WebAuthn Relying Party server library for PHP

Current state

Pretty stable but the API may still change slightly until the 1.0 release.

Goal

This library aims to implement the relying party server of the WebAuthn specification in PHP. Important goals are:

• Implement the level 1 WebAuthn specification
• Good quality, secure and maintainable code
• Easy to use for the end-user

Installation

Installation via composer:

composer require madwizard/webauthn

Supported features

• PHP 7.2

• FIDO conformant library
• Attestation types:
  • FIDO U2F
  • Packed
  • TPM
  • Android SafetyNet
  • Android Key
  • Apple
  • None
  • Optional 'unsupported' type to handle future types
• Metadata service support
• Validating metadata
• Extensions:
  • appid

Usage

The library is still in development so documentation is limited. The general pattern to follow is:

1. Implement CredentialStoreInterface (you will need UserCredential or your own implementation of UserCredentialInterface)
2. Create an instance of RelyingParty and use the ServerBuilder class to build a server object:

$server = (new ServerBuilder())
    ->setRelyingParty($rp)
    ->setCredentialStore($store)
    ->build();

3. Use startRegistration/finishRegistration to register credentials. Be sure to store the temporary AttestationContext server side!
4. and startAuthentication/finishAuthentication to authenticate. Be sure to store the temporary AssertionContext server side!

Resources

WebAuthn specification