Logging into a server, using an existing passkey, is a lot simpler than creating a new account and passkey.
Prerequisite
You can only login, using a passkey, if one has already been established, through the creation process.
It is assumed that the server has properly stored at least the Public Key, and the Credential ID for the passkey. These were provided by the client, during creation.
It is also assumed that the client has the original passkey that is reflected in the server. Assuming we used the Authentication Services SDK to produce the key, as defined by the previous pages, then we’re sorted.
The Process
Step One: The Client Requests a Challenge From the Server
When the client app has its “Login” button selected, it requests a challenge from the server. This is very simple; just a random string of bytes.
Step Two: The Server Responds With the Challenge Data
The server generates the string, and sends it to the client.
Step Three: The Client Authenticates, signs the WebAuthn credentials, and Sends Them to the Server
At this point, the client uses the Authentication Services SDK to sign a credential data package (including the challenge, sent from the server). It first presents GUI to the user, asking for authorization.
It then sends this signed data packet to the server,
Step Four: The Server Validates the Client Credentials, and Logs In the Client
The server validates the signed data packet, using its stored Public Key, and also verifies the challenge. If all is good, it logs in the user, and returns a success indication (in our case, a bearer token).
Now that we know the basic process, let’s walk through the code that implements it.