I've followed the registration steps in the documentation, but now I'm stuck at the final step of the response verification:
I assume Should it be created like this?
If so, how to create Any help would be appreciated.
Replies: 2 comments
Hi, This object comes from the authenticator. In general, it is sent from the browser using a POST request with the data as JSON body.
Thanks. I think I've figured it out:

```php
$authenticatorAttestationResponse = AuthenticatorAttestationResponse::create(
    $publicKeyCredential->response->clientDataJSON,
    $publicKeyCredential->response->attestationObject
);
```

That step really is missing in the docs...

```php
use Webauthn\AttestationStatement\AttestationObjectLoader;
use Webauthn\AttestationStatement\AttestationStatementSupportManager;
use Webauthn\AttestationStatement\NoneAttestationStatementSupport;
use Webauthn\AuthenticationExtensions\ExtensionOutputCheckerHandler;
use Webauthn\AuthenticatorAttestationResponse;
use Webauthn\AuthenticatorAttestationResponseValidator;
use Webauthn\PublicKeyCredentialLoader;

// $json, Session, sendJsonErrorAndDie() and dd() come from the surrounding application
try {
    // from https://webauthn-doc.spomky-labs.com/pure-php/the-hard-way
    $attestationStatementSupportManager = AttestationStatementSupportManager::create();
    $attestationStatementSupportManager->add(NoneAttestationStatementSupport::create());
    $attestationObjectLoader = AttestationObjectLoader::create($attestationStatementSupportManager);
    $publicKeyCredentialLoader = PublicKeyCredentialLoader::create($attestationObjectLoader);

    // load the json posted by the client ( https://webauthn-doc.spomky-labs.com/pure-php/authenticator-registration#data-loading )
    $publicKeyCredential = $publicKeyCredentialLoader->load($json);

    // verification, https://webauthn-doc.spomky-labs.com/pure-php/authenticator-registration#response-verification
    if (!$publicKeyCredential->response instanceof AuthenticatorAttestationResponse) {
        sendJsonErrorAndDie('Invalid authenticator response type, sorry.');
    }

    // additional steps from https://webauthn-doc.spomky-labs.com/pure-php/the-hard-way
    $extensionOutputCheckerHandler = ExtensionOutputCheckerHandler::create();
    $authenticatorAttestationResponseValidator = AuthenticatorAttestationResponseValidator::create(
        $attestationStatementSupportManager,
        null,
        null,
        $extensionOutputCheckerHandler
    );

    // missing bit
    $authenticatorAttestationResponse = AuthenticatorAttestationResponse::create(
        $publicKeyCredential->response->clientDataJSON,
        $publicKeyCredential->response->attestationObject
    );

    // final verification, https://webauthn-doc.spomky-labs.com/pure-php/authenticator-registration#response-verification
    $publicKeyCredentialSource = $authenticatorAttestationResponseValidator->check(
        $authenticatorAttestationResponse,
        Session::get('PublicKeyCredentialCreationOptions'), // PublicKeyCredentialCreationOptions object
        'example.com'
    );

    // store $publicKeyCredentialSource somewhere
    // ...

    // notify the client that all's well
    echo json_encode(['verified' => 1]);
    exit;
} catch (Throwable $e) {
    // debug helper: dumps the exception and stops
    dd($e);
}
```
Hi,
This object comes from the authenticator. In general, it is sent from the browser using a POST request with the data as JSON body.
It is loaded by `PublicKeyCredentialLoader`.
See the following page for more information: https://webauthn-doc.spomky-labs.com/pure-php/authenticator-registration#creation-response
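
The browser side of the exchange described in the reply above, as an added example that is not part of the thread or of the library's documentation: it converts the creation options for `navigator.credentials.create()`, then serializes the resulting credential into the JSON body that `PublicKeyCredentialLoader` loads. The endpoint `/webauthn/register`, all function names, and the assumption that the server sends binary option fields as base64url strings are illustrative.

```javascript
// Added example (not from the thread). REGISTER_URL and all function names are hypothetical.
const REGISTER_URL = '/webauthn/register'; // assumed endpoint that runs the PHP verification

// ArrayBuffer or typed array -> unpadded base64url string.
function toBase64Url(buffer) {
  let binary = '';
  for (const byte of new Uint8Array(buffer)) binary += String.fromCharCode(byte);
  return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// base64url string -> Uint8Array (for challenge, user.id and excludeCredentials ids).
function fromBase64Url(text) {
  const b64 = text.replace(/-/g, '+').replace(/_/g, '/');
  const binary = atob(b64.padEnd(Math.ceil(b64.length / 4) * 4, '='));
  return Uint8Array.from(binary, (ch) => ch.charCodeAt(0));
}

// Server-issued options carry binary fields as strings (assumed base64url); the browser API needs bytes.
function decodeCreationOptions(options) {
  return {
    ...options,
    challenge: fromBase64Url(options.challenge),
    user: { ...options.user, id: fromBase64Url(options.user.id) },
    excludeCredentials: (options.excludeCredentials || []).map((c) => ({ ...c, id: fromBase64Url(c.id) })),
  };
}

// Flatten the PublicKeyCredential (ArrayBuffer fields) into a plain JSON-safe object.
function serializeAttestation(credential) {
  return {
    id: credential.id,
    rawId: toBase64Url(credential.rawId),
    type: credential.type,
    response: {
      clientDataJSON: toBase64Url(credential.response.clientDataJSON),
      attestationObject: toBase64Url(credential.response.attestationObject),
    },
  };
}

// Run the ceremony and POST the result; the server answers after its own verification.
async function register(optionsFromServer) {
  const credential = await navigator.credentials.create({ publicKey: decodeCreationOptions(optionsFromServer) });
  const reply = await fetch(REGISTER_URL, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(serializeAttestation(credential)),
  });
  if (!reply.ok) throw new Error(`registration rejected: HTTP ${reply.status}`);
  return reply.json();
}
```

The server must still treat this body as untrusted input; the signature, challenge and origin checks happen only in the PHP validator.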