDING.- it decrypts like as
{"iv": "IV_BASE64", "tag": "TAG_BASE64", "key": "KEY_BASE64"}. IV_BASE64is a base64 encoded IV.TAG_BASE64is a AES-GCM auth tag.KEY_BASE64is a base64 encoded shared key used for AES-256-GCM.
- it decrypts like as
ENCRYPTED_DATA_BASE64is a base64 encoded binary, which is a AES-256-GCM encrypted JSON string. UseIV_BASE64,TAG_BASE64,KEY_BASE64to decrypt.
ENCRYPTED_DATA_BASE64 decrypted as like the following JSON string:
{
"name": "KEYNAME",
"handle": "KEYHANDLE",
"public_key": "PUBLICKEY"
}