Factors API, factorType: webauthn, provider: FIDO

I am trying to use the Factors API to enroll different factors for my tenant. I have been successful with many of the factors, but am stuck on ‘Security Key or Built-in Authenticator’.

I am able to use Okta’s Settings page to enroll my device. When I make an API call to see my factors, the factor is listed as factorType: webauthn with provider: FIDO.

I can’t find that factorType anywhere in the Factors API.

Can someone please point me in the right direction?


Some factors are yet to be supported through the API.

What kind of security key are you using?

I do see that Web Authentication (FIDO2) is an ‘Early Access’ feature. But I was hoping there was still someway of using the API, maybe the U2F flow?

I am using a couple of different YubiKeys.

I believe YubiKeys can be done by the API. If you explore the Postman collection (Factor's lifecycle options), you can enroll the user by passing the body below:

{
  "factorType": "token:hardware",
  "provider": "YUBICO",
  "verify": {
    "passCode": "cccccceukngdfgkukfctkcvfidnetljjiknckkcjulji"
  }
}

FIDO2 is not yet possible.

Yes, YubiKeys can be done that way. But it also requires quite a bit of setup to use the YubiKey in that way. We may have 10k keys in use, and no one wants to plug all of them in, one at a time, to get them set up.

I'm sorry, but that is kind of the point of YubiKeys. You could try to contact Yubico to see if they offer a service to set them up for you, but it will also require them getting someone to plug in the YubiKeys one at a time to set them up.

You could allow your users to set up the YubiKeys themselves, which should help; however, there is no way to do this without plugging in each one.

Finally figured this one out. Here is how you do it:

First you enroll with a POST to the factors endpoint.

POST /api/v1/users/:uid/factors
{
  "factorType": "webauthn",
  "provider": "FIDO"
}

This will return a response that includes response._embedded.activation, which you will need for your call to navigator.credentials.create().

Use the credential that is returned from navigator.credentials.create() in your POST to the activate endpoint.

credential.response.attestationObject will be sent as "registrationData"
credential.response.clientDataJSON will be sent as "clientData"

So something like this:

POST /api/v1/users/:uid/factors/:factorid/lifecycle/activate
{
  "registrationData": credential.response.attestationObject,
  "clientData": credential.response.clientDataJSON
}
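The enroll, create, activate sequence from the post above, written out as browser-side JavaScript. This is an added example, not code from the thread or from Okta. It assumes the enroll response's _embedded.activation carries the usual WebAuthn PublicKeyCredentialCreationOptions fields (rp, user, challenge, pubKeyCredParams, attestation, authenticatorSelection, excludeCredentials) with challenge, user.id and excludeCredentials[].id as base64url strings, and that the activate endpoint takes registrationData and clientData as base64 strings; baseUrl, userId and token are placeholders, and the enrollWebAuthn function name is this example's own. The browser binds the new credential to the page's origin and to the RP ID in activation.rp, so the page calling navigator.credentials.create() has to be served from an origin that Okta's RP ID covers, which is why the later question about non-Okta origins matters. It also checks the PENDING_ACTIVATION status that the later reply points at before trying to activate.

```javascript
// Added example (not from the original thread): browser glue between the Okta
// Factors API enroll/activate calls and navigator.credentials.create().
// Assumptions: activation fields are base64url strings (challenge, user.id,
// excludeCredentials[].id); activate body fields are standard base64. Check the
// Okta Factors API docs for the exact encoding your org expects.

// Decode a base64url string (RFC 4648 section 5, unpadded) into a Uint8Array.
function base64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bin = atob(padded);
  const out = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
  return out;
}

// Encode an ArrayBuffer or Uint8Array as standard base64 (assumed encoding for
// registrationData and clientData in the activate body).
function bytesToBase64(buf) {
  const bytes = buf instanceof Uint8Array ? buf : new Uint8Array(buf);
  let bin = "";
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin);
}

// Translate Okta's activation object into the options WebAuthn expects:
// binary fields must be ArrayBuffers/typed arrays, not strings.
function buildCreationOptions(activation) {
  return {
    rp: activation.rp,
    user: {
      id: base64urlToBytes(activation.user.id),
      name: activation.user.name,
      displayName: activation.user.displayName,
    },
    challenge: base64urlToBytes(activation.challenge),
    pubKeyCredParams: activation.pubKeyCredParams,
    attestation: activation.attestation,
    authenticatorSelection: activation.authenticatorSelection,
    // Already-enrolled credentials are excluded so one key cannot be enrolled twice.
    excludeCredentials: (activation.excludeCredentials || []).map((c) => ({
      type: c.type,
      id: base64urlToBytes(c.id),
    })),
    timeout: 60000,
  };
}

// Build the activate request body from the PublicKeyCredential returned by
// navigator.credentials.create(): attestationObject -> registrationData,
// clientDataJSON -> clientData.
function buildActivateBody(credential) {
  return {
    registrationData: bytesToBase64(credential.response.attestationObject),
    clientData: bytesToBase64(credential.response.clientDataJSON),
  };
}

// Full flow, run in a browser. baseUrl, userId and token are placeholders;
// "SSWS" is the Okta API-token authorization scheme.
async function enrollWebAuthn(baseUrl, userId, token) {
  const headers = { "Content-Type": "application/json", Authorization: `SSWS ${token}` };
  const enroll = await fetch(`${baseUrl}/api/v1/users/${userId}/factors`, {
    method: "POST",
    headers,
    body: JSON.stringify({ factorType: "webauthn", provider: "FIDO" }),
  }).then((r) => r.json());
  // The factor is created in PENDING_ACTIVATION; anything else means enrollment failed.
  if (enroll.status !== "PENDING_ACTIVATION") {
    throw new Error(`unexpected factor status ${enroll.status}`);
  }
  // The authenticator signs over the page origin and RP ID; Okta verifies both.
  const credential = await navigator.credentials.create({
    publicKey: buildCreationOptions(enroll._embedded.activation),
  });
  return fetch(`${baseUrl}/api/v1/users/${userId}/factors/${enroll.id}/lifecycle/activate`, {
    method: "POST",
    headers,
    body: JSON.stringify(buildActivateBody(credential)),
  }).then((r) => r.json());
}
```

The two encoding helpers are kept separate from the fetch calls so they can be checked without a browser; the conversion of challenge and user.id to bytes is the step most people miss, since passing the base64url strings straight through makes navigator.credentials.create() reject the options.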

Hi,
I have been trying to do the same, i.e. do webauthn enrollment using the Okta API. As per the webauthn documentation, the origin is verified, so if the enrollment is done using something other than the Okta URL, did it work for you?


I am also trying to figure out how to enroll users in webauthn with the Factors API. There is little to no documentation about what to do with the response from the Factors API. The response I get is something like below. What do I do with it to enroll users in webauthn? snip

After you send the request to enroll the factor, you next need to activate it. See how the status in the response above shows the transaction is in the PENDING_ACTIVATION state.

You likely want to check out our Factors API doc to see how to finish activating this factor.
