feat: session v2 passkey authentication (#5952)

2025-08-12 00:47:33 +00:00 · 2023-06-07 17:28:42 +02:00
parent f7157b65f4
commit f456168a74
39 changed files with 1261 additions and 162 deletions
--- a/internal/api/grpc/admin/information_integration_test.go
+++ b/internal/api/grpc/admin/information_integration_test.go
@@ -30,7 +30,6 @@ func TestMain(m *testing.M) {
 }

 func TestServer_Healthz(t *testing.T) {
-	client := admin.NewAdminServiceClient(Tester.GRPCClientConn)
-	_, err := client.Healthz(context.TODO(), &admin.HealthzRequest{})
+	_, err := Tester.Client.Admin.Healthz(context.TODO(), &admin.HealthzRequest{})
 	require.NoError(t, err)
 }
--- a/internal/api/grpc/fields.go
+++ b/internal/api/grpc/fields.go
@@ -30,7 +30,9 @@ func AllFieldsSet(t testing.TB, msg protoreflect.Message, ignoreTypes ...protore
 		}

 		if fd.Kind() == protoreflect.MessageKind {
-			AllFieldsSet(t, msg.Get(fd).Message(), ignoreTypes...)
+			if m, ok := msg.Get(fd).Interface().(protoreflect.Message); ok {
+				AllFieldsSet(t, m, ignoreTypes...)
+			}
 		}
 	}
 }
--- a/internal/api/grpc/session/v2/session.go
+++ b/internal/api/grpc/session/v2/session.go
@@ -3,11 +3,13 @@ package session
 import (
 	"context"

+	"google.golang.org/protobuf/types/known/structpb"
 	"google.golang.org/protobuf/types/known/timestamppb"

 	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/api/grpc/object/v2"
 	"github.com/zitadel/zitadel/internal/command"
+	"github.com/zitadel/zitadel/internal/domain"
 	caos_errs "github.com/zitadel/zitadel/internal/errors"
 	"github.com/zitadel/zitadel/internal/query"
 	session "github.com/zitadel/zitadel/pkg/grpc/session/v2alpha"
@@ -43,7 +45,9 @@ func (s *Server) CreateSession(ctx context.Context, req *session.CreateSessionRe
 	if err != nil {
 		return nil, err
 	}
-	set, err := s.command.CreateSession(ctx, checks, metadata)
+	challengeResponse, cmds := s.challengesToCommand(req.GetChallenges(), checks)
+
+	set, err := s.command.CreateSession(ctx, cmds, metadata)
 	if err != nil {
 		return nil, err
 	}
@@ -51,6 +55,7 @@ func (s *Server) CreateSession(ctx context.Context, req *session.CreateSessionRe
 		Details:      object.DomainToDetailsPb(set.ObjectDetails),
 		SessionId:    set.ID,
 		SessionToken: set.NewToken,
+		Challenges:   challengeResponse,
 	}, nil
 }

@@ -59,7 +64,9 @@ func (s *Server) SetSession(ctx context.Context, req *session.SetSessionRequest)
 	if err != nil {
 		return nil, err
 	}
-	set, err := s.command.UpdateSession(ctx, req.GetSessionId(), req.GetSessionToken(), checks, req.GetMetadata())
+	challengeResponse, cmds := s.challengesToCommand(req.GetChallenges(), checks)
+
+	set, err := s.command.UpdateSession(ctx, req.GetSessionId(), req.GetSessionToken(), cmds, req.GetMetadata())
 	if err != nil {
 		return nil, err
 	}
@@ -70,6 +77,7 @@ func (s *Server) SetSession(ctx context.Context, req *session.SetSessionRequest)
 	return &session.SetSessionResponse{
 		Details:      object.DomainToDetailsPb(set.ObjectDetails),
 		SessionToken: set.NewToken,
+		Challenges:   challengeResponse,
 	}, nil
 }

@@ -104,13 +112,13 @@ func sessionToPb(s *query.Session) *session.Session {

 func factorsToPb(s *query.Session) *session.Factors {
 	user := userFactorToPb(s.UserFactor)
-	pw := passwordFactorToPb(s.PasswordFactor)
-	if user == nil && pw == nil {
+	if user == nil {
 		return nil
 	}
 	return &session.Factors{
 		User:     user,
-		Password: pw,
+		Password: passwordFactorToPb(s.PasswordFactor),
+		Passkey:  passkeyFactorToPb(s.PasskeyFactor),
 	}
 }

@@ -123,6 +131,15 @@ func passwordFactorToPb(factor query.SessionPasswordFactor) *session.PasswordFac
 	}
 }

+func passkeyFactorToPb(factor query.SessionPasskeyFactor) *session.PasskeyFactor {
+	if factor.PasskeyCheckedAt.IsZero() {
+		return nil
+	}
+	return &session.PasskeyFactor{
+		VerifiedAt: timestamppb.New(factor.PasskeyCheckedAt),
+	}
+}
+
 func userFactorToPb(factor query.SessionUserFactor) *session.UserFactor {
 	if factor.UserID == "" || factor.UserCheckedAt.IsZero() {
 		return nil
@@ -180,7 +197,7 @@ func idsQueryToQuery(q *session.IDsQuery) (query.SearchQuery, error) {
 	return query.NewSessionIDsSearchQuery(q.Ids)
 }

-func (s *Server) createSessionRequestToCommand(ctx context.Context, req *session.CreateSessionRequest) ([]command.SessionCheck, map[string][]byte, error) {
+func (s *Server) createSessionRequestToCommand(ctx context.Context, req *session.CreateSessionRequest) ([]command.SessionCommand, map[string][]byte, error) {
 	checks, err := s.checksToCommand(ctx, req.Checks)
 	if err != nil {
 		return nil, nil, err
@@ -188,7 +205,7 @@ func (s *Server) createSessionRequestToCommand(ctx context.Context, req *session
 	return checks, req.GetMetadata(), nil
 }

-func (s *Server) setSessionRequestToCommand(ctx context.Context, req *session.SetSessionRequest) ([]command.SessionCheck, error) {
+func (s *Server) setSessionRequestToCommand(ctx context.Context, req *session.SetSessionRequest) ([]command.SessionCommand, error) {
 	checks, err := s.checksToCommand(ctx, req.Checks)
 	if err != nil {
 		return nil, err
@@ -196,12 +213,12 @@ func (s *Server) setSessionRequestToCommand(ctx context.Context, req *session.Se
 	return checks, nil
 }

-func (s *Server) checksToCommand(ctx context.Context, checks *session.Checks) ([]command.SessionCheck, error) {
+func (s *Server) checksToCommand(ctx context.Context, checks *session.Checks) ([]command.SessionCommand, error) {
 	checkUser, err := userCheck(checks.GetUser())
 	if err != nil {
 		return nil, err
 	}
-	sessionChecks := make([]command.SessionCheck, 0, 2)
+	sessionChecks := make([]command.SessionCommand, 0, 3)
 	if checkUser != nil {
 		user, err := checkUser.search(ctx, s.query)
 		if err != nil {
@@ -212,9 +229,38 @@ func (s *Server) checksToCommand(ctx context.Context, checks *session.Checks) ([
 	if password := checks.GetPassword(); password != nil {
 		sessionChecks = append(sessionChecks, command.CheckPassword(password.GetPassword()))
 	}
+	if passkey := checks.GetPasskey(); passkey != nil {
+		sessionChecks = append(sessionChecks, s.command.CheckPasskey(passkey.GetCredentialAssertionData()))
+	}
+
 	return sessionChecks, nil
 }

+func (s *Server) challengesToCommand(challenges []session.ChallengeKind, cmds []command.SessionCommand) (*session.Challenges, []command.SessionCommand) {
+	if len(challenges) == 0 {
+		return nil, cmds
+	}
+	resp := new(session.Challenges)
+	for _, c := range challenges {
+		switch c {
+		case session.ChallengeKind_CHALLENGE_KIND_UNSPECIFIED:
+			continue
+		case session.ChallengeKind_CHALLENGE_KIND_PASSKEY:
+			passkeyChallenge, cmd := s.createPasskeyChallengeCommand()
+			resp.Passkey = passkeyChallenge
+			cmds = append(cmds, cmd)
+		}
+	}
+	return resp, cmds
+}
+
+func (s *Server) createPasskeyChallengeCommand() (*session.Challenges_Passkey, command.SessionCommand) {
+	challenge := &session.Challenges_Passkey{
+		PublicKeyCredentialRequestOptions: new(structpb.Struct),
+	}
+	return challenge, s.command.CreatePasskeyChallenge(domain.UserVerificationRequirementRequired, challenge.PublicKeyCredentialRequestOptions)
+}
+
 func userCheck(user *session.CheckUser) (userSearch, error) {
 	if user == nil {
 		return nil, nil
--- a/internal/api/grpc/session/v2/session_integration_test.go
+++ b/internal/api/grpc/session/v2/session_integration_test.go
@@ -0,0 +1,270 @@
+//go:build integration
+
+package session_test
+
+import (
+	"context"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/zitadel/zitadel/internal/integration"
+	object "github.com/zitadel/zitadel/pkg/grpc/object/v2alpha"
+	session "github.com/zitadel/zitadel/pkg/grpc/session/v2alpha"
+	user "github.com/zitadel/zitadel/pkg/grpc/user/v2alpha"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+)
+
+var (
+	CTX    context.Context
+	Tester *integration.Tester
+	Client session.SessionServiceClient
+	User   *user.AddHumanUserResponse
+)
+
+func TestMain(m *testing.M) {
+	os.Exit(func() int {
+		ctx, errCtx, cancel := integration.Contexts(time.Hour)
+		defer cancel()
+
+		Tester = integration.NewTester(ctx)
+		defer Tester.Done()
+		Client = Tester.Client.SessionV2
+
+		CTX, _ = Tester.WithSystemAuthorization(ctx, integration.OrgOwner), errCtx
+		User = Tester.CreateHumanUser(CTX)
+		Tester.RegisterUserPasskey(CTX, User.GetUserId())
+		return m.Run()
+	}())
+}
+
+func verifyCurrentSession(t testing.TB, id, token string, sequence uint64, window time.Duration, metadata map[string][]byte, factors ...wantFactor) (s *session.Session) {
+	require.NotEmpty(t, id)
+	require.NotEmpty(t, token)
+
+retry:
+	for {
+		resp, err := Client.GetSession(CTX, &session.GetSessionRequest{
+			SessionId:    id,
+			SessionToken: &token,
+		})
+		if err == nil {
+			s = resp.GetSession()
+			break retry
+		}
+		if status.Convert(err).Code() == codes.NotFound {
+			select {
+			case <-CTX.Done():
+				t.Fatal(CTX.Err(), err)
+			case <-time.After(time.Second):
+				t.Log("retrying GetSession")
+				continue
+			}
+		}
+		require.NoError(t, err)
+	}
+
+	assert.Equal(t, id, s.GetId())
+	assert.WithinRange(t, s.GetCreationDate().AsTime(), time.Now().Add(-window), time.Now().Add(window))
+	assert.WithinRange(t, s.GetChangeDate().AsTime(), time.Now().Add(-window), time.Now().Add(window))
+	assert.Equal(t, sequence, s.GetSequence())
+	assert.Equal(t, metadata, s.GetMetadata())
+	verifyFactors(t, s.GetFactors(), window, factors)
+	return s
+}
+
+type wantFactor int
+
+const (
+	wantUserFactor wantFactor = iota
+	wantPasswordFactor
+	wantPasskeyFactor
+)
+
+func verifyFactors(t testing.TB, factors *session.Factors, window time.Duration, want []wantFactor) {
+	for _, w := range want {
+		switch w {
+		case wantUserFactor:
+			uf := factors.GetUser()
+			assert.NotNil(t, uf)
+			assert.WithinRange(t, uf.GetVerifiedAt().AsTime(), time.Now().Add(-window), time.Now().Add(window))
+			assert.Equal(t, User.GetUserId(), uf.GetId())
+		case wantPasswordFactor:
+			pf := factors.GetPassword()
+			assert.NotNil(t, pf)
+			assert.WithinRange(t, pf.GetVerifiedAt().AsTime(), time.Now().Add(-window), time.Now().Add(window))
+		case wantPasskeyFactor:
+			pf := factors.GetPasskey()
+			assert.NotNil(t, pf)
+			assert.WithinRange(t, pf.GetVerifiedAt().AsTime(), time.Now().Add(-window), time.Now().Add(window))
+		}
+	}
+}
+
+func TestServer_CreateSession(t *testing.T) {
+	tests := []struct {
+		name        string
+		req         *session.CreateSessionRequest
+		want        *session.CreateSessionResponse
+		wantErr     bool
+		wantFactors []wantFactor
+	}{
+		{
+			name: "empty session",
+			req: &session.CreateSessionRequest{
+				Metadata: map[string][]byte{"foo": []byte("bar")},
+			},
+			want: &session.CreateSessionResponse{
+				Details: &object.Details{
+					ResourceOwner: Tester.Organisation.ID,
+				},
+			},
+		},
+		{
+			name: "with user",
+			req: &session.CreateSessionRequest{
+				Checks: &session.Checks{
+					User: &session.CheckUser{
+						Search: &session.CheckUser_UserId{
+							UserId: User.GetUserId(),
+						},
+					},
+				},
+				Metadata: map[string][]byte{"foo": []byte("bar")},
+			},
+			want: &session.CreateSessionResponse{
+				Details: &object.Details{
+					ResourceOwner: Tester.Organisation.ID,
+				},
+			},
+			wantFactors: []wantFactor{wantUserFactor},
+		},
+		{
+			name: "password without user error",
+			req: &session.CreateSessionRequest{
+				Checks: &session.Checks{
+					Password: &session.CheckPassword{
+						Password: "Difficult",
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "passkey without user error",
+			req: &session.CreateSessionRequest{
+				Challenges: []session.ChallengeKind{
+					session.ChallengeKind_CHALLENGE_KIND_PASSKEY,
+				},
+			},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := Client.CreateSession(CTX, tt.req)
+			if tt.wantErr {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			integration.AssertDetails(t, tt.want, got)
+
+			verifyCurrentSession(t, got.GetSessionId(), got.GetSessionToken(), got.GetDetails().GetSequence(), time.Minute, tt.req.GetMetadata(), tt.wantFactors...)
+		})
+	}
+}
+
+func TestServer_CreateSession_passkey(t *testing.T) {
+	// create new session with user and request the passkey challenge
+	createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
+		Checks: &session.Checks{
+			User: &session.CheckUser{
+				Search: &session.CheckUser_UserId{
+					UserId: User.GetUserId(),
+				},
+			},
+		},
+		Challenges: []session.ChallengeKind{
+			session.ChallengeKind_CHALLENGE_KIND_PASSKEY,
+		},
+	})
+	require.NoError(t, err)
+	verifyCurrentSession(t, createResp.GetSessionId(), createResp.GetSessionToken(), createResp.GetDetails().GetSequence(), time.Minute, nil)
+
+	assertionData, err := Tester.WebAuthN.CreateAssertionResponse(createResp.GetChallenges().GetPasskey().GetPublicKeyCredentialRequestOptions())
+	require.NoError(t, err)
+
+	// update the session with passkey assertion data
+	updateResp, err := Client.SetSession(CTX, &session.SetSessionRequest{
+		SessionId:    createResp.GetSessionId(),
+		SessionToken: createResp.GetSessionToken(),
+		Checks: &session.Checks{
+			Passkey: &session.CheckPasskey{
+				CredentialAssertionData: assertionData,
+			},
+		},
+	})
+	require.NoError(t, err)
+	verifyCurrentSession(t, createResp.GetSessionId(), updateResp.GetSessionToken(), updateResp.GetDetails().GetSequence(), time.Minute, nil, wantUserFactor, wantPasskeyFactor)
+}
+
+func TestServer_SetSession_flow(t *testing.T) {
+	var wantFactors []wantFactor
+
+	// create new, empty session
+	createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{})
+	require.NoError(t, err)
+	verifyCurrentSession(t, createResp.GetSessionId(), createResp.GetSessionToken(), createResp.GetDetails().GetSequence(), time.Minute, nil, wantFactors...)
+	sessionToken := createResp.GetSessionToken()
+
+	t.Run("check user", func(t *testing.T) {
+		wantFactors = append(wantFactors, wantUserFactor)
+		resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
+			SessionId:    createResp.GetSessionId(),
+			SessionToken: sessionToken,
+			Checks: &session.Checks{
+				User: &session.CheckUser{
+					Search: &session.CheckUser_UserId{
+						UserId: User.GetUserId(),
+					},
+				},
+			},
+		})
+		require.NoError(t, err)
+		verifyCurrentSession(t, createResp.GetSessionId(), resp.GetSessionToken(), resp.GetDetails().GetSequence(), time.Minute, nil, wantFactors...)
+		sessionToken = resp.GetSessionToken()
+	})
+
+	t.Run("check passkey", func(t *testing.T) {
+		resp, err := Client.SetSession(CTX, &session.SetSessionRequest{
+			SessionId:    createResp.GetSessionId(),
+			SessionToken: sessionToken,
+			Challenges: []session.ChallengeKind{
+				session.ChallengeKind_CHALLENGE_KIND_PASSKEY,
+			},
+		})
+		require.NoError(t, err)
+		verifyCurrentSession(t, createResp.GetSessionId(), resp.GetSessionToken(), resp.GetDetails().GetSequence(), time.Minute, nil, wantFactors...)
+		sessionToken = resp.GetSessionToken()
+
+		wantFactors = append(wantFactors, wantPasskeyFactor)
+		assertionData, err := Tester.WebAuthN.CreateAssertionResponse(resp.GetChallenges().GetPasskey().GetPublicKeyCredentialRequestOptions())
+		require.NoError(t, err)
+
+		resp, err = Client.SetSession(CTX, &session.SetSessionRequest{
+			SessionId:    createResp.GetSessionId(),
+			SessionToken: sessionToken,
+			Checks: &session.Checks{
+				Passkey: &session.CheckPasskey{
+					CredentialAssertionData: assertionData,
+				},
+			},
+		})
+		require.NoError(t, err)
+		verifyCurrentSession(t, createResp.GetSessionId(), resp.GetSessionToken(), resp.GetDetails().GetSequence(), time.Minute, nil, wantFactors...)
+	})
+}
--- a/internal/api/grpc/session/v2/session_test.go
+++ b/internal/api/grpc/session/v2/session_test.go
@@ -49,7 +49,7 @@ func Test_sessionsToPb(t *testing.T) {
 			},
 			Metadata: map[string][]byte{"hello": []byte("world")},
 		},
-		{ // no factor
+		{ // password factor
 			ID:            "999",
 			CreationDate:  now,
 			ChangeDate:    now,
@@ -57,11 +57,36 @@ func Test_sessionsToPb(t *testing.T) {
 			State:         domain.SessionStateActive,
 			ResourceOwner: "me",
 			Creator:       "he",
+			UserFactor: query.SessionUserFactor{
+				UserID:        "345",
+				UserCheckedAt: past,
+				LoginName:     "donald",
+				DisplayName:   "donald duck",
+			},
 			PasswordFactor: query.SessionPasswordFactor{
 				PasswordCheckedAt: past,
 			},
 			Metadata: map[string][]byte{"hello": []byte("world")},
 		},
+		{ // passkey factor
+			ID:            "999",
+			CreationDate:  now,
+			ChangeDate:    now,
+			Sequence:      123,
+			State:         domain.SessionStateActive,
+			ResourceOwner: "me",
+			Creator:       "he",
+			UserFactor: query.SessionUserFactor{
+				UserID:        "345",
+				UserCheckedAt: past,
+				LoginName:     "donald",
+				DisplayName:   "donald duck",
+			},
+			PasskeyFactor: query.SessionPasskeyFactor{
+				PasskeyCheckedAt: past,
+			},
+			Metadata: map[string][]byte{"hello": []byte("world")},
+		},
 	}

 	want := []*session.Session{
@@ -94,12 +119,36 @@ func Test_sessionsToPb(t *testing.T) {
 			ChangeDate:   timestamppb.New(now),
 			Sequence:     123,
 			Factors: &session.Factors{
+				User: &session.UserFactor{
+					VerifiedAt:  timestamppb.New(past),
+					Id:          "345",
+					LoginName:   "donald",
+					DisplayName: "donald duck",
+				},
 				Password: &session.PasswordFactor{
 					VerifiedAt: timestamppb.New(past),
 				},
 			},
 			Metadata: map[string][]byte{"hello": []byte("world")},
 		},
+		{ // passkey factor
+			Id:           "999",
+			CreationDate: timestamppb.New(now),
+			ChangeDate:   timestamppb.New(now),
+			Sequence:     123,
+			Factors: &session.Factors{
+				User: &session.UserFactor{
+					VerifiedAt:  timestamppb.New(past),
+					Id:          "345",
+					LoginName:   "donald",
+					DisplayName: "donald duck",
+				},
+				Passkey: &session.PasskeyFactor{
+					VerifiedAt: timestamppb.New(past),
+				},
+			},
+			Metadata: map[string][]byte{"hello": []byte("world")},
+		},
 	}

 	out := sessionsToPb(sessions)
@@ -107,7 +156,7 @@ func Test_sessionsToPb(t *testing.T) {

 	for i, got := range out {
 		if !proto.Equal(got, want[i]) {
-			t.Errorf("session %d got:\n%v\nwant:\n%v", i, got, want)
+			t.Errorf("session %d got:\n%v\nwant:\n%v", i, got, want[i])
 		}
 	}
 }
--- a/internal/api/grpc/user/v2/email_integration_test.go
+++ b/internal/api/grpc/user/v2/email_integration_test.go
@@ -3,9 +3,7 @@
 package user_test

 import (
-	"fmt"
 	"testing"
-	"time"

 	"github.com/muhlemmer/gu"
 	"github.com/stretchr/testify/assert"
@@ -16,31 +14,8 @@ import (
 	"google.golang.org/protobuf/types/known/timestamppb"
 )

-func createHumanUser(t *testing.T) *user.AddHumanUserResponse {
-	resp, err := Client.AddHumanUser(CTX, &user.AddHumanUserRequest{
-		Organisation: &object.Organisation{
-			Org: &object.Organisation_OrgId{
-				OrgId: Tester.Organisation.ID,
-			},
-		},
-		Profile: &user.SetHumanProfile{
-			FirstName: "Mickey",
-			LastName:  "Mouse",
-		},
-		Email: &user.SetHumanEmail{
-			Email: fmt.Sprintf("%d@mouse.com", time.Now().UnixNano()),
-			Verification: &user.SetHumanEmail_ReturnCode{
-				ReturnCode: &user.ReturnEmailVerificationCode{},
-			},
-		},
-	})
-	require.NoError(t, err)
-	require.NotEmpty(t, resp.GetUserId())
-	return resp
-}
-
 func TestServer_SetEmail(t *testing.T) {
-	userID := createHumanUser(t).GetUserId()
+	userID := Tester.CreateHumanUser(CTX).GetUserId()

 	tests := []struct {
 		name    string
@@ -158,7 +133,7 @@ func TestServer_SetEmail(t *testing.T) {
 }

 func TestServer_VerifyEmail(t *testing.T) {
-	userResp := createHumanUser(t)
+	userResp := Tester.CreateHumanUser(CTX)
 	tests := []struct {
 		name    string
 		req     *user.VerifyEmailRequest
--- a/internal/api/grpc/user/v2/passkey.go
+++ b/internal/api/grpc/user/v2/passkey.go
@@ -3,6 +3,9 @@ package user
 import (
 	"context"

+	"google.golang.org/protobuf/encoding/protojson"
+	"google.golang.org/protobuf/types/known/structpb"
+
 	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/api/grpc/object/v2"
 	"github.com/zitadel/zitadel/internal/domain"
@@ -42,16 +45,24 @@ func passkeyRegistrationDetailsToPb(details *domain.PasskeyRegistrationDetails,
 	if err != nil {
 		return nil, err
 	}
+	options := new(structpb.Struct)
+	if err := protojson.Unmarshal(details.PublicKeyCredentialCreationOptions, options); err != nil {
+		return nil, caos_errs.ThrowInternal(err, "USERv2-Dohr6", "Errors.Internal")
+	}
 	return &user.RegisterPasskeyResponse{
 		Details:                            object.DomainToDetailsPb(details.ObjectDetails),
 		PasskeyId:                          details.PasskeyID,
-		PublicKeyCredentialCreationOptions: details.PublicKeyCredentialCreationOptions,
+		PublicKeyCredentialCreationOptions: options,
 	}, nil
 }

 func (s *Server) VerifyPasskeyRegistration(ctx context.Context, req *user.VerifyPasskeyRegistrationRequest) (*user.VerifyPasskeyRegistrationResponse, error) {
 	resourceOwner := authz.GetCtxData(ctx).ResourceOwner
-	objectDetails, err := s.command.HumanHumanPasswordlessSetup(ctx, req.GetUserId(), resourceOwner, req.GetPasskeyName(), "", req.GetPublicKeyCredential())
+	pkc, err := protojson.Marshal(req.GetPublicKeyCredential())
+	if err != nil {
+		return nil, caos_errs.ThrowInternal(err, "USERv2-Pha2o", "Errors.Internal")
+	}
+	objectDetails, err := s.command.HumanHumanPasswordlessSetup(ctx, req.GetUserId(), resourceOwner, req.GetPasskeyName(), "", pkc)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/user/v2/passkey_integration_test.go
+++ b/internal/api/grpc/user/v2/passkey_integration_test.go
@@ -10,19 +10,18 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/zitadel/zitadel/internal/integration"
-	"github.com/zitadel/zitadel/internal/webauthn"
 	object "github.com/zitadel/zitadel/pkg/grpc/object/v2alpha"
 	user "github.com/zitadel/zitadel/pkg/grpc/user/v2alpha"
+	"google.golang.org/protobuf/types/known/structpb"
 )

 func TestServer_RegisterPasskey(t *testing.T) {
-	userID := createHumanUser(t).GetUserId()
+	userID := Tester.CreateHumanUser(CTX).GetUserId()
 	reg, err := Client.CreatePasskeyRegistrationLink(CTX, &user.CreatePasskeyRegistrationLinkRequest{
 		UserId: userID,
 		Medium: &user.CreatePasskeyRegistrationLinkRequest_ReturnCode{},
 	})
 	require.NoError(t, err)
-	client := webauthn.NewClient(Tester.Config.WebAuthNName, Tester.Config.ExternalDomain, "https://"+Tester.Host())

 	type args struct {
 		ctx context.Context
@@ -125,7 +124,7 @@ func TestServer_RegisterPasskey(t *testing.T) {
 			if tt.want != nil {
 				assert.NotEmpty(t, got.GetPasskeyId())
 				assert.NotEmpty(t, got.GetPublicKeyCredentialCreationOptions())
-				_, err := client.CreateAttestationResponse(got.GetPublicKeyCredentialCreationOptions())
+				_, err = Tester.WebAuthN.CreateAttestationResponse(got.GetPublicKeyCredentialCreationOptions())
 				require.NoError(t, err)
 			}
 		})
@@ -133,7 +132,7 @@ func TestServer_RegisterPasskey(t *testing.T) {
 }

 func TestServer_VerifyPasskeyRegistration(t *testing.T) {
-	userID := createHumanUser(t).GetUserId()
+	userID := Tester.CreateHumanUser(CTX).GetUserId()
 	reg, err := Client.CreatePasskeyRegistrationLink(CTX, &user.CreatePasskeyRegistrationLinkRequest{
 		UserId: userID,
 		Medium: &user.CreatePasskeyRegistrationLinkRequest_ReturnCode{},
@@ -147,8 +146,7 @@ func TestServer_VerifyPasskeyRegistration(t *testing.T) {
 	require.NotEmpty(t, pkr.GetPasskeyId())
 	require.NotEmpty(t, pkr.GetPublicKeyCredentialCreationOptions())

-	client := webauthn.NewClient(Tester.Config.WebAuthNName, Tester.Config.ExternalDomain, "https://"+Tester.Host())
-	attestationResponse, err := client.CreateAttestationResponse(pkr.GetPublicKeyCredentialCreationOptions())
+	attestationResponse, err := Tester.WebAuthN.CreateAttestationResponse(pkr.GetPublicKeyCredentialCreationOptions())
 	require.NoError(t, err)

 	type args struct {
@@ -167,7 +165,7 @@ func TestServer_VerifyPasskeyRegistration(t *testing.T) {
 				ctx: CTX,
 				req: &user.VerifyPasskeyRegistrationRequest{
 					PasskeyId:           pkr.GetPasskeyId(),
-					PublicKeyCredential: []byte(attestationResponse),
+					PublicKeyCredential: attestationResponse,
 					PasskeyName:         "nice name",
 				},
 			},
@@ -195,10 +193,12 @@ func TestServer_VerifyPasskeyRegistration(t *testing.T) {
 			args: args{
 				ctx: CTX,
 				req: &user.VerifyPasskeyRegistrationRequest{
-					UserId:              userID,
-					PasskeyId:           pkr.GetPasskeyId(),
-					PublicKeyCredential: []byte("attestationResponseattestationResponseattestationResponse"),
-					PasskeyName:         "nice name",
+					UserId:    userID,
+					PasskeyId: pkr.GetPasskeyId(),
+					PublicKeyCredential: &structpb.Struct{
+						Fields: map[string]*structpb.Value{"foo": {Kind: &structpb.Value_StringValue{StringValue: "bar"}}},
+					},
+					PasskeyName: "nice name",
 				},
 			},
 			wantErr: true,
@@ -219,7 +219,7 @@ func TestServer_VerifyPasskeyRegistration(t *testing.T) {
 }

 func TestServer_CreatePasskeyRegistrationLink(t *testing.T) {
-	userID := createHumanUser(t).GetUserId()
+	userID := Tester.CreateHumanUser(CTX).GetUserId()

 	type args struct {
 		ctx context.Context
--- a/internal/api/grpc/user/v2/passkey_test.go
+++ b/internal/api/grpc/user/v2/passkey_test.go
@@ -7,10 +7,13 @@ import (

 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"google.golang.org/protobuf/proto"
+	"google.golang.org/protobuf/types/known/structpb"
 	"google.golang.org/protobuf/types/known/timestamppb"

 	"github.com/zitadel/zitadel/internal/api/grpc"
 	"github.com/zitadel/zitadel/internal/domain"
+	caos_errs "github.com/zitadel/zitadel/internal/errors"
 	object "github.com/zitadel/zitadel/pkg/grpc/object/v2alpha"
 	user "github.com/zitadel/zitadel/pkg/grpc/user/v2alpha"
 )
@@ -51,9 +54,10 @@ func Test_passkeyRegistrationDetailsToPb(t *testing.T) {
 		err     error
 	}
 	tests := []struct {
-		name string
-		args args
-		want *user.RegisterPasskeyResponse
+		name    string
+		args    args
+		want    *user.RegisterPasskeyResponse
+		wantErr error
 	}{
 		{
 			name: "an error",
@@ -61,6 +65,23 @@ func Test_passkeyRegistrationDetailsToPb(t *testing.T) {
 				details: nil,
 				err:     io.ErrClosedPipe,
 			},
+			wantErr: io.ErrClosedPipe,
+		},
+		{
+			name: "unmarshall error",
+			args: args{
+				details: &domain.PasskeyRegistrationDetails{
+					ObjectDetails: &domain.ObjectDetails{
+						Sequence:      22,
+						EventDate:     time.Unix(3000, 22),
+						ResourceOwner: "me",
+					},
+					PasskeyID:                          "123",
+					PublicKeyCredentialCreationOptions: []byte(`\\`),
+				},
+				err: nil,
+			},
+			wantErr: caos_errs.ThrowInternal(nil, "USERv2-Dohr6", "Errors.Internal"),
 		},
 		{
 			name: "ok",
@@ -72,7 +93,7 @@ func Test_passkeyRegistrationDetailsToPb(t *testing.T) {
 						ResourceOwner: "me",
 					},
 					PasskeyID:                          "123",
-					PublicKeyCredentialCreationOptions: []byte{1, 2, 3},
+					PublicKeyCredentialCreationOptions: []byte(`{"foo": "bar"}`),
 				},
 				err: nil,
 			},
@@ -85,16 +106,20 @@ func Test_passkeyRegistrationDetailsToPb(t *testing.T) {
 					},
 					ResourceOwner: "me",
 				},
-				PasskeyId:                          "123",
-				PublicKeyCredentialCreationOptions: []byte{1, 2, 3},
+				PasskeyId: "123",
+				PublicKeyCredentialCreationOptions: &structpb.Struct{
+					Fields: map[string]*structpb.Value{"foo": {Kind: &structpb.Value_StringValue{StringValue: "bar"}}},
+				},
 			},
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			got, err := passkeyRegistrationDetailsToPb(tt.args.details, tt.args.err)
-			require.ErrorIs(t, err, tt.args.err)
-			assert.Equal(t, tt.want, got)
+			require.ErrorIs(t, err, tt.wantErr)
+			if !proto.Equal(tt.want, got) {
+				t.Errorf("Not equal:\nExpected\n%s\nActual:%s", tt.want, got)
+			}
 			if tt.want != nil {
 				grpc.AllFieldsSet(t, got.ProtoReflect())
 			}
--- a/internal/api/grpc/user/v2/user_integration_test.go
+++ b/internal/api/grpc/user/v2/user_integration_test.go
@@ -42,7 +42,7 @@ func TestMain(m *testing.M) {
 		defer Tester.Done()

 		CTX, ErrCTX = Tester.WithSystemAuthorization(ctx, integration.OrgOwner), errCtx
-		Client = user.NewUserServiceClient(Tester.GRPCClientConn)
+		Client = Tester.Client.UserV2
 		return m.Run()
 	}())
 }