Class WebAuthnClient
Modern WebAuthn / passkey client. Wraps the OS public-key credential APIs
(ASAuthorizationPlatformPublicKeyCredentialProvider on iOS 16+,
androidx.credentials.CredentialManager on Android API 28+) behind a
portable, JSON-friendly Java surface so you can talk to any relying-party
server -- your own backend, Auth0, Firebase, or one of the WebAuthn server
libraries -- with the same code.
When to reach for this class
- Your app talks to your own backend and you want to add passkeys for passwordless sign-in / step-up auth.
- You are wiring up a passkey flow against Auth0 or Firebase that those
providers' OIDC ceremonies don't already give you for free. (When the
user signs into Google / Apple / Microsoft via
OidcClient, the IdP handles the passkey on its end -- you get the resulting tokens without ever calling this class.)
Typical registration flow
// 1. Ask your server for the registration challenge JSON.
AsyncResource<String> challenge = httpPost("/passkey/register/start", body);
// 2. Hand it to the OS for the actual passkey creation.
PublicKeyCredentialCreationOptions opts =
        PublicKeyCredentialCreationOptions.fromJson(challenge.get());
WebAuthnClient.getInstance().create(opts)
        .ready(new SuccessCallback<PublicKeyCredential>() {
            public void onSucess(PublicKeyCredential cred) {
                // 3. Forward the authenticator response back to the server.
                httpPost("/passkey/register/verify", cred.toJson());
            }
        });
Typical sign-in flow
Symmetrical: ask the server for an assertion challenge, hand it to
get(PublicKeyCredentialRequestOptions), and POST the response back. The
server verifies the signature and returns a session token.
What this class deliberately does NOT do
- Verify the attestation / assertion. That is the relying party's responsibility -- it requires the server-side credential record and a counter check that only the RP can do safely. Use a server library: webauthn4j (Java), @simplewebauthn/server (Node), webauthn-rs (Rust), or your IdP's built-in verifier.
- Conditional UI (autofill). The W3C mediation: "conditional" UX is not currently exposed; call a regular get(PublicKeyCredentialRequestOptions) when the user clicks a sign-in button.
- Replace OIDC. Most apps using OidcClient already get passkey-backed sign-in for free (the IdP handles the passkey ceremony). Use this class when you specifically have your own relying party.
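The counter check named in the first item above, as an added example that is not part of this class or of the Codename One API. It uses only the JDK and covers the rpIdHash, user-present flag and signature counter of an assertion's authenticatorData; signature and clientDataJSON verification stay with the server library. The class and method names, the "example.com" RP ID, and the choice to reject on a non-increasing counter are assumptions of this example.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class AssertionCounterCheck { // hypothetical name, not a library class
    static final int FLAG_UP = 0x01; // user-present bit in the flags byte
    // Returns the sign count to store on the credential record, or throws.
    static long check(byte[] authData, String rpId, long storedCount) throws Exception {
        if (authData.length < 37) { // rpIdHash(32) + flags(1) + signCount(4)
            throw new SecurityException("authenticatorData shorter than 37 bytes");
        }
        ByteBuffer buf = ByteBuffer.wrap(authData); // big-endian by default
        byte[] rpIdHash = new byte[32];
        buf.get(rpIdHash);
        int flags = buf.get() & 0xFF;
        long signCount = buf.getInt() & 0xFFFFFFFFL; // read as unsigned 32-bit
        if (!MessageDigest.isEqual(rpIdHash, sha256(rpId))) {
            throw new SecurityException("rpIdHash does not match this relying party");
        }
        if ((flags & FLAG_UP) == 0) {
            throw new SecurityException("user-present flag not set");
        }
        // Both zero: this authenticator does not implement a counter.
        if (signCount == 0 && storedCount == 0) {
            return 0;
        }
        // A counter that fails to increase suggests a cloned or replayed credential.
        if (signCount <= storedCount) {
            throw new SecurityException("sign count did not increase");
        }
        return signCount;
    }

    static byte[] sha256(String s) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
    }
    // Constructed sample input: rpIdHash || flags || signCount.
    static byte[] sample(String rpId, int flags, int count) throws Exception {
        return ByteBuffer.allocate(37).put(sha256(rpId)).put((byte) flags).putInt(count).array();
    }
    public static void main(String[] args) throws Exception {
        System.out.println("store: " + check(sample("example.com", 0x05, 42), "example.com", 41));
        try {
            check(sample("example.com", 0x05, 41), "example.com", 42); // counter went backwards
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```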
Since: 7.0.245
Method Summary
Modifier and Type, Method -- Description
- create(PublicKeyCredentialCreationOptions options) -- Drives the W3C navigator.credentials.create() ceremony with the given options.
- get(PublicKeyCredentialRequestOptions options) -- Drives the W3C navigator.credentials.get() ceremony with the given options.
- static WebAuthnClient getInstance()
- static boolean isSupported() -- true when a native, OS-level passkey implementation is available on the current platform.
- static void setProvider -- Registers a port-supplied WebAuthnNative implementation.
Method Details
getInstance
isSupported
public static boolean isSupported()
true when a native, OS-level passkey implementation is available on the current platform. When false, create(PublicKeyCredentialCreationOptions) and get(PublicKeyCredentialRequestOptions) fail with WebAuthnException.NOT_IMPLEMENTED so the caller can present a fallback UI.
setProvider
Registers a port-supplied WebAuthnNative implementation. Called at app startup by the platform port (WebAuthnNativeImpl.init()). Cn1lib authors can also call this to plug in a custom implementation (e.g. a USB-HID security-key driver). Pass null to revert to "no platform support".
create
Drives the W3C navigator.credentials.create() ceremony with the given options. The returned AsyncResource completes with the authenticator's PublicKeyCredential response, or errors with WebAuthnException (e.g. WebAuthnException.NOT_ALLOWED when the user dismisses the OS sheet).
The work is done off the EDT -- a background thread blocks on the native call. Callers can attach .ready() and .except() listeners without worrying about thread affinity; both fire on the EDT.
get
Drives the W3C navigator.credentials.get() ceremony with the given options. Symmetrical to create(PublicKeyCredentialCreationOptions).