Implement login with WebAuthn API
This describes how to implement WebAuthn login scenarios using Mosaic's WebAuthn API authentication method.
For all scenarios:
- WebAuthn credentials should only be registered to verified users
- Integrate using the relevant quickstart (Web or iOS), adapted for your scenario as described below
- You can manage the user profile as needed, for example, using the user ID (user_id) or external user ID (external_user_id) if set.
For users managed via Transmit
Scenario: You're using Mosaic to both manage and authenticate users.
Before a user registers WebAuthn credentials:
- Authenticate the user using a Mosaic login method. If they're registering WebAuthn credentials for the first time, it must be a different login method that will verify the user (e.g., email magic link).
- Register WebAuthn credentials on the device for the verified username.
- Register WebAuthn credentials in Mosaic for the logged-in user using the user access token from their Mosaic login.
For users managed externally
Scenario: You're managing your users externally, such as using an external identity provider or your own solution.
Before a user registers WebAuthn credentials:
- Make sure the user has already been verified using an external verification process.
- Register WebAuthn credentials on the device for the verified username using the Platform SDK.
- Register WebAuthn credentials in Mosaic for the logged-out user (logged out of Mosaic, not the website) using a client access token and an external identifier of the user in your system. This will create a new user in the Mosaic system if no existing user with the external user ID is found; otherwise the credentials are registered to the existing user.
Note
- To register credentials for new users to your Mosaic application, public sign-up must be enabled.
- If the user already exists for your Mosaic application (e.g., by authenticating using a different Mosaic login method) but an external user ID wasn't set for this user, this flow will create a new user when they register credentials for the first time.
For users migrated to Transmit
Scenario: You're migrating users to Mosaic from an external system, such as an external identity provider.
Since these users have already been verified using an external process, you may not want to ask them to verify again. In this case, you can register credentials for these users using the flow described above for externally-managed users.