nextAuth Server⚓︎
The nextAuth Server will broadcast to the following topics when changes are made to its data models.
One of the nextAuth Server's core entities is the account, optionally linked to a user, which is created during enrolment or headless registration. It persists the public keys used for authentication and for signing transaction data, the related Message Center account, and details about the device it is running on.
Accounts are grouped in virtual servers, which specify session lifetimes and settings related to second factor verification.
Clients start sessions when creating and using their accounts, either interactively (enrol and login, respectively) or headlessly (register and authenticate, respectively).
Finally, the nextAuth Server implements a transaction mechanism, which makes it possible to request that the user reviews some data. During this process, a set of strong evidence is collected.
nextauth-ns-account-status⚓︎
v1⚓︎
Note
Currently, only events with type com.nextauth.ns.account.v1.updated and subjects change_pin, change_bio, use_pin or use_bio are issued.
Attributes⚓︎
| Attribute | Value | Comment |
|---|---|---|
| id | UUID | |
| source | urn:itsme:nextauth/ns | |
| type | com.nextauth.ns.account.v1.created | |
| | com.nextauth.ns.account.v1.updated | |
| | com.nextauth.ns.account.v1.deleted | |
| subject | | Subject is not set for events of type com.nextauth.ns.account.v1.deleted. |
| | register | The account was created without user interaction. |
| | enrol | The account was created after scanning a barcode or clicking on a universal link. |
| | authenticate | The account established a headless session with the nextAuth Server. |
| | login | The account established an interactive session with the nextAuth Server. |
| | set_login_key | The account was upgraded with a login key. |
| | set_transaction_key | The account was upgraded with a transaction signing key. |
| | provoke | Login confirmation was pushed to the account. |
| | change_pin | The user changed their PIN code. |
| | change_bio | Biometrics were toggled by the user. |
| | use_pin | The PIN code was verified, possibly unsuccessfully. |
| | use_bio | Biometrics were presented during the second factor flow. |
| result | | Result is only set for events with subject use_pin. |
| | success | The PIN code was verified successfully. |
| | failure | The PIN code failed to verify. |
| time | | Timestamp of the event that triggered the message. |
Payload⚓︎
| Attribute | Description | Comment | Example |
|---|---|---|---|
| app_instance_id | Identifies the app installation. | String-encoded. The same identifier is communicated to the Message Center and Second Factor Server. It is retained when the Mobile SDK is reset. | |
| server | Virtual server holding the account. | | Server |
| user | Optional user associated with this account. | | User |
| account_id | Account ID | String-encoded, unpadded Base64URL. | |
| public_key_hw | Hardware-backed public key used to authenticate to the server. | String-encoded, unpadded Base64URL. | |
| public_key_hw_recovery | Hardware-backed public key to recover from scenarios where public_key_hw becomes unavailable. | String-encoded, unpadded Base64URL. | |
| public_key_login | Public key used when establishing an interactive session. | String-encoded, unpadded Base64URL. | |
| public_key_transaction | Public key used for signing transactions. | String-encoded, unpadded Base64URL. | |
| blocked | Whether the account is blocked. | | |
| description | Description of the account (e.g., device name). | | |
| display_name | Name which was forwarded to the client for this account. | | |
| device_data | Device Data | | Device Data |
| last_login_at | Timestamp of the last interactive session. | String-encoded, RFC 3339. | |
| last_provoke_at | Timestamp of the last push notification request. | String-encoded, RFC 3339. | |
| sfs_server_id | Second Factor Server ID | | |
| sfs_instance | Second Factor Server Instance | | SFS Instance |
Server⚓︎
```json
{
  "server_id": "",
  "public_key": "",
  "name": null,
  "logo": null,
  "sigmai_uri": "",
  "websocket_uri": "",
  "flags": [""],
  "grace_time_ping": "0s",
  "grace_time_one_shot": "0s",
  "ping_time": "0s",
  "sf_timeout": "0s",
  "sf_timeout_transaction": "0s",
  "serial": 0
}
```
User⚓︎
```json
{
  "server": {
    "server_id": "",
    "public_key": "",
    "name": null,
    "logo": null,
    "sigmai_uri": "",
    "websocket_uri": "",
    "flags": [""],
    "grace_time_ping": "0s",
    "grace_time_one_shot": "0s",
    "ping_time": "0s",
    "sf_timeout": "0s",
    "sf_timeout_transaction": "0s",
    "serial": 0
  },
  "username": ""
}
```
Device Data⚓︎
```json
{
  "attestation": [""],
  "device_info": {},
  "root_info": {},
  "manufacturer": "",
  "model": "",
  "architecture": "",
  "os": "",
  "os_version": "",
  "os_security_patch_version": "",
  "app_id": "",
  "app_version": "",
  "app_build": "",
  "sdk_version": "",
  "sdk_build": "",
  "core_version": "",
  "core_commit": "",
  "go_version": "",
  "debug": true
}
```
SFS Instance⚓︎
```json
{
  "server": {
    "server_id": "",
    "public_key": "",
    "public_key_attestation": "",
    "name": null,
    "max_fail_count": 0,
    "policies": [
      {
        "attempt": 0,
        "penalty": "0s"
      }
    ]
  },
  "public_key_sfc": "",
  "fail_count": 0,
  "last_login_at": "",
  "last_change_pin_at": "",
  "last_change_bio_at": "",
  "last_use_pin_at": "",
  "penalised_until": "",
  "subject_public_keys": [""]
}
```
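A consumer of the nextauth-ns-account-status topic has to enforce the rules in the attribute table (subject absent on deleted events, result only on use_pin) before acting on a message, and the use_pin results and Device Data above are the natural inputs for detection. The following is an added example written for this page, not nextAuth code: it validates the envelope and payload encodings, then flags accounts that accumulate consecutive failed PIN verifications and events whose device_data reports a debug build. It assumes the payload is delivered in a `data` member next to the attributes; the sample events are constructed, and the alert threshold is arbitrary.

```python
import base64
from collections import defaultdict
from datetime import datetime

# Values taken from the nextauth-ns-account-status v1 attribute table.
SOURCE = "urn:itsme:nextauth/ns"
TYPES = {"com.nextauth.ns.account.v1.%s" % a for a in ("created", "updated", "deleted")}
SUBJECTS = {
    "register", "enrol", "authenticate", "login", "set_login_key",
    "set_transaction_key", "provoke", "change_pin", "change_bio", "use_pin", "use_bio",
}
RESULTS = {"success", "failure"}
B64URL_FIELDS = ("account_id", "public_key_hw", "public_key_hw_recovery",
                 "public_key_login", "public_key_transaction")


def b64url_decode(value):
    """Decode unpadded Base64URL, the encoding the payload table specifies for IDs and keys."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def parse_rfc3339(value):
    """Parse an RFC 3339 timestamp (older Pythons reject the trailing 'Z')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_event(event):
    """Reject anything the attribute table does not allow; return (subject, result, payload).

    ASSUMPTION: the payload is carried in a 'data' member next to the attributes.
    """
    if event.get("source") != SOURCE:
        raise ValueError("unexpected source: %r" % event.get("source"))
    etype = event.get("type")
    if etype not in TYPES:
        raise ValueError("unexpected type: %r" % etype)
    subject, result = event.get("subject"), event.get("result")
    if etype.endswith(".deleted"):
        if subject is not None:
            raise ValueError("subject must not be set on deleted events")
    elif subject not in SUBJECTS:
        raise ValueError("unexpected subject: %r" % subject)
    if subject == "use_pin":
        if result not in RESULTS:
            raise ValueError("use_pin events carry a result, got %r" % result)
    elif result is not None:
        raise ValueError("result is only set on use_pin events")
    parse_rfc3339(event["time"])
    payload = event["data"]
    for field in B64URL_FIELDS:
        if payload.get(field):
            b64url_decode(payload[field])  # raises binascii.Error on bad encoding
    for field in ("last_login_at", "last_provoke_at"):
        if payload.get(field):
            parse_rfc3339(payload[field])
    return subject, result, payload


def monitor(events, threshold=3):
    """Consume a stream of account events and return alerts worth a SOC's attention:
    `threshold` consecutive use_pin failures on one account (possible PIN guessing),
    and any event whose device_data reports a debug build of the app.
    """
    streak = defaultdict(int)
    alerts = []
    for event in events:
        subject, result, payload = validate_event(event)
        account_id = payload.get("account_id")
        if payload.get("device_data", {}).get("debug"):
            alerts.append({"account_id": account_id, "reason": "debug build"})
        if subject == "use_pin":
            if result == "failure":
                streak[account_id] += 1
                if streak[account_id] == threshold:
                    alerts.append({"account_id": account_id, "reason": "pin failures",
                                   "count": threshold, "at": event["time"]})
            else:
                streak[account_id] = 0  # a successful verification ends the streak
    return alerts


def _event(subject, result=None, account_id="AQID", debug=False, t="2024-05-01T10:00:00Z"):
    """Build a constructed sample event; IDs and keys are placeholders, not captured data."""
    event = {
        "id": "3f0d1b1e-0000-4000-8000-000000000001",
        "source": SOURCE,
        "type": "com.nextauth.ns.account.v1.updated",
        "subject": subject,
        "time": t,
        "data": {"account_id": account_id, "public_key_hw": "AQID",
                 "device_data": {"debug": debug}},
    }
    if result is not None:
        event["result"] = result
    return event


SAMPLE_EVENTS = [  # constructed: two failures, an unrelated success, a third failure, a debug build
    _event("use_pin", "failure"),
    _event("use_pin", "failure", t="2024-05-01T10:00:05Z"),
    _event("use_pin", "success", account_id="BAUG"),
    _event("use_pin", "failure", t="2024-05-01T10:00:09Z"),
    _event("change_bio", debug=True, account_id="BAUG"),
]

if __name__ == "__main__":
    for alert in monitor(SAMPLE_EVENTS):
        print(alert)
```

Validation failures raise rather than being logged and skipped, so a message with a spoofed source or an impossible subject/result combination never reaches the detection logic. The Second Factor Server already enforces its own fail_count and penalty policies; the consumer-side streak is an independent signal that survives a PIN reset.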
nextauth-ns-server-status⚓︎
v1⚓︎
Note
This event has been planned, but it is not yet available today.
Attributes⚓︎
| Attribute | Value | Comment |
|---|---|---|
| id | UUID | |
| source | urn:itsme:nextauth/ns | |
| type | com.nextauth.ns.server.v1.created | |
| com.nextauth.ns.server.v1.updated | ||
| com.nextauth.ns.server.v1.deleted | ||
| subject | | |
| time | | Timestamp of the event that triggered the message. |
Payload⚓︎
| Attribute | Description | Comment |
|---|---|---|
| server_id | Server ID | String-encoded, unpadded Base64URL. |
| public_key | Public key used to authenticate to clients. | String-encoded, unpadded Base64URL. |
| name | Name of the server. | |
| logo | Logo for the server. | |
| sigmai_uri | URL of the server's SIGMA-I endpoint. | |
| websocket_uri | URL of the server's WebSocket endpoint. | |
| flags | List of configuration flags influencing the server's behaviour. | |
| grace_time_ping | Time (in seconds) during which sessions are still considered valid after the last ping signal has been received from the app. | |
| grace_time_one_shot | Time (in seconds) during which one-shot sessions (i.e., when the ping mechanism has been disabled for this server) are considered active after they were started. | |
| ping_time | Time (in seconds) that the nextAuth SDK has before it needs to reply to a ping request from the nextAuth Server (continuous authentication). | |
| sf_timeout | Time (in minutes) since the last time the user entered their PIN, that they are not requested to present a PIN at login. | |
| sf_timeout_transaction | Time (in minutes) since the last time the user entered their PIN, that they are not requested to present a PIN at transaction approval. | |
| serial | Serial | |
nextauth-ns-session-status⚓︎
v1⚓︎
Note
This event has been planned, but it is not yet available today.
Attributes⚓︎
| Attribute | Value | Comment |
|---|---|---|
| id | UUID | |
| source | urn:itsme:nextauth/ns | |
| type | com.nextauth.ns.session.v1.created | |
| | com.nextauth.ns.session.v1.updated | |
| | com.nextauth.ns.session.v1.deleted | |
| subject | | Subject is not set for events of type com.nextauth.ns.session.v1.created and com.nextauth.ns.session.v1.deleted. |
| | register | The session concerns a non-interactive account registration. |
| | enrol | The session was started interactively to enrol a new account. |
| | authenticate | The session concerns a non-interactive authentication. |
| | login | The session was started interactively to log in with an existing account. |
| | provoke | Login confirmation was pushed to the account which was last active. |
| time | | Timestamp of the event that triggered the message. |
Payload⚓︎
| Attribute | Description | Comment | Example |
|---|---|---|---|
| server | Virtual server holding the associated account. | | Server |
| account | Account which authenticated during the session. | | Account |
| public_key_remote | Public key used by the remote to authenticate. | String-encoded, unpadded Base64URL. | |
| h_nonce | Session ID converted for public use. | String-encoded, unpadded Base64URL. | |
| last_change_at | Timestamp of the last contact with the client. | String-encoded, RFC 3339. | |
| logged_in | Whether the session is currently logged in interactively. | | |
| user_input | Additional input provided during an interactive enrol or login. | | |
| app_login | Whether the interactive session was initiated by the client. | | |
| headless | Whether this concerns a non-interactive session. | | |
Account⚓︎
```json
{
  "app_instance_id": "",
  "server": {
    "server_id": "",
    "public_key": "",
    "name": null,
    "logo": null,
    "sigmai_uri": "",
    "websocket_uri": "",
    "flags": [""],
    "grace_time_ping": "0s",
    "grace_time_one_shot": "0s",
    "ping_time": "0s",
    "sf_timeout": "0s",
    "sf_timeout_transaction": "0s",
    "serial": 0
  },
  "user": {
    "server": {
      "server_id": "",
      "public_key": "",
      "name": null,
      "logo": null,
      "sigmai_uri": "",
      "websocket_uri": "",
      "flags": [""],
      "grace_time_ping": "0s",
      "grace_time_one_shot": "0s",
      "ping_time": "0s",
      "sf_timeout": "0s",
      "sf_timeout_transaction": "0s",
      "serial": 0
    },
    "username": ""
  },
  "account_id": "",
  "public_key_hw": "",
  "public_key_hw_recovery": "",
  "public_key_login": "",
  "public_key_transaction": "",
  "blocked": false,
  "description": "",
  "display_name": "",
  "device_data": {
    "attestation": [""],
    "device_info": {},
    "root_info": {},
    "manufacturer": "",
    "model": "",
    "architecture": "",
    "os": "",
    "os_version": "",
    "os_security_patch_version": "",
    "app_id": "",
    "app_version": "",
    "app_build": "",
    "sdk_version": "",
    "sdk_build": "",
    "core_version": "",
    "core_commit": "",
    "go_version": "",
    "debug": true
  },
  "last_login_at": "",
  "last_provoke_at": "",
  "sfs_server_id": "",
  "sfs_instance": null
}
```
nextauth-ns-transaction-status⚓︎
v1⚓︎
Note
This event has been planned, but it is not yet available today.
Attributes⚓︎
| Attribute | Value | Comment |
|---|---|---|
| id | UUID | |
| source | urn:itsme:nextauth/ns | |
| type | com.nextauth.ns.transaction.v1.created | |
| | com.nextauth.ns.transaction.v1.updated | |
| subject | | Subject is not set for events of type com.nextauth.ns.transaction.v1.created. |
| | sign | The transaction was confirmed by the user and the signature is available. |
| time | | Timestamp of the event that triggered the message. |
Payload⚓︎
| Attribute | Description | Comment | Example |
|---|---|---|---|
| transaction_id | Transaction ID | String-encoded, unpadded Base64URL. | |
| server | Virtual server holding the transaction. | | Server |
| accounts | List of accounts which are authorised to sign the transaction. | | [Account] |
| user | User who is authorised to sign the transaction. | | User |
| signed | Whether or not the transaction has been signed. | | |
| can_sign | Whether or not the transaction can still be signed. | | |
| expires_at | Timestamp after which the transaction can no longer be signed. | String-encoded, RFC 3339. | |
| transaction_data | Transaction Data | | |
| client_state | State of the transaction communicated by the client. | | |
| server_state | State of the transaction communicated through the NS. | | |
| client_additional_data | Additional data which was included in the signature by the client. | | |
| server_additional_data | Additional data which should be included in the signature. | | |
| sf_constraint | Constraint on the second factor for signing this transaction. | | |
| sf_max_age | Maximum age in minutes of the second factor verification after which users will be required to present their second factor for signing this transaction (if not required explicitly by sf_constraint). | | |
| signature | Signature | | Signature |
Signature⚓︎
```json
{
  "account_id": "",
  "account_public_key_hardware": "",
  "account_public_key_transaction": "",
  "username": "",
  "device_data": {
    "attestation": [""],
    "device_info": {},
    "root_info": {},
    "manufacturer": "",
    "model": "",
    "architecture": "",
    "os": "",
    "os_version": "",
    "os_security_patch_version": "",
    "app_id": "",
    "app_version": "",
    "app_build": "",
    "sdk_version": "",
    "sdk_build": "",
    "core_version": "",
    "core_commit": "",
    "go_version": "",
    "debug": true
  },
  "screenshots": [""],
  "user_input": "",
  "signature_data": {
    "channel_binding_server": "",
    "channel_binding_client": "",
    "locked_at": ""
  },
  "signature_hardware": "",
  "signature_transaction": "",
  "sf_attestation": {
    "generated": "",
    "sf_verification_hash": "",
    "h_nonces": [""],
    "merkle_root": "",
    "merkle_path": {
      "public_key": "",
      "path_h": [""],
      "path_d": ""
    },
    "entries": [""],
    "sf_flags": [""],
    "sfs_signature": "",
    "sfs_public_key": ""
  }
}
```
nextauth-ns-user-status⚓︎
v1⚓︎
Note
This event has been planned, but it is not yet available today.
Attributes⚓︎
| Attribute | Value | Comment |
|---|---|---|
| id | UUID | |
| source | urn:itsme:nextauth/ns | |
| type | com.nextauth.ns.user.v1.created | |
| | com.nextauth.ns.user.v1.updated | |
| | com.nextauth.ns.user.v1.deleted | |
| subject | | Subject is not set for events of type com.nextauth.ns.user.v1.created and com.nextauth.ns.user.v1.deleted. |
| | provoke | Login confirmation was pushed to all accounts associated with this user. |
| time | | Timestamp of the event that triggered the message. |
Payload⚓︎
| Attribute | Description | Example |
|---|---|---|
| server | Virtual server holding the user. | Server |
| username | Username | |