Passwordless auth method (API)
Last updated
Last updated
The passwordless and username-less auth method is provides by the custom auth plugin vault_plugin_auth_passkeys and needs to be registered in the plugin catalog before usage.
This documentation assumes the passkey method is mounted at the /auth/passkey path in Vault. Since it is possible to enable auth methods at any location, please update your API calls accordingly.
A policy according to Passwordless is created and named passkey_policy.
The passkey configuration is needed to set up the origins, the relying party ID, the relying party displayname and attached policies.
Returns the set up configuration.
| Method | Path |
|---|---|
Set up the configuration to enable users to authenticate.
policies (Array<string>) - Array of all policies which will be attached to each authenticated user.
rp_displayname (string) - A human readable Displayname for your project or website. It is used to enhance user experience and has not technical importance.
rp_id ( string) - The ID of the relying party. This must be set to your domain without scheme and port (e.g. vault-passkeys.com). It will be checked technically by the browser and the auth mechanism. The RP ID is used to identify entries in the authenticator.
rp_origins (Array<string>) - An origin must be a Fully Qualified Domain Name (FQDN). Only request from this URL are allowed. The origin is technically checked and must be set correctly.
A user object needs to be either created by an administrator and the one-time-password has to be supplied to the user or an already authenticated user (e.g. via userpass) may use the /create endpoint for self-registration.
List all users that are created at the plugin.
Retrieve user object information like the one-time-password needed for registration.
username (string: <required>) - Name of the user.
Create a pending user object for a user to register with a one-time-password.
username (string: <required>) - Name of the user.
Delete a user object.
This endpoint is used to reset the one-time-password and timestamp of the validation time.
username (string: <required>) - Name of the user.
minutes (number) - Number of minutes that determine how long it is possible to use the one-time-password.
These endpoints operate one a challenge and response sequenze. First the ceremony needs to be started at the Vault system and the returned information must be used to make the WebAuthn API calls at the client. All data used for the WebAuthn calls are url safe encoded via Base64 (-_ are used instead of +/) for transmission. The values must be decoded into ArrayBuffer for the WebAuthn API calls.
Since a browser is needed for the WebAuthn API calls, the samples only show responses.
operation (string: "init") - The operation must be set to init to initiate the registration ceremony.
otp (string: <required>) - The valid one-time-password provided by an administrator.
username (string: <required>) - Name of the user provided by an administrator.
The response data must be decoded and passed to the navigator.credentials.create() as parameter. The response of this call needs to be encoded and sent back to the Vault endpoint.
operation (string: "finish") - The operation must be set to finish to finalzie the registration ceremony.
otp (string: <required>) - The valid one-time-password provided by an administrator.
username (string: <required>) - Name of the user provided by an administrator.
credentialData (object: <required>) - This is the response from the authenticator, containing information like the public key of the newly created key pair.
After successful registration the user is logged in and the client token is returned.
operation (string: "init") - The operation must be set to init to initiate the login ceremony.
The response data must be decoded and passed to the navigator.credentials.get() as parameter. The response of this call needs to be encoded and sent back to the Vault endpoint.
operation (string: "finish") - The operation must be set to finish to finalzie the login ceremony.
credentialData (object: <required>) - This is the response from the authenticator, containing information like the signature which will be validated by the plugin with the stored public key.
After successful validation the user is logged in and the client token is returned.
The self-registration can be performed to create a passkey account without administrator interaction. The user must be authenticated in Vault and needs the permission for this endpoint to use.
The administrator should merge the newly created passkey entitiy/alias with the one which is used to create the passkey user account.
These endpoints operate one a challenge and response sequenze. First the ceremony needs to be started at the Vault system and the returned information must be used to make the WebAuthn API calls at the client. All data used for the WebAuthn calls are url safe encoded via Base64 (-_ are used instead of +/) for transmission. The values must be decoded into ArrayBuffer for the WebAuthn API calls.
Since a browser is needed for the WebAuthn API calls, the samples only show responses.
operation (string: "init") - The operation must be set to init to initiate the registration ceremony.
username (string: <required>) - A unique username must be provided to create a new account.
The response data must be decoded and passed to the navigator.credentials.create() as parameter. The response of this call needs to be encoded and sent back to the Vault endpoint.
operation (string: "finish") - The operation must be set to finish to finalize the registration ceremony.
username (string: <required>) - A unique username must be provided to create a new account.
credentialData (object: <required>) - This is the response from the authenticator, containing information like the public key of the newly created key pair.
After successful registration the newly created passkey can be used and an Vault entitiy will be created at first login.
A user may add or delete passkeys or rename them on the server side for simplified identifiability.
Many authenticators only support one passkey for one relying party. If a new passkey is created the old one may be deleted on the authenticator side.
username (string: <required>) - The users existing username.
operation (string: "init") - The operation must be set to init to initiate the registration ceremony.
The response data must be decoded and passed to the navigator.credentials.create() as parameter. The response of this call needs to be encoded and sent back to the Vault endpoint.
username (string: <required>) - The users existing username.
operation (string: "finish") - The operation must be set to finish to finalize the registration ceremony.
credentialData (object: <required>) - This is the response from the authenticator, containing information like the public key of the newly created key pair.
A user may delete its registered passkeys at the plugin.
username (string: <required>) - The users existing username.
credentialID (string: <required>) - The ID of the passkey entry.
Displaynames of passkeys are not synced between clients and servers.
username (string: <required>) - The users existing username.
credentialID (string: <required>) - The ID of the passkey entry.
displayName (string: <required>) - The new name of the passkey entry.
| Method | Path |
|---|---|
| Method | Path |
|---|---|
| Method | Path |
|---|---|
| Method | Path |
|---|---|
| Method | Path |
|---|---|
| Method | Path |
|---|---|
| Method | Path |
|---|---|
| Method | Path |
|---|---|
| Method | Path |
|---|---|
| Method | Path |
|---|---|
| Method | Path |
|---|---|
| Method | Path |
|---|---|
| Method | Path |
|---|---|
| Method | Path |
|---|---|
| Method | Path |
|---|---|
| Method | Path |
|---|---|
GET
/auth/passkey/config
POST
/auth/passkey/config
LIST
/auth/passkey/users
GET
/auth/passkey/users/:username
POST
/auth/passkey/users/:username
DELETE
/auth/passkey/users/:username
POST
/auth/passkey/users/:username/reset
POST
/auth/passkey/register
POST
/auth/passkey/register
POST
/auth/passkey/login
POST
/auth/passkey/login
POST
/auth/passkey/create
POST
/auth/passkey/create
POST
/auth/passkey/:username/credentials
POST
/auth/passkey/:username/credentials
DELETE
/auth/passkey/:username/credentials/:credentialID
POST
/auth/passkey/:username/credentials/:credentialID