requireResidentKey for Legacy Support #757

@j4ceee

Version(s) affected

5.2.2

Description

While `requireResidentKey` is deprecated in the official spec, for backwards compatibility it would make sense to still include it in the serialized options. Here is an example on web.dev.

How to reproduce

```php
use Webauthn\AuthenticationExtensions\AuthenticationExtension;
use Webauthn\AuthenticationExtensions\AuthenticationExtensions;
use Webauthn\AuthenticatorSelectionCriteria;
use Webauthn\PublicKeyCredentialCreationOptions;

// Inside a class that already holds $this->rpEntity, $this->userEntity and
// $this->credentialExcludeList; $challenge and $publicKeyCredentialParametersList
// are built earlier in the same method.

// Request a discoverable (resident) credential with user verification.
$authenticatorSelectionCriteria = AuthenticatorSelectionCriteria::create(
    AuthenticatorSelectionCriteria::AUTHENTICATOR_ATTACHMENT_NO_PREFERENCE,
    AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_REQUIRED,
    AuthenticatorSelectionCriteria::RESIDENT_KEY_REQUIREMENT_REQUIRED,
);

// Ask the client to report whether the created credential is discoverable.
$extensions = AuthenticationExtensions::create([
    AuthenticationExtension::create('credProps', true)
]);

$this->creationOptions = PublicKeyCredentialCreationOptions::create(
    $this->rpEntity,
    $this->userEntity,
    $challenge,
    $publicKeyCredentialParametersList,
    $authenticatorSelectionCriteria,
    PublicKeyCredentialCreationOptions::ATTESTATION_CONVEYANCE_PREFERENCE_NONE,
    $this->credentialExcludeList,
    600000, // timeout in ms (10 minutes)
    $extensions
);
```

This will result in:

```json
{
    "challenge": "S2XcdsDhZjAVkRtdvXB30kE4tWLqpcVClUKi1ejgfps",
    "timeout": 600000,
    "extensions": {
        "credProps": true
    },
    "rp": {
        "id": "kunde.wisotel.de.test",
        "icon": null,
        "name": "Wisotel"
    },
    "user": {
        "id": "xxx",
        "name": "test",
        "displayName": "Test"
    },
    "pubKeyCredParams": [
        {
            "type": "public-key",
            "alg": -46
        },
        {
            "type": "public-key",
            "alg": -7
        },
        {
            "type": "public-key",
            "alg": -257
        },
        {
            "type": "public-key",
            "alg": -37
        },
        {
            "type": "public-key",
            "alg": -260
        }
    ],
    "authenticatorSelection": {
        "authenticatorAttachment": null,
        "userVerification": "required",
        "residentKey": "required"
    },
    "attestation": "none",
    "excludeCredentials": []
}
```

Meanwhile webauthn.io gives back these options for similar settings:

```json
{
    "rp": {
        "name": "webauthn.io",
        "id": "webauthn.io"
    },
    "user": {
        "id": "xxx",
        "name": "test_pixel",
        "displayName": "test_pixel"
    },
    "challenge": "a_tHiY_M20eaudPI67OyHTThm1LYsLxfQQaOq51NvK2hLPrDBNcfg2WyNeTxT_FN0sLz21q8jCqxSLdOoaGBaQ",
    "pubKeyCredParams": [
        {
            "type": "public-key",
            "alg": -8
        },
        {
            "type": "public-key",
            "alg": -7
        },
        {
            "type": "public-key",
            "alg": -257
        }
    ],
    "timeout": 60000,
    "excludeCredentials": [],
    "authenticatorSelection": {
        "residentKey": "required",
        "requireResidentKey": true,
        "userVerification": "required"
    },
    "attestation": "none",
    "hints": [],
    "extensions": {
        "credProps": true
    }
}
```

Note the `"requireResidentKey": true` line in `authenticatorSelection`.

On Firefox for Android, Google Password Manager will always create a non-resident key even with `"residentKey": "required"` set. Adding `"requireResidentKey": true` manually fixes this. This was tested with the SimpleWebAuthn Browser library.

Possible Solution

No response

Additional Context

No response
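The manual workaround described in the report, as an added example that is neither the reporter's code nor part of webauthn-framework: a client-side normalisation step that makes the deprecated Level 1 field `requireResidentKey` agree with the Level 2 field `residentKey` (true if and only if `residentKey` is `"required"`) before the options JSON is handed to the browser, and that also maps legacy-only options the other way. The function name and the sample options are assumptions, not from the page.

```javascript
// Added example (not from the issue or from webauthn-framework): make the
// deprecated Level 1 field `requireResidentKey` and the Level 2 field
// `residentKey` agree inside authenticatorSelection before the options are
// handed to navigator.credentials.create() or a wrapper such as
// SimpleWebAuthn's startRegistration(). Function name is assumed.
function normalizeAuthenticatorSelection(options) {
  const sel = { ...(options.authenticatorSelection ?? {}) };
  const hasResidentKey = typeof sel.residentKey === 'string';
  const hasLegacyFlag = typeof sel.requireResidentKey === 'boolean';

  if (hasResidentKey) {
    // Level 2 rule: requireResidentKey must be true if, and only if,
    // residentKey is "required".
    const derived = sel.residentKey === 'required';
    if (hasLegacyFlag && sel.requireResidentKey !== derived) {
      // Refuse to guess when the server sent contradictory values.
      throw new Error(
        `contradictory authenticatorSelection: residentKey=${sel.residentKey}, ` +
        `requireResidentKey=${sel.requireResidentKey}`
      );
    }
    sel.requireResidentKey = derived;
  } else if (hasLegacyFlag) {
    // Legacy-only options: map the boolean onto the Level 2 enum so that
    // clients which ignore requireResidentKey still get the intended value.
    sel.residentKey = sel.requireResidentKey ? 'required' : 'discouraged';
  }
  // Neither field present: leave the selection untouched and let the
  // client apply its own defaults.
  return { ...options, authenticatorSelection: sel };
}

// Constructed sample shaped like the serialized options from the issue
// (challenge and ids are placeholders, not real values).
const serverOptions = {
  challenge: 'S2XcdsDhZjAVkRtdvXB30kE4tWLqpcVClUKi1ejgfps',
  rp: { id: 'rp.example', name: 'Example RP' },
  user: { id: 'xxx', name: 'test', displayName: 'Test' },
  pubKeyCredParams: [{ type: 'public-key', alg: -7 }],
  authenticatorSelection: { userVerification: 'required', residentKey: 'required' },
};

const fixedOptions = normalizeAuthenticatorSelection(serverOptions);
// fixedOptions.authenticatorSelection.requireResidentKey === true
```

The original `serverOptions` object is left unmodified; only the returned copy carries the added flag.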

Labels

enhancement (New feature or request)