Mobile DPoP FIDO Authn
A design for a first party mobile application that leverages dynamic client registration (DCR), DPoP access tokens, and FIDO user authenticaiton. In Jans Auth Server, we would end up having three entries: one for the person, one for the device (client), and one for the FIDO credential.
title Mobile Authentication with DPoP and FIDO
actor Person
participant App
participant Device
participant Device Keystore
participant Auth Server
participant Fido2 Server
participant API
participant App Store
fontfamily mono
critical Download App
Person->App Store: Search for App
Device<->App Store: Install App
end
critical Dynamic Client Registration
Person->App: Start App
App<->Device: Get Device info
Device<->Device Keystore: generate keys
Device->Auth Server: /register : Send public key
Auth Server->App: client_id
end
alt Enrollment (First time using app)
Person<->App: uid / pw\n(future: NFC card,\n or verifiable credential)
App<->Auth Server: /token : ROPC call
App<->Fido2 Server: FIDO biometric enrollment
end
alt Call API
App->Auth Server: /token?id_token=__&grant_type=fido2 : client authn = private key
Auth Server->Auth Server: id_token\nvalid?
loop authn required because id_token invalid
Auth Server->App: 401/Unauthorized\nWWW-Authenticate: fido
App->Device: FIDO API
Person<->Device: present biometric
App->Fido2 Server: /fido 2: find user by keyHandle+RP, check fido2 response signature
Fido2 Server-> App: issue unique fido2 token (ref_id) (token with grant type fido2)
App->Auth Server: /authorize&display=fido&state=ref_id
Auth Server->Auth Server: Verify ref_id
Auth Server->App: id_token
end
Auth Server->App: issue DPoP access_token
App->API: access_token
end
See also: https://github.com/JanssenProject/jans/issues/5403