Comments (3)
...and as I wrote this out I realized I'm going to immediately argue against myself (hey, that's what discussions are for!):
Essentially, a
false
output would indicate that the extension might succeed on that device if the RP retries the request at a later time, while an absent output would indicate the extension is unlikely to succeed if retried.
On further thought this doesn't quite hold up: an absent output could also just mean the client is not recent enough, while the authenticator is perfectly capable of the required operations. So the false
proposed above might actually not add any information?
So perhaps the meaning of false
should be the other way around, at least on the client output level - if the client understands the extension, and knows that the authenticator will never support it, then return some variant of "~false" to indicate the RP can stop retrying on this machine. If that is in combination with an authenticator output of false
, then it means the extension is supported but failed; if the client output is "~false" and the authenticator output is absent, that means the authenticator will never support it.
As noted above, I suppose empty object ({}
) would be the natural way to express a "~false" client output without complicating the WebIDL types. But then: this adds a bit of complexity in processing the output values. Is the information gained worth that added complexity?
from webauthn.
Picking at the language in the spec:
Similarly, any extension that requires authenticator processing MUST return an authenticator extension output to let the Relying Party know that the extension was honored by the authenticator.
If the authenticator refused / failed to create a DPK then the extension wasn't honored by the authenticator.
If an extension does not otherwise require any result values, it SHOULD be defined as returning a JSON Boolean client extension output result, set to true to signify that the extension was understood and processed.
DPK does require result values. (And in the case in question, the extension was not processed.)
Likewise, any authenticator extension that does not otherwise require any result values MUST return a value and SHOULD return a CBOR Boolean authenticator extension output result, set to true to signify that the extension was understood and processed.
DPK does require result values. (And in the case in question, the extension was not processed.)
So I don't think any of those apply here?
In practice, I don't believe that the authenticator failing to create a DPK is a useful signal for sites. It "shouldn't" happen. Of course, weird corruption does happen on a tiny handful of devices that can cause all sorts of weirdness, but that argues too much: if any sort of weird behaviour is in scope then we would have no end of error conditions to explicitly handle.
from webauthn.
Agreed, I don't think the difference (if any) is actually useful to the RP. An RP that wants to use devicePubKey
should always request the extension anyway. The case where a supporting authenticator randomly fails, but would succeed if the request is immediately retried, should be rare enough that it's not worth these complications. Thanks for your thoughts!
from webauthn.
Related Issues (20)
- Extensions should specify partial dictionaries that modify AuthenticationExtensionsClient{Inputs, Outputs}JSON
- The bike shed build is broken with the newest version
- Provide a way for Web Extensions to hook into browser's Passkey autofill UI HOT 4
- Remove the [SameObject] attribute from PublicKeyCredential::authenticatorAttachment HOT 1
- Are notes in webauthn normative or informative? HOT 1
- Ambiguous instructions in the Android Key Attestation Statement Format verification procedure HOT 6
- Spec is not specific enough about order of conditional UI autofill tokens HOT 1
- create() and get() return an algorithm, not a credential HOT 1
- Virtual Authenticator API does not expose a way to set backup-eligible or backup-status flags HOT 9
- Deprecation warning for fido-u2f, apple, and android-safetynet? HOT 6
- > HOT 1
- Inconsistent Passkey Authentication in Google Chrome HOT 5
- rp.name, user.name and user.displayName length limit does not state binary encoding HOT 2
- How is an RP to know if a packed attestation root certificate is used for multiple authenticator models? HOT 2
- Wrong type of encrypted content specified for credentialId under "Credential Storage Modality" section HOT 1
- Cambios por abuso HOT 2
- Consider replacing "Github" with "GitHub" HOT 2
- Conditional UI support by WebAuthn WebDriver Extension HOT 2
- Refine JSON serialization to use UTF-8 encoding for `user.id` and `userHandle` HOT 10
- Clarify usage of credentialRecord.transports HOT 5
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from webauthn.