WindowsClient fixes

examples/large_blobs.py

@@ -40,7 +40,7 @@
 client = get_client(lambda client: "largeBlobKey" in client.info.extensions)
 
 
-# LargeBlob requires UV if is it configured
+# LargeBlob requires UV if it is configured
 uv = "discouraged"
 if client.info.options.get("clientPin"):
     uv = "required"
@@ -74,14 +74,18 @@
 )
 credentials = [auth_data.credential_data]
 
+if auth_data.is_user_verified():
+    # The WindowsClient doesn't know about authenticator config until now
+    uv = "required"
+
 if not result.extension_results.get("largeBlob", {}).get("supported"):
     print("Credential does not support largeBlob, failure!")
     sys.exit(1)
 
 print("Credential created! Writing a blob...")
 
 # Prepare parameters for getAssertion
-request_options, state = server.authenticate_begin(user_verification=uv)
+request_options, state = server.authenticate_begin(credentials, user_verification=uv)
 
 # Authenticate the credential
 selection = client.get_assertion(

examples/prf.py

@@ -65,29 +65,25 @@
 auth_data = server.register_complete(
     state, result.client_data, result.attestation_object
 )
-credentials = [auth_data.credential_data]
+credential = auth_data.credential_data
 
 # PRF result:
 if not result.extension_results.get("prf", {}).get("enabled"):
     print("Failed to create credential with PRF", result.extension_results)
     sys.exit(1)
 
-credential = result.attestation_object.auth_data.credential_data
 print("New credential created, with the PRF extension.")
 
 # If created with UV, keep using UV
 if result.attestation_object.auth_data.is_user_verified():
     uv = "required"
 
-# Prepare parameters for getAssertion
-allow_list = [{"type": "public-key", "id": credential.credential_id}]
-
 # Generate a salt for PRF:
 salt = os.urandom(32)
 print("Authenticate with salt:", salt.hex())
 
-
 # Prepare parameters for getAssertion
+credentials = [credential]
 request_options, state = server.authenticate_begin(credentials, user_verification=uv)
 
 # Authenticate the credential

examples/resident_key.py

@@ -57,8 +57,12 @@
 )
 
 # Create a credential
-result = client.make_credential(create_options["publicKey"])
-
+result = client.make_credential(
+    {
+        **create_options["publicKey"],
+        "extensions": {"credProps": True},
+    }
+)
 
 # Complete registration
 auth_data = server.register_complete(
@@ -73,6 +77,10 @@
 print()
 print("CREDENTIAL DATA:", auth_data.credential_data)
 
+# credProps:
+cred_props = result.extension_results.get("credProps")
+print("CredProps", cred_props)
+
 
 # Prepare parameters for getAssertion
 request_options, state = server.authenticate_begin(user_verification=uv)

fido2/client.py

@@ -1109,13 +1109,13 @@ def make_credential(self, options, event=None):
                 client_data,
                 options.timeout or 0,
                 selection.resident_key,
-                attestation,
+                WebAuthNAuthenticatorAttachment.from_string(
+                    selection.authenticator_attachment or "any"
+                ),
                 WebAuthNUserVerificationRequirement.from_string(
                     selection.user_verification or "discouraged"
                 ),
-                WebAuthNAttestationConveyancePreference.from_string(
-                    options.attestation or "none"
-                ),
+                attestation,
                 options.exclude_credentials,
                 options.extensions,
                 event,

fido2/win_api.py

@@ -1046,6 +1046,8 @@ def make_credential(
             elif "hmacCreateSecret" in extensions and self._allow_hmac_secret:
                 resident_key = True  # Windows requires resident key for hmac-secret
                 win_extensions.append(WebAuthNExtension("hmac-secret", BOOL(True)))
+        else:
+            extensions = {}
 
         if event:
             t = CancelThread(event)