PM-2035: PRF Unlock (#6401)

* Initial refactor * Add WebauthnPRFOptions to syncResponse * MAYBE: Use KM owned ResponseModel? * REVERT ^- Keep using PrfUnlockOptions for simplicity This reverts commit 5a34e7dfa8. * UserDecryptionOptions: Only send one credential * format * Update UserDecryptionOptions.cs * format * Added feature flag (#6600)
2026-01-31 00:33:17 +00:00 · 2026-01-26 16:18:42 +01:00
parent c8124667ee
commit 40e293117d
7 changed files with 50 additions and 7 deletions
--- a/src/Identity/IdentityServer/UserDecryptionOptionsBuilder.cs
+++ b/src/Identity/IdentityServer/UserDecryptionOptionsBuilder.cs
@@ -64,8 +64,12 @@ public class UserDecryptionOptionsBuilder : IUserDecryptionOptionsBuilder
    {
        if (credential.GetPrfStatus() == WebAuthnPrfStatus.Enabled)
        {
-            _options.WebAuthnPrfOption =
-                new WebAuthnPrfDecryptionOption(credential.EncryptedPrivateKey, credential.EncryptedUserKey);
+            _options.WebAuthnPrfOption = new WebAuthnPrfDecryptionOption(
+                credential.EncryptedPrivateKey,
+                credential.EncryptedUserKey,
+                credential.CredentialId,
+                [] // Stored credentials currently lack Transports, just send an empty array for now
+            );
        }

        return this;