Client Attestations
Client attestation policies define custom attestation validation behaviors that can then be used by zero or more OAuth 2.0 clients.
Client Attestation Policy Creation
Client attestation policies are created inside the Admin UI Facilities menu, under the Client Attestations menu entry.
(Screenshot: Admin UI → Facilities → Client Attestations, "Manage client attestations")
Client attestation policies are grouped by attestation type, where each type has different settings that can be customized:
- Web attestation
  - HAAPI access token time-to-live.
  - Disable origin verification.
- iOS attestation
  - HAAPI access token time-to-live.
  - iOS operation model (production or development).
  - Override Certificate Chain Validation.
- Android attestation
  - HAAPI access token time-to-live.
  - Verify Boot State.
  - Minimum Security Level (software, trusted-env, strong-box).
  - Override Certificate Chain Validation.
After configuring a custom policy for a specific attestation type, that policy can then be used by zero or more clients using that specific attestation type. The attestation policy is an optional setting inside the client attestation configuration settings.
If no attestation policy is configured on a client, then a default attestation policy for the attestation type is used.
More information about the HAAPI client attestation functionality, and how policies can be used to customize its behavior, is available in HAAPI client attestation.
Some attestation behaviors defined via client attestation policies are not safe for production scenarios. They exist mostly for development purposes.
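To make the interaction between the Android policy settings listed above and the production caveat concrete, here is an added, illustrative model of how such a policy could be evaluated against the claims extracted from a device attestation. It is not Curity's implementation; the `AndroidPolicy` and `AndroidAttestation` types, their field names and the constructed sample values are assumptions for this example.

```python
from dataclasses import dataclass
from enum import IntEnum


class SecurityLevel(IntEnum):
    # Ordering of the "Minimum Security Level" values named on this page:
    # a reported level satisfies the policy when it is at least as strong.
    SOFTWARE = 0
    TRUSTED_ENV = 1
    STRONG_BOX = 2


LEVEL_NAMES = {
    "software": SecurityLevel.SOFTWARE,
    "trusted-env": SecurityLevel.TRUSTED_ENV,
    "strong-box": SecurityLevel.STRONG_BOX,
}


@dataclass(frozen=True)
class AndroidPolicy:
    # Hypothetical in-memory model of the Android policy settings (assumption).
    token_ttl_seconds: int = 300
    verify_boot_state: bool = True
    minimum_security_level: str = "trusted-env"
    override_chain_validation: bool = False


@dataclass(frozen=True)
class AndroidAttestation:
    # Constructed claims, as a verifier would extract them from a key attestation.
    chain_valid: bool
    boot_state_verified: bool
    security_level: str


def production_safe(policy: AndroidPolicy) -> list[str]:
    """Return the settings of this policy that are meant for development only."""
    issues = []
    if policy.override_chain_validation:
        # Skipping chain validation removes the root of trust for every later check.
        issues.append("override-chain-validation")
    return issues


def evaluate(policy: AndroidPolicy, att: AndroidAttestation) -> tuple[bool, str]:
    """Decide whether the attestation satisfies the policy; returns (accepted, reason)."""
    if not att.chain_valid and not policy.override_chain_validation:
        return False, "certificate chain validation failed"
    if policy.verify_boot_state and not att.boot_state_verified:
        return False, "boot state is not verified"
    required = LEVEL_NAMES[policy.minimum_security_level]
    if LEVEL_NAMES[att.security_level] < required:
        return False, f"security level {att.security_level} is below {policy.minimum_security_level}"
    return True, "accepted"
```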