arazzo: 1.0.1
info:
  title: Microsoft Windows 10 Windows Hello Enroll Key Credential
  summary: Confirm Windows Hello is available, create a passwordless key credential, and retrieve its TPM attestation for server registration.
  description: >-
    A passwordless enrollment flow built on the Windows.Security.Credentials
    KeyCredentialManager. The workflow checks whether Windows Hello is supported,
    branches on availability, creates a new public/private key credential whose
    private key is bound to the device (TPM where available), and then fetches a
    key attestation buffer and certificate chain that a relying party can use to
    verify the key was generated in a secure environment. Every step inlines its
    request and documents the status it keys on.
  version: 1.0.0
sourceDescriptions:
  - name: helloApi
    url: ../openapi/microsoft-windows-10-hello-openapi.yml
    type: openapi
workflows:
  - workflowId: enroll-key-credential
    summary: Create a Windows Hello key credential and obtain its attestation.
    description: >-
      Verifies Windows Hello availability, creates a key credential for the
      supplied account, and retrieves the attestation result for server-side
      verification.
    inputs:
      type: object
      required:
        - accountId
      properties:
        accountId:
          type: string
          description: Unique account identifier the credential is created for.
        keyCreationOption:
          type: string
          description: Whether to replace an existing credential or fail if one exists.
          enum:
            - ReplaceExisting
            - FailIfExists
          default: ReplaceExisting
    steps:
      - stepId: checkAvailability
        description: >-
          Confirm Windows Hello is supported on this device before attempting
          to create a credential.
        operationId: checkHelloAvailability
        successCriteria:
          - condition: $statusCode == 200
          - context: $response.body
            condition: $.isSupported == true
            type: jsonpath
        outputs:
          isSupported: $response.body#/isSupported
          availableMethods: $response.body#/availableMethods
        onSuccess:
          - name: supported
            type: goto
            stepId: createCredential
            criteria:
              - context: $response.body
                condition: $.isSupported == true
                type: jsonpath
      - stepId: createCredential
        description: >-
          Create a new Windows Hello key credential for the account, generating
          a device-bound key pair and returning the public key.
        operationId: createKeyCredential
        requestBody:
          contentType: application/json
          payload:
            accountId: $inputs.accountId
            keyCreationOption: $inputs.keyCreationOption
        successCriteria:
          - condition: $statusCode == 201
          - context: $response.body
            condition: $.status == "Success"
            type: jsonpath
        outputs:
          accountId: $response.body#/accountId
          publicKey: $response.body#/publicKey
          status: $response.body#/status
      - stepId: getAttestation
        description: >-
          Retrieve the attestation buffer and certificate chain for the newly
          created credential so a server can verify it was generated in a TPM.
        operationId: getKeyAttestation
        parameters:
          - name: accountId
            in: query
            value: $steps.createCredential.outputs.accountId
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          attestationStatus: $response.body#/status
          attestationBuffer: $response.body#/attestationBuffer
          certificateChainBuffer: $response.body#/certificateChainBuffer
    outputs:
      accountId: $steps.createCredential.outputs.accountId
      publicKey: $steps.createCredential.outputs.publicKey
      attestationStatus: $steps.getAttestation.outputs.attestationStatus
      attestationBuffer: $steps.getAttestation.outputs.attestationBuffer