# Managing System Account Credentials (for System Application Only)

<!--Kit: Basic Services Kit-->
<!--Subsystem: Account-->
<!--Owner: @steven-q-->
<!--Designer: @JiDong-CS1-->
<!--Tester: @zhaimengchao-->
<!--Adviser: @zengyawen-->

Credentials can be used to authenticate users. This topic walks you through how to add, update, obtain, and delete credentials for a system account and how to authenticate the system account using the enrolled credentials.

## Credential Type

The following types of credentials are supported for system accounts:

| Name  | Value | Description |
| ----- | ----- | ---------------- |
| PIN   | 1     | PIN. |
| FACE  | 2     | Face. |
| FINGERPRINT<sup>10+</sup> | 4 | Fingerprint. |

## Credential Subtype

Credential types are further classified into the following subtypes:

> **NOTE**<br>
> The credential types supported by the device depend on the hardware capability.

| Name       | Value | Description |
| ---------- | ----- | ------------------ |
| PIN_SIX    | 10000 | Six-digit PIN. |
| PIN_NUMBER | 10001 | Custom PIN. |
| PIN_MIXED  | 10002 | Custom mixed PIN. |
| FACE_2D    | 20000 | 2D face credential. |
| FACE_3D    | 20001 | 3D face credential. |
| FINGERPRINT_CAPACITIVE<sup>10+</sup> | 30000 | Capacitive fingerprint. |
| FINGERPRINT_OPTICAL<sup>10+</sup> | 30001 | Optical fingerprint. |
| FINGERPRINT_ULTRASONIC<sup>10+</sup> | 30002 | Ultrasonic fingerprint. |

## Before You Start

1. Request the following permissions. For details, see [Requesting Permissions for system_basic Applications](../../security/AccessToken/determine-application-mode.md#requesting-permissions-for-system_basic-applications).
   - ohos.permission.MANAGE_USER_IDM
   - ohos.permission.ACCESS_PIN_AUTH

2. Import the **osAccount** module.

   ```ts
   import { osAccount } from '@kit.BasicServicesKit';
   ```

3. Create a **UserIDM** instance.

   ```ts
   let userIDM: osAccount.UserIdentityManager = new osAccount.UserIdentityManager();
   ```

## Registering a PIN Inputer

Register a PIN inputer to transmit PIN data.

**Procedure**

1. Define a PIN inputer and obtain the PIN.

   ```ts
   // Sample PIN data; the PIN can be obtained in other ways.
   let pinData: Uint8Array = new Uint8Array([31, 32, 33, 34, 35, 36]);
   let inputer: osAccount.IInputer = {
     // Passes the PIN data back through the callback when it is requested.
     onGetData: (authSubType: osAccount.AuthSubType, callback: osAccount.IInputData) => {
       callback.onSetData(authSubType, pinData);
     }
   };
   ```

2. Use [registerInputer](../../reference/apis-basic-services-kit/js-apis-osAccount-sys.md#registerinputer8) to register the PIN inputer.

   ```ts
   let pinAuth: osAccount.PINAuth = new osAccount.PINAuth();
   pinAuth.registerInputer(inputer);
   ```

## Opening a Session

Use [openSession](../../reference/apis-basic-services-kit/js-apis-osAccount-sys.md#opensession8) to open a session for credential management.

**Procedure**

```ts
let challenge: Uint8Array = await userIDM.openSession();
```

## Enrolling a PIN

Use [addCredential](../../reference/apis-basic-services-kit/js-apis-osAccount-sys.md#addcredential8) to enroll a PIN.

**Procedure**

1. Define the PIN authentication credential.

   ```ts
   let credentialInfo: osAccount.CredentialInfo = {
     credType: osAccount.AuthType.PIN,
     credSubType: osAccount.AuthSubType.PIN_SIX,
     token: new Uint8Array([0])
   };
   ```

2. Use [addCredential](../../reference/apis-basic-services-kit/js-apis-osAccount-sys.md#addcredential8) to add credential information. The credential is returned by a callback or promise.

   ```ts
   userIDM.addCredential(credentialInfo, {
     onResult: (code: number, result: osAccount.RequestResult) => {
       console.log('addCredential code = ' + code);
       // Serialize the result object so that its fields are logged.
       console.log('addCredential result = ' + JSON.stringify(result));
     }
   });
   ```

## Authenticating a PIN

Use [auth](../../reference/apis-basic-services-kit/js-apis-osAccount-sys.md#auth8) to perform PIN authentication.

**Procedure**

1. Set authentication parameters, including the challenge value, authentication type, and authentication trust level.

   ```ts
   let challenge: Uint8Array = new Uint8Array([1, 2, 3, 4, 5]);
   let authType: osAccount.AuthType = osAccount.AuthType.PIN;
   let authTrustLevel: osAccount.AuthTrustLevel = osAccount.AuthTrustLevel.ATL1;
   ```

2. Use [auth](../../reference/apis-basic-services-kit/js-apis-osAccount-sys.md#auth8) to perform PIN authentication.

   ```ts
   let userAuth: osAccount.UserAuth = new osAccount.UserAuth();
   userAuth.auth(challenge, authType, authTrustLevel, {
     onResult: (result: number, extraInfo: osAccount.AuthResult) => {
       console.log('pin auth result = ' + result);
       console.log('pin auth extraInfo = ' + JSON.stringify(extraInfo));
       // Authorization token (authToken) used by the credential operations that follow.
       let authToken = extraInfo.token;
     }
   });
   ```

## Enrolling Biometric Credentials

Biometric credentials such as face and fingerprint can be enrolled after PIN authentication succeeds. The enrollment process is similar to the PIN enrollment process.

**Procedure**

1. Perform PIN authentication to obtain the authorization token (**authToken**).

2. Set face credential information. The following uses a 2D face credential as an example.

   ```ts
   let faceCredInfo: osAccount.CredentialInfo = {
     credType: osAccount.AuthType.FACE,
     credSubType: osAccount.AuthSubType.FACE_2D,
     token: new Uint8Array([1, 2, 3, 4, 5]) // Placeholder; use the authToken obtained in step 1.
   };
   ```

3. Use [addCredential](../../reference/apis-basic-services-kit/js-apis-osAccount-sys.md#addcredential8) to enroll face credentials.

   ```ts
   userIDM.addCredential(faceCredInfo, {
     onResult: (code: number, result: osAccount.RequestResult) => {
       console.log('add face credential, resultCode: ' + code);
       console.log('add face credential, request result: ' + JSON.stringify(result));
     }
   });
   ```

4. Set fingerprint credential information.

   ```ts
   let fingerprintCredInfo: osAccount.CredentialInfo = {
     credType: osAccount.AuthType.FINGERPRINT,
     credSubType: osAccount.AuthSubType.FINGERPRINT_CAPACITIVE,
     token: new Uint8Array([1, 2, 3, 4, 5]) // Placeholder; use the authToken obtained in step 1.
   };
   ```

5. Use [addCredential](../../reference/apis-basic-services-kit/js-apis-osAccount-sys.md#addcredential8) to enroll the fingerprint.

   ```ts
   userIDM.addCredential(fingerprintCredInfo, {
     onResult: (code: number, result: osAccount.RequestResult) => {
       console.log('add fingerprint credential, resultCode: ' + code);
       console.log('add fingerprint credential, request result: ' + JSON.stringify(result));
     }
   });
   ```

## Authenticating Biometric Credentials

Biometric authentication can be performed after the biometric credentials are enrolled. You can use [auth](../../reference/apis-basic-services-kit/js-apis-osAccount-sys.md#auth8) to perform biometric authentication.

**Procedure**

1. Set authentication parameters, including the challenge value, authentication type, and authentication trust level. The following uses facial authentication as an example.

   ```ts
   let challenge: Uint8Array = new Uint8Array([1, 2, 3, 4, 5]);
   let authType: osAccount.AuthType = osAccount.AuthType.FACE;
   let authTrustLevel: osAccount.AuthTrustLevel = osAccount.AuthTrustLevel.ATL1;
   ```

2. Use **auth()** to perform authentication.

   ```ts
   let userAuth: osAccount.UserAuth = new osAccount.UserAuth();
   userAuth.auth(challenge, authType, authTrustLevel, {
     onResult: (result: number, extraInfo: osAccount.AuthResult) => {
       console.log('face auth result = ' + result);
       console.log('face auth extraInfo = ' + JSON.stringify(extraInfo));
     }
   });
   ```

## Updating a Credential

The user can update credentials as required. You can use [updateCredential](../../reference/apis-basic-services-kit/js-apis-osAccount-sys.md#updatecredential8) to update credential information.

**Procedure**

1. Perform PIN authentication to obtain the authorization token (**authToken**).

2. Specify the credential information to be updated.

   ```ts
   let credentialInfo: osAccount.CredentialInfo = {
     credType: osAccount.AuthType.PIN,
     credSubType: osAccount.AuthSubType.PIN_SIX,
     token: new Uint8Array([1, 2, 3, 4, 5]) // Placeholder; use the authToken obtained in step 1.
   };
   ```

3. Use [updateCredential](../../reference/apis-basic-services-kit/js-apis-osAccount-sys.md#updatecredential8) to update the credential.

   ```ts
   userIDM.updateCredential(credentialInfo, {
     onResult: (result: number, extraInfo: osAccount.RequestResult) => {
       console.log('updateCredential result = ' + result);
       console.log('updateCredential extraInfo = ' + JSON.stringify(extraInfo));
     }
   });
   ```

## Obtaining Credential Information

The enrolled credentials need to be displayed on the credential management page, and the available credential types need to be displayed on the lock screen page. You can use [getAuthInfo](../../reference/apis-basic-services-kit/js-apis-osAccount-sys.md#getauthinfo8) to obtain the credential information to be displayed.

**Procedure**

1. Obtain information about all the credentials enrolled.

   ```ts
   let enrolledCredInfoList: osAccount.EnrolledCredInfo[] = await userIDM.getAuthInfo();
   ```

2. Use [getAuthInfo](../../reference/apis-basic-services-kit/js-apis-osAccount-sys.md#getauthinfo8) to obtain the credentials of the specified type. The following example obtains the enrolled fingerprint credentials.

   ```ts
   let enrolledFingerCredInfoList: osAccount.EnrolledCredInfo[] = await userIDM.getAuthInfo(osAccount.AuthType.FINGERPRINT);
   ```

## Deleting a Credential

Before a credential is deleted, [PIN Authentication](#authenticating-a-pin) is required and the ID of the credential to be deleted needs to be [obtained](#obtaining-credential-information).

For example, to delete a fingerprint, do as follows:

1. Obtain the fingerprint information.

   ```ts
   // Placeholders; credentialId is replaced below, and token is replaced by the authToken from step 2.
   let credentialId: Uint8Array = new Uint8Array([1, 2, 3, 4, 5]);
   let token: Uint8Array = new Uint8Array([1, 2, 3, 4, 5]);
   let credInfoList: osAccount.EnrolledCredInfo[] = await userIDM.getAuthInfo(osAccount.AuthType.FINGERPRINT);
   if (credInfoList.length !== 0) {
     // Use the ID of the first enrolled fingerprint.
     credentialId = credInfoList[0].credentialId;
   }
   ```

2. [Perform PIN authentication](#authenticating-a-pin) to obtain the authentication token.

3. Use [delCred](../../reference/apis-basic-services-kit/js-apis-osAccount-sys.md#delcred8) to delete the fingerprint credential.

   ```ts
   userIDM.delCred(credentialId, token, {
     onResult: (result: number, extraInfo: osAccount.RequestResult) => {
       console.log('delCred result = ' + result);
       console.log('delCred extraInfo = ' + JSON.stringify(extraInfo));
     }
   });
   ```

## Unregistering a PIN Inputer

Use [unregisterInputer](../../reference/apis-basic-services-kit/js-apis-osAccount-sys.md#unregisterinputer8) to unregister the PIN inputer that is no longer required.

**Procedure**

```ts
pinAuth.unregisterInputer();
```

## Closing a Session

Use [closeSession](../../reference/apis-basic-services-kit/js-apis-osAccount-sys.md#closesession8) to close a session to terminate credential management.

**Procedure**

```ts
userIDM.closeSession();
```
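
The snippets in Authenticating a PIN and Enrolling Biometric Credentials use fixed byte arrays for the challenge and token. The following added example (not part of the original page or of the OpenHarmony project) chains the steps into one flow so that the token passed to `addCredential` is the one returned by PIN authentication, and the session is closed even when a step fails. It assumes a PIN inputer is already registered, that the challenge returned by `openSession` is the one passed to `auth`, and that result code 0 means success; `Idm`, `Authenticator`, `authenticatePin` and `enrollBiometric` are hypothetical names.

```ts
// Added example: hypothetical minimal shapes mirroring the osAccount calls on this page.
interface AuthResult { token?: Uint8Array }
interface RequestResult { credentialId?: Uint8Array }
interface CredentialInfo { credType: number; credSubType: number; token: Uint8Array }
interface Idm {
  openSession(): Promise<Uint8Array>;
  addCredential(info: CredentialInfo,
                cb: { onResult: (code: number, result: RequestResult) => void }): void;
  closeSession(): void;
}
interface Authenticator {
  auth(challenge: Uint8Array, authType: number, trustLevel: number,
       cb: { onResult: (code: number, extra: AuthResult) => void }): Uint8Array;
}

const SUCCESS = 0;  // assumption: result code 0 means success
const PIN = 1;      // AuthType.PIN value from the table on this page

// Wrap the callback-style auth() so the authorization token can be awaited.
function authenticatePin(ua: Authenticator, challenge: Uint8Array,
                         trustLevel: number): Promise<Uint8Array> {
  return new Promise<Uint8Array>((resolve, reject) => {
    ua.auth(challenge, PIN, trustLevel, {
      onResult: (code, extra) => {
        if (code === SUCCESS && extra.token && extra.token.length > 0) resolve(extra.token);
        else reject(new Error('PIN auth failed, code ' + code));
      }
    });
  });
}

// Session challenge -> PIN auth -> authToken -> addCredential, then close the session.
async function enrollBiometric(idm: Idm, ua: Authenticator, credType: number,
    credSubType: number, trustLevel: number): Promise<Uint8Array | undefined> {
  const challenge = await idm.openSession();
  try {
    const token = await authenticatePin(ua, challenge, trustLevel);
    return await new Promise<Uint8Array | undefined>((resolve, reject) => {
      idm.addCredential({ credType, credSubType, token }, {
        onResult: (code, result) => code === SUCCESS
          ? resolve(result.credentialId)
          : reject(new Error('addCredential failed, code ' + code))
      });
    });
  } finally {
    idm.closeSession();  // runs on success and on failure
  }
}
```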