# Managing System Account Credentials (for System Application Only)

Credentials can be used to authenticate users. This topic walks you through how to add, update, obtain, and delete credentials for a system account and authenticate the system account using the enrolled credentials.

## Credential Type

The following types of credentials are supported for system accounts:

| Name | Value| Description            |
| ----- | ----- | ---------------- |
| PIN   | 1     | PIN.|
| FACE  | 2     | Face.|
| FINGERPRINT<sup>10+</sup>   | 4     | Fingerprint.|

## Credential Subtype

Credential types are further classified into the following subtypes:

| Name      | Value| Description              |
| ---------- | ----- | ------------------ |
| PIN_SIX    | 10000 | Six-digit PIN.      |
| PIN_NUMBER | 10001 | Custom PIN.|
| PIN_MIXED  | 10002 | Custom mixed PIN.|
| FACE_2D    | 20000 | 2D face credential.  |
| FACE_3D    | 20001 | 3D face credential.  |
| FINGERPRINT_CAPACITIVE<sup>10+</sup>    | 30000 | Capacitive fingerprint.  |
| FINGERPRINT_OPTICAL<sup>10+</sup>    | 30001 | Optical fingerprint.  |
| FINGERPRINT_ULTRASONIC<sup>10+</sup>    | 30002 | Ultrasonic fingerprint.  |

> **NOTE**<br>The credential types supported by the device depend on the hardware capability.

## Before You Start

1. Request the following permissions. For details, see [Requesting Permissions for system_basic Applications](../security/AccessToken/determine-application-mode.md#requesting-permissions-for-system_basic-applications).
   - ohos.permission.MANAGE_USER_IDM
   - ohos.permission.ACCESS_PIN_AUTH

2. Import the **osAccount** module.

   ```ts
   import account_osAccount from '@ohos.account.osAccount';
   ```

3. Create a **UserIDM** instance.

   ```ts
   let userIDM: account_osAccount.UserIDM = new account_osAccount.UserIDM();
   ```

## Opening a Session

Use [openSession](../reference/apis-basic-services-kit/js-apis-osAccount-sys.md#opensession8) to open a session for credential management.

**Procedure**

1. Use [openSession](../reference/apis-basic-services-kit/js-apis-osAccount-sys.md#opensession8) to open a session for credential management.

   ```ts
   let challenge: Uint8Array = await userIDM.openSession();
   ```

## Registering a PIN Inputer

Register a PIN inputer to transmit PIN data.

**Procedure**

1. Define a PIN inputer and obtain the PIN.

   ```ts
   // Sample PIN data. You can obtain the PIN in other ways.
   let pinData: Uint8Array = new Uint8Array([31, 32, 33, 34, 35, 36]);
   let inputer: account_osAccount.IInputer = {
     // Called when PIN data is requested; passes the PIN back through the callback.
     onGetData: (authSubType: account_osAccount.AuthSubType, callback: account_osAccount.IInputData) => {
       callback.onSetData(authSubType, pinData);
     }
   };
   ```

2. Use [registerInputer](../reference/apis-basic-services-kit/js-apis-osAccount-sys.md#registerinputer8) to register the PIN inputer.

   ```ts
   let pinAuth: account_osAccount.PINAuth = new account_osAccount.PINAuth();
   pinAuth.registerInputer(inputer);
   ```

## Enrolling a PIN

Use [addCredential](../reference/apis-basic-services-kit/js-apis-osAccount-sys.md#addcredential8) to enroll a PIN.

**Procedure**

1. Define the PIN authentication credential.

   ```ts
   let credentialInfo: account_osAccount.CredentialInfo = {
     credType: account_osAccount.AuthType.PIN,
     credSubType: account_osAccount.AuthSubType.PIN_SIX,
     // Placeholder value: no authentication token exists before the first PIN is enrolled.
     token: new Uint8Array([0])
   };
   ```

2. Use [addCredential](../reference/apis-basic-services-kit/js-apis-osAccount-sys.md#addcredential8) to add credential information. The credential is returned by a callback or promise.

   ```ts
   userIDM.addCredential(credentialInfo, {
     onResult: (code: number, result: account_osAccount.RequestResult) => {
       console.log('addCredential code = ' + code);
       console.log('addCredential result = ' + JSON.stringify(result));
     }
   });
   ```

## Authenticating a PIN

Use [auth](../reference/apis-basic-services-kit/js-apis-osAccount-sys.md#auth8) to perform PIN authentication.

**Procedure**

1. Set authentication parameters, including the challenge value, authentication type, and authentication trust level.

   ```ts
   let challenge: Uint8Array = new Uint8Array([1, 2, 3, 4, 5]);
   let authType: account_osAccount.AuthType = account_osAccount.AuthType.PIN;
   let authTrustLevel: account_osAccount.AuthTrustLevel = account_osAccount.AuthTrustLevel.ATL1;
   ```

2. Use [auth](../reference/apis-basic-services-kit/js-apis-osAccount-sys.md#auth8) to perform PIN authentication.

   ```ts
   let userAuth: account_osAccount.UserAuth = new account_osAccount.UserAuth();
   userAuth.auth(challenge, authType, authTrustLevel, {
     onResult: (result: number, extraInfo: account_osAccount.AuthResult) => {
       console.log('pin auth result = ' + result);
       console.log('pin auth extraInfo = ' + JSON.stringify(extraInfo));
       // Authorization token used by the credential management steps that follow.
       let authToken = extraInfo.token;
     }
   });
   ```

## Enrolling Biometric Credentials

Biometric credentials such as face and fingerprint can be enrolled after the PIN authentication is successful. The enrollment process is similar to the PIN enrollment process.

**Procedure**

1. Perform PIN authentication to obtain the authorization token (**authToken**).

2. Set face credential information. The following uses 2D face credential as an example.

   ```ts
   let faceCredInfo: account_osAccount.CredentialInfo = {
     credType: account_osAccount.AuthType.FACE,
     credSubType: account_osAccount.AuthSubType.FACE_2D,
     token: authToken
   };
   ```

3. Use [addCredential](../reference/apis-basic-services-kit/js-apis-osAccount-sys.md#addcredential8) to enroll face credentials.

   ```ts
   userIDM.addCredential(faceCredInfo, {
     onResult: (code: number, result: account_osAccount.RequestResult) => {
       console.log('add face credential, resultCode: ' + code);
       console.log('add face credential, request result: ' + JSON.stringify(result));
     }
   });
   ```

4. Set fingerprint credential information.

   ```ts
   let fingerprintCredInfo: account_osAccount.CredentialInfo = {
     credType: account_osAccount.AuthType.FINGERPRINT,
     credSubType: account_osAccount.AuthSubType.FINGERPRINT_CAPACITIVE,
     token: authToken
   };
   ```

5. Use [addCredential](../reference/apis-basic-services-kit/js-apis-osAccount-sys.md#addcredential8) to enroll the fingerprint.

   ```ts
   userIDM.addCredential(fingerprintCredInfo, {
     onResult: (code: number, result: account_osAccount.RequestResult) => {
       console.log('add fingerprint credential, resultCode: ' + code);
       console.log('add fingerprint credential, request result: ' + JSON.stringify(result));
     }
   });
   ```

## Authenticating Biometric Credentials

Biometric authentication can be performed after the biometric credentials are enrolled. You can use [auth](../reference/apis-basic-services-kit/js-apis-osAccount-sys.md#auth8) to perform biometric authentication.

**Procedure**

1. Set authentication parameters, including the challenge value, authentication type, and authentication trust level. The following uses facial authentication as an example.

   ```ts
   let challenge: Uint8Array = new Uint8Array([1, 2, 3, 4, 5]);
   let authType: account_osAccount.AuthType = account_osAccount.AuthType.FACE;
   let authTrustLevel: account_osAccount.AuthTrustLevel = account_osAccount.AuthTrustLevel.ATL1;
   ```

2. Use **auth()** to perform authentication.

   ```ts
   let userAuth: account_osAccount.UserAuth = new account_osAccount.UserAuth();
   userAuth.auth(challenge, authType, authTrustLevel, {
     onResult: (result: number, extraInfo: account_osAccount.AuthResult) => {
       console.log('face auth result = ' + result);
       console.log('face auth extraInfo = ' + JSON.stringify(extraInfo));
     }
   });
   ```

## Updating a Credential

The user can update credentials as required. You can use [updateCredential](../reference/apis-basic-services-kit/js-apis-osAccount-sys.md#updatecredential8) to update credential information.

**Procedure**

1. Perform PIN authentication to obtain the authorization token (**authToken**).

2. Specify the credential information to be updated.

   ```ts
   let credentialInfo: account_osAccount.CredentialInfo = {
     credType: account_osAccount.AuthType.PIN,
     credSubType: account_osAccount.AuthSubType.PIN_SIX,
     token: authToken,
   };
   ```

3. Use [updateCredential](../reference/apis-basic-services-kit/js-apis-osAccount-sys.md#updatecredential8) to update the credential.

   ```ts
   userIDM.updateCredential(credentialInfo, {
     onResult: (result: number, extraInfo: account_osAccount.RequestResult) => {
       console.log('updateCredential result = ' + result);
       console.log('updateCredential extraInfo = ' + JSON.stringify(extraInfo));
     }
   });
   ```

## Obtaining Credential Information

The enrolled credentials need to be displayed on the credential management page, and the available credential types need to be displayed on the lock screen page. You can use [getAuthInfo](../reference/apis-basic-services-kit/js-apis-osAccount-sys.md#getauthinfo8) to obtain the credential information to be displayed.

**Procedure**

1. Obtain information about all the credentials enrolled.

   ```ts
   let enrolledCredInfoList: account_osAccount.EnrolledCredInfo[] = await userIDM.getAuthInfo();
   ```

2. Use [getAuthInfo](../reference/apis-basic-services-kit/js-apis-osAccount-sys.md#getauthinfo8) to obtain the credential of the specified type. In the following example, the fingerprint enrolled is obtained.

   ```ts
   let enrolledFingerCredInfoList: account_osAccount.EnrolledCredInfo[] = await userIDM.getAuthInfo(account_osAccount.AuthType.FINGERPRINT);
   ```

## Deleting a Credential

Before a credential is deleted, [PIN authentication](#authenticating-a-pin) is required and the ID of the credential to be deleted needs to be [obtained](#obtaining-credential-information).

For example, to delete a fingerprint, do as follows:

1. Obtain the fingerprint information.

   ```ts
   let credInfoList: account_osAccount.EnrolledCredInfo[] = await userIDM.getAuthInfo(account_osAccount.AuthType.FINGERPRINT);
   // Placeholder ID, replaced by the ID of the first enrolled fingerprint if one exists.
   let credentialId: Uint8Array = new Uint8Array([0]);
   if (credInfoList.length != 0) {
     credentialId = credInfoList[0].credentialId;
   }
   ```

2. [Perform PIN authentication](#authenticating-a-pin) to obtain the authentication token.

3. Use [delCred](../reference/apis-basic-services-kit/js-apis-osAccount-sys.md#delcred8) to delete the fingerprint credential.

   ```ts
   // authToken is the token obtained from PIN authentication in step 2.
   userIDM.delCred(credentialId, authToken, {
     onResult: (result: number, extraInfo: account_osAccount.RequestResult) => {
       console.log('delCred result = ' + result);
       console.log('delCred extraInfo = ' + JSON.stringify(extraInfo));
     }
   });
   ```

## Unregistering a PIN Inputer

Use [unregisterInputer](../reference/apis-basic-services-kit/js-apis-osAccount-sys.md#unregisterinputer8) to unregister the PIN inputer that is no longer required.

**Procedure**

```ts
pinAuth.unregisterInputer();
```

## Closing a Session

Use [closeSession](../reference/apis-basic-services-kit/js-apis-osAccount-sys.md#closesession8) to close a session to terminate credential management.

**Procedure**

```ts
userIDM.closeSession();
```

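The sections above form one lifecycle: open a session, register the inputer, authenticate with the PIN, perform the credential operation, then unregister the inputer and close the session. The following added example (not part of the original document or the platform's own code) runs the delete flow so that the token is used only after a successful result code and cleanup also happens on failure paths. `IdmLike`, `PinAuthLike`, `AuthLike`, `authPin` and `deleteCredential` are hypothetical names standing in for the calls shown on this page; treating result code 0 as success and passing the `openSession` challenge to `auth` are assumptions.

```typescript
// Added example. IdmLike, PinAuthLike and AuthLike are stand-in interfaces that
// mirror only the UserIDM, PINAuth and UserAuth calls shown on this page.
interface AuthCb { onResult(result: number, extraInfo: { token?: Uint8Array }): void }
interface IdmCb { onResult(result: number, extraInfo: object): void }
interface IdmLike {
  openSession(): Promise<Uint8Array>;
  delCred(credentialId: Uint8Array, token: Uint8Array, cb: IdmCb): void;
  closeSession(): void;
}
interface PinAuthLike { registerInputer(inputer: object): void; unregisterInputer(): void }
interface AuthLike {
  auth(challenge: Uint8Array, authType: number, authTrustLevel: number, cb: AuthCb): void;
}

const SUCCESS = 0;       // assumption: result code 0 means success
const AUTH_TYPE_PIN = 1; // PIN value from the Credential Type table

// Resolve with the token only when the result code reports success.
function authPin(auth: AuthLike, challenge: Uint8Array, atl: number): Promise<Uint8Array> {
  return new Promise<Uint8Array>((resolve, reject) => {
    auth.auth(challenge, AUTH_TYPE_PIN, atl, {
      onResult: (result, extraInfo) => {
        if (result === SUCCESS && extraInfo.token) { resolve(extraInfo.token); }
        else { reject(new Error('pin auth failed, result = ' + result)); }
      }
    });
  });
}

async function deleteCredential(idm: IdmLike, pinAuth: PinAuthLike, auth: AuthLike,
    pinData: Uint8Array, credentialId: Uint8Array, atl: number): Promise<void> {
  const inputer = {
    onGetData: (subType: number, cb: { onSetData(s: number, d: Uint8Array): void }) =>
      cb.onSetData(subType, pinData)
  };
  const challenge = await idm.openSession(); // assumption: reuse the session challenge for auth
  try {
    pinAuth.registerInputer(inputer);
    const token = await authPin(auth, challenge, atl);
    await new Promise<void>((resolve, reject) => idm.delCred(credentialId, token, {
      onResult: (result) => result === SUCCESS
        ? resolve() : reject(new Error('delCred failed, result = ' + result))
    }));
  } finally {
    // Cleanup runs on success and on every failure path.
    pinAuth.unregisterInputer();
    idm.closeSession();
    pinData.fill(0); // wipe the caller's PIN buffer
  }
}
```

On a device, pass the real `UserIDM`, `PINAuth` and `UserAuth` instances created in the steps above; they are expected to satisfy these stand-in interfaces structurally.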