Movatterモバイル変換

[0]ホーム
URL:

  1. Web
  2. Web APIs
  3. AuthenticatorResponse
  4. clientDataJSON

AuthenticatorResponse: clientDataJSON property

Baseline Widely available

This feature is well established and works across many devices and browser versions. It’s been available across browsers since ⁨September 2021⁩.

Secure context: This feature is available only insecure contexts (HTTPS), in some or allsupporting browsers.

TheclientDataJSON property of theAuthenticatorResponse interface stores aJSON string in anArrayBuffer, representing the client data that was passed tonavigator.credentials.create() ornavigator.credentials.get(). This property is only accessed on one of the child objects ofAuthenticatorResponse, specificallyAuthenticatorAttestationResponse orAuthenticatorAssertionResponse.

Value

AnArrayBuffer.

Instance properties

After theclientDataJSON object is converted from anArrayBuffer to a JavaScript object, it will have the following properties:

challenge

Thebase64urlencoded version of the cryptographic challenge sent from the relying party's server.The original value are passed as thechallenge option inCredentialsContainer.get() orCredentialsContainer.create().

crossOriginOptional

A boolean. If set totrue, it means that the calling context is an<iframe> that is not same origin with its ancestor frames.

origin

The fully qualified origin of the relying party which has been given by theclient/browser to the authenticator. We should expect therelying party'sid to be a suffix of this value.

tokenBindingOptionalDeprecated

An object describing the state ofthe token binding protocol for the communication with the relying party. It has two properties:

  • status: A string which is either"supported" whichindicates the client support token binding but did not negotiate with the relyingparty or"present" when token binding was used already
  • id: A string which is thebase64urlencoding of the token binding ID which was used for the communication.

Should this property be absent, it would indicate that the client does not supporttoken binding.

Note:tokenBinding is deprecated as of Level 3 of the spec, but the field is reserved so that it won't be reused for a different purpose.

topOriginOptional

Contains the fully qualified top-level origin of the relying party. It is set only if itcrossOrigin istrue.

type

A string which is either"webauthn.get" when an existing credential isretrieved or"webauthn.create" when a new credential is created.

Examples

js
function arrayBufferToStr(buf) {  return String.fromCharCode.apply(null, new Uint8Array(buf));}// pk is a PublicKeyCredential that is the result of a create() or get() Promiseconst clientDataStr = arrayBufferToStr(pk.response.clientDataJSON);const clientDataObj = JSON.parse(clientDataStr);console.log(clientDataObj.type); // "webauthn.create" or "webauthn.get"console.log(clientDataObj.challenge); // base64 encoded String containing the original challengeconsole.log(clientDataObj.origin); // the window.origin

Specifications

Specification
Web Authentication: An API for accessing Public Key Credentials - Level 3
# dom-authenticatorresponse-clientdatajson

Browser compatibility

Help improve MDN

Learn how to contribute

This page was last modified on byMDN contributors.

[8]ページ先頭
©2009-2025 Movatter.jp