Merged
Changes from 4 commits
1 change: 1 addition & 0 deletions .prettierignore
Expand Up @@ -17,3 +17,4 @@ vendor
code-examples/sdk/typescript/src/**/*.hbs
**/.dart_tool
**/*.jsonc
.claude/
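Review bot: the new `.claude/` entry only keeps Prettier from formatting that directory; if it holds local AI-assistant settings rather than files meant to be committed, the exclusion that matters is in `.gitignore` (check whether it is already listed there), and if the directory is meant to be committed, a short comment above the entry explaining why it must not be formatted would help the next reader.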
4 changes: 4 additions & 0 deletions docs/kratos/passwordless/08_deviceauthn.mdx
Expand Up @@ -797,6 +797,8 @@ And the Flutter code gets this result back: `iOS 26.2.1` (for example).

At this point the key is enrolled for the identity.

[![DeviceAuthn enrollment sequence](https://mermaid.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)](https://mermaid.live/edit#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)

### Proof of device enrollment

1. When the user creates the login flow with the DeviceAuthn strategy, the client receives a server challenge.
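Review bot: the enrollment diagram is fetched at view time from an external mermaid rendering host, and its source exists only inside the `mermaid.live/edit#` URL, so the sequence itself cannot be reviewed in this diff and the page shows a broken image whenever that host is unavailable or changes its URL scheme. Prefer committing the mermaid source as a fenced mermaid block in the MDX (or a checked-in SVG) so the diagram is versioned, diffable and served together with the docs.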
Expand All @@ -809,6 +811,8 @@ At this point the key is enrolled for the identity.
1. Erases the challenge value in the database to prevent re-use.
1. Replies with 200 with a fresh session token and a higher AAL e.g. AAL2 or AAL3

[![DeviceAuthn login sequence](https://mermaid.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)](https://mermaid.live/edit#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)

### Key Revocation

- The user can revoke a key themselves (e.g. because the device is stolen, lost, broken, etc) using the settings flow. This action
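Review bot: same point as for the enrollment diagram: the login-sequence image is loaded from an external mermaid host and its source lives only in the edit link, so it is neither reviewable here nor robust to that service going away; commit the mermaid source next to the text instead. Since the numbered steps just above state that the challenge is erased after use and that the reply carries a fresh session token with a higher AAL, please confirm the committed diagram shows those same steps so the picture and the text do not drift apart.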