Development Overview
Info
Please also check the System Configuration Image in the service overview.
WebAPI Provided Functions
The WebAPI of YubiOn FIDO2 Server Service (hereinafter referred to as FSS) provides the following functions.
- Registration and authentication of credentials (passkeys)
- User management
  - Get user
  - Register user
  - Edit user
  - Delete user
- Credential (passkey) management
  - Get credential
  - Edit credential
  - Delete credential
Image of Application Developer’s Implementation Scope
- FSS creates the arguments for the WebAuthn API executed on the browser and verifies the return values.
  - To register or authenticate a credential, the application server makes a request to the FSS WebAPI to obtain the method arguments for the WebAuthn API. The browser calls the WebAuthn API using these arguments, and the return value is sent from the application server to the FSS WebAPI to determine the success or failure of the process.
  - Communication between the application server and the FSS WebAPI is performed using HTTPS. Request and response data are sent and received in JSON format. Note that some of the arguments and return values used in the WebAuthn API include binary buffers, which are converted to Base64Url format for transmission.
  - SDKs are available for some languages to handle communication between the application server and FSS.
- The application developer implements the communication processing between the browser and the application server.
  - This part is assumed to be sent and received in JSON format, but some of the arguments and return values of the WebAuthn API include binary buffers. A client-side JavaScript SDK is also available to convert this data from Base64Url format to buffer format, or from buffer format to Base64Url format.
- In addition to credential registration and verification processing, a WebAPI is available for managing user information and credential information.
  - When using these, the application server also makes requests to the FSS WebAPI to manipulate and retrieve information. The client implementation for displaying this information on the user’s browser is implemented by the application developer.
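The Base64Url conversion described above for data exchanged between the browser and the application server, shown as an added example (not code from YubiOn or its client-side SDK). Field names follow the WebAuthn `PublicKeyCredentialCreationOptions` and `PublicKeyCredential` objects; the exact JSON layout relayed by your application server is an assumption.

```javascript
// Added example: strict Base64Url <-> ArrayBuffer helpers for WebAuthn JSON.
// Assumption: the application server relays JSON shaped like the WebAuthn objects.

function base64UrlToBuffer(text) {
  // Accept only the unpadded URL-safe alphabet; reject anything else rather
  // than decoding malformed input leniently.
  if (typeof text !== "string" || !/^[A-Za-z0-9_-]*$/.test(text) || text.length % 4 === 1) {
    throw new TypeError("not a valid Base64Url string");
  }
  const pad = "=".repeat((4 - (text.length % 4)) % 4);
  const bin = atob(text.replace(/-/g, "+").replace(/_/g, "/") + pad);
  const bytes = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
  return bytes.buffer;
}

function bufferToBase64Url(buffer) {
  let bin = "";
  for (const b of new Uint8Array(buffer)) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// JSON from the application server -> argument for navigator.credentials.create()
function decodeCreationOptions(json) {
  return {
    ...json,
    challenge: base64UrlToBuffer(json.challenge),
    user: { ...json.user, id: base64UrlToBuffer(json.user.id) },
    excludeCredentials: (json.excludeCredentials || []).map((c) => ({
      ...c,
      id: base64UrlToBuffer(c.id),
    })),
  };
}

// PublicKeyCredential from the browser -> JSON body for the application server
function encodeAttestation(credential) {
  return {
    id: credential.id,
    type: credential.type,
    rawId: bufferToBase64Url(credential.rawId),
    response: {
      clientDataJSON: bufferToBase64Url(credential.response.clientDataJSON),
      attestationObject: bufferToBase64Url(credential.response.attestationObject),
    },
  };
}
```

In the browser, pass `{ publicKey: decodeCreationOptions(json) }` to `navigator.credentials.create()` and send `encodeAttestation(result)` back to the application server, never to the FSS WebAPI directly.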
Warning
FSS WebAPI requests must be made from the application server. It is not intended for FSS WebAPI requests to be made directly from the client browser. Passing the secret key required for authentication of FSS WebAPI requests to the client browser is effectively publishing the secret key on the Internet, which means the security of FSS WebAPI requests cannot be guaranteed.
SDK
- SDKs are available for some languages to access the FSS WebAPI. They set the authentication headers and similar details automatically when accessing the FSS WebAPI, so development goes more smoothly than implementing the FSS WebAPI requests directly.
  - Node.js: yubion-fido2-server-sdk-js
  - Java: yubion-fido2-server-sdk-java
- We plan to add SDKs in the future for languages that are not currently supported.
  - If you have a language for which you would like an SDK to be provided, please send a request from the inquiry page.