Passkey Relying Party Server implementation questions

Question

I red a lot of articles about Passkey implementation between Mobile and own Relying Party Server, but still have some open questions:

1. When a client requests a Challenge during a registration, we send a json from the server which includes the User sub-model below. Documentation says that it’s enough to have 16 bytes for ID (all examples use 16 bytes of random string) which is a size of UUID, so question: can \ should we use UUID and can it be our foreign key for other entities not related to Auth itself but as an user id?

{ "rp": {...} , "user": { "id": "NWRjZTkzZjAtNmY2NC00MDdlLTllMjYtNDU4N2EwNGQzNTNj", "name": "[email protected]", "displayName": "[email protected]" }, challenge: "...", pubKeyCredParams: [...] }

2. Also didn’t find any information about name and displayName, is there a possibility to change \ update them later?

3. After the server creates a Challenge during a registration, is it not clear what we want to persist into our database? It seems like we should save the User entity and Challenge string but not the rest of the challenge model (json).

4. When we request a Challenge during a registration (I will use email as a user), do we need to check if User already exists (My guess would be - No, just want to double check. Because we shouldn’t expose to the wrong person this information)?

5. Because Mobile device is a trusted source, should we use Basic Auth to request a Challenge and what other options do we have?

6. Seems like for testing Passkey for example on Android it can not be done locally. Will you need some Relying Party Server deployed somewhere but not a “localhost”?

Answer 1

1. can \ should we use UUID [...] as an user id?

Basically, the user ID, also known as "user handle" may be exposed without user verification by usb security keys. It's a privacy measure to anonymize it (see https://github.com/w3c/webauthn/issues/1763)

2. Also didn’t find any information about name and displayName, is there a possibility to change \ update them later?

If you re-create a credential with the same user ID, it should be overwritten. This can be used to update name/displayName.

3. After the server creates a Challenge during a registration, is it not clear what we want to persist into our database? It seems like we should save the User entity and Challenge string but not the rest of the challenge model (json).

I find the question unclear. This might shed some light: https://passwordless.id/protocols/webauthn/2_registration

4. When we request a Challenge during a registration (I will use email as a user), do we need to check if User already exists (My guess would be - No, just want to double check. Because we shouldn’t expose to the wrong person this information)?

Again, I find the question unclear. It's up to you to decide if you allow registering multiple devices/credentials per user, or just a single one and rely on the platform's sync capability to avoid any lockout on device loss.

5. Because Mobile device is a trusted source, should we use Basic Auth to request a Challenge and what other options do we have?

The challenge is a random nonce to avoid replay attacks. It's always different, each time any user signs up/in. It's not a "protected resource".

6. Seems like for testing Passkey for example on Android it can not be done locally. Will you need some Relying Party Server deployed somewhere but not a “localhost”?

Dunno about that.