WebAuthn
QNSP supports WebAuthn for passwordless authentication.
Configuration
From apps/auth-service/src/config/env.ts:
| Setting | Environment Variable | Default |
|---|---|---|
| Relying Party Name | WEBAUTHN_RP_NAME | QNSP |
| Relying Party ID | WEBAUTHN_RP_ID | localhost |
| Origin | WEBAUTHN_ORIGIN | https://localhost |
Registration Flow
- Request challenge:

      POST /auth/webauthn/register/start
      Content-Type: application/json

      {"userId": "<user_uuid>", "tenantId": "<tenant_uuid>"}

- Client creates credential with platform/roaming authenticator
- Verify and store:

      POST /auth/webauthn/register/complete
      Content-Type: application/json

      {"userId": "<user_uuid>", "tenantId": "<tenant_uuid>", "challengeId": "<challenge_uuid>", "response": {}}
Authentication Flow
- Request challenge:

      POST /auth/webauthn/authenticate/start
      Content-Type: application/json

      {"tenantId": "<tenant_uuid>", "email": "user@example.com"}

- Client signs with authenticator
- Verify and get tokens:

      POST /auth/webauthn/authenticate/complete
      Content-Type: application/json

      {"tenantId": "<tenant_uuid>", "email": "user@example.com", "challengeId": "<challenge_uuid>", "response": {}}
Supported Authenticators
- Platform: Touch ID, Windows Hello, Face ID
- Roaming: YubiKey, Titan Security Key
- Passkeys: Synced credentials (iCloud, Google)
Credential Management
Users can:
- Register multiple credentials per account
- Name credentials for identification
- Revoke individual credentials
Security
- Credentials bound to WEBAUTHN_ORIGIN
- Attestation optional (enterprise recommended)
- User verification required for sensitive operations