Understanding the process of webauthn assertions and their responses

What happened?

I am attempting to use the webauthn Go package to send a challenge to a Yubikey registered to an org using Okta. I am reaching out in regards to how to correctly implement this process using the pomerium package.

What did you expect to happen?

I have a challenge token from Okta that I want to use with your package to receive the AuthenticatorAssertionResponse (see here).

How’d it happen?

So far my efforts have fallen short of understanding how to implement the package.

What’s your environment like?

  • Golang version 1.19.4 darwin/arm64

Additional context

Unsure if this is the correct place to post, did not want to go directly into the Slack for me not understanding the package.

Hi Barkley101,

The webauthn package is modeled on the RFC which describes two “ceremonies” for registering and authenticating devices. It can be pretty confusing. I’ve not tried it with a Yubikey but I have tried it with a Google Titan security key.

An example can be found in our verify app:

And the frontend:

The AuthenticatorAssertionResponse comes from the Web Credentials API: AuthenticatorAssertionResponse - Web APIs | MDN
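
Added example (not part of the thread, and not Pomerium's code or its webauthn package API): a standard-library Go sketch of what the relying party checks in the authentication ceremony once the browser returns an AuthenticatorAssertionResponse. Assumptions: an ES256 (ECDSA P-256) credential, the constructed relying party rp.example, made-up challenge values, and a hypothetical demo helper that stands in for the browser and security key.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// VerifyAssertion runs the relying party's core checks on an ES256 assertion.
func VerifyAssertion(clientDataJSON, authData, sig []byte, pub *ecdsa.PublicKey, challenge []byte, origin, rpID string, stored uint32) (uint32, error) {
	var cd struct{ Type, Challenge, Origin string }
	rp, cdh := sha256.Sum256([]byte(rpID)), sha256.Sum256(clientDataJSON)
	if json.Unmarshal(clientDataJSON, &cd) != nil || len(authData) < 37 {
		return 0, errors.New("malformed clientDataJSON or authenticatorData")
	}
	count := binary.BigEndian.Uint32(authData[33:37]) // after rpIdHash (32) and flags (1)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	switch {
	case cd.Type != "webauthn.get" || cd.Origin != origin || cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge):
		return 0, errors.New("clientDataJSON type, origin or challenge mismatch")
	case !bytes.Equal(authData[:32], rp[:]) || authData[32]&0x01 == 0:
		return 0, errors.New("rpIdHash mismatch or user-present flag unset")
	case (count != 0 || stored != 0) && count <= stored:
		return 0, errors.New("signature counter did not increase")
	case !ecdsa.VerifyASN1(pub, digest[:], sig):
		return 0, errors.New("signature invalid")
	}
	return count, nil
}

// demo (hypothetical) plays browser and security key with constructed data, then verifies as rp.example.
func demo(sent, want, origin string, count, stored uint32) (uint32, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cdj, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": base64.RawURLEncoding.EncodeToString([]byte(sent)), "origin": origin})
	rp, cdh := sha256.Sum256([]byte("rp.example")), sha256.Sum256(cdj)
	ad := append(rp[:], 0x01, 0, 0, 0, 0) // rpIdHash | flags (UP) | signCount
	binary.BigEndian.PutUint32(ad[33:], count)
	digest := sha256.Sum256(append(append([]byte{}, ad...), cdh[:]...))
	sig, _ := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return VerifyAssertion(cdj, ad, sig, &key.PublicKey, []byte(want), "https://rp.example", "rp.example", stored)
}

func main() { fmt.Println(demo("nonce-1", "nonce-1", "https://rp.example", 5, 4)) }
```

The challenge passed to VerifyAssertion must be the one the server issued for this session; a challenge obtained from a different relying party is bound to that party's origin and RP ID and will fail the clientDataJSON and rpIdHash checks.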