-
Notifications
You must be signed in to change notification settings - Fork 183
Explainer: WebAuthn Large Blob Extension
A pair of registration/assertion extensions for WebAuthn that let relying parties store a small amount of data associated to a credential (spec).
Relying parties are websites, and therefore have access to servers that can store arbitrary amounts of data about a user. However, there are specific cases where a relying party might want to store some data associated to a user's account that can be used in an offline authentication context, such as a certificate. The large blob extension allows relying parties to store and retrieve such data during an assertion ceremony.
Large blobs can only be stored and retrieved at assertion time. However, relying parties should query support during registration:
const credential = await navigator.credentials.create({
publicKey: {
challenge: ...,
user: ...,
rp: ...,
authenticatorSelection: {
residentKey: "preferred", // Or "required".
},
extensions: {
largeBlob: {
support: "preferred", // Or "required".
},
},
}
});
if (!credential.getClientExtensionResults().largeBlob) {
// Large blob not supported by the user agent.
return;
}
if (credential.getClientExtensionResults().largeBlob.supported) {
// Large blob is supported for this credential.
} else {
// Large blob is not supported (this happens if support="preferred" -- the credential was still created).
}If support is set to required, the user agent will only create a credential for authenticators with large blob support, and can inform the user of that need. Otherwise, the credential will be created regardless of support, and support will be advertised by the largeBlob.support registration extension output.
Note that discoverable credential ("resident key") support is required to store a large blob on CTAP 2.1 authenticators, so it is recommended to set residentKey to preferred or required. This restriction may not apply to other (e.g. platform) authenticators.
To store a large blob on a credential that has advertised support at its creation time:
const blob = Uint8Array.from(blobBits);
const assertion = await navigator.credentials.get({
publicKey: {
challenge: ...,
allowCredentials: [{
type: "public-key",
id: credentialId, // Only a single credential is supported.
}],
extensions: {
largeBlob: {
write: blob,
},
},
}
});
if (assertion.getClientExtensionResults().largeBlob.written) {
// Success, the large blob was written.
} else {
// The large blob could not be written (e.g. because of a lack of space).
// The assertion is still valid.
}Exactly one allowCredentials entry is allowed for writing a large blob.
To read a large blob:
const assertion = await navigator.credentials.get({
publicKey: {
challenge: ...,
allowCredentials: [{
type: "public-key",
id: credentialId, // An arbitrary number of credentials is supported.
}],
extensions: {
largeBlob: {
read: true,
},
},
}
});
if (typeof assertion.getClientExtensionResults().largeBlob.read !== "undefined") {
// Reading a large blob was successful.
const blobBits = new Uint8Array(assertion.getClientExtensionResults().largeBlob.read);
} else {
// The large blob could not be read (e.g. because the data is corrupted).
// The assertion is still valid.
}When reading a large blob, any number of entries is allowed in allowCredentials (including none, for a discoverable credential request).
There are no particular privacy concerns associated with the large blob extension. Reading and writing large blobs only happens when the user consents to sharing a credential that was previously minted for a given relying party.
- Demo https://webauthn-large-blob.glitch.me/index.html
- The WebAuthn Large Blob Extension spec https://w3c.github.io/webauthn/#sctn-large-blob-extension
- Large blobs in CTAP 2.1 https://fidoalliance.org/specs/fido-v2.1-rd-20201208/fido-client-to-authenticator-protocol-v2.1-rd-20201208.html#authenticatorLargeBlobs