Register and Login

[ZeldaFan0225]

I just wanted to ask if the library could also verify a login since in the example https://webauthn.guide the two processes (create and login) have two different credential responses which are verified in different ways... also do I need the save the whole credential response with the public key and how can I send them to the server since it seems like json stringify does not like the uint8array.
Sorry if this is a stupid question but I couldn't find any examples that would answer these questions

[JamesCullum]

Hey there - this is a question with quite a lot of mixed sub-questions, where maybe the core concept isn't really clear.

FIDO2 is about having a trusted software (browser, OS) create a certificate for a specific domain, keeping it safe and asking the user during a login which one and if he wants to use it. This prevents a multitude of attacks and has great usability.

If you register with one software, you need to use the same software on the same device to log in (unless the software synchronizes these certificates to multiple devices). No, it is sufficient to save specific parts of the response to properly validate the login later on. You can refer to the OWASP-SSO to see it in action with examples.

[ZeldaFan0225]

Thanks for the fast response, I think I got the concept now, the main part that was confusing me was the difference between the example on https://webauthn.guide and the example code in this repo (if these two are completely different things then I'm sorry I guess I didn't get it). It is unclear to me how to send the Uint8Arrays to the server (since they can't be sent in json) and how to validate that the created (for the first time) credential/ key pair is right (because later on when let's say the user is logging in and you want to check if a pair is the same (the one saved the pubkey and credential id in a database) where you have something to compare)

TLDR I'm still having some issues "translating" the code shown in the guide to code using this library

[JamesCullum]

Yes, those are completely seperate - this one is a serverside library for validation, the guide you probably saw was for client-side requesting of certificates. Again - feel free to look at the OWASP SSO code for a practical end-to-end example.