Comments (10)
What would be nice is if the RP only had one challenge outstanding, and it could be satisfied by either the autofill UI or a modal interface.
Would that be useful knowing the limitation that Conditional UI requests have stricter requirements (e.g. they only allow discoverable credentials, no timeouts, no errors reported)?
Right now the aborted conditional UI request can't be restarted so the RP has to wire up reinitialization of conditional UI in this scenario.
This is not a spec issue, and you can definitely do that on chrome (:
In both scenarios, "concurrent" and "pausing", it'd be possible to interact with conditional UI after modal UI though,
The RP could choose to ignore the result of the conditional UI promise. But this starts to sound like it's similar in complexity to having to abort the request ๐ค.
unless perhaps success from one (i.e. the Promise resolving) keeps all other existing requests "paused"? thinking
I would be against this. RPs may have reasons to reject a result even if the promise resolves (e.g. because they didn't get some extension they needed, or because they want to reject the attestation). And then they would have to manually restart conditional UI, so we moved the problem to a more obscure edge case that still needs to be handled.
from webauthn.
How about instead of supporting "concurrent" requests, we paused the conditional request while the modal request is happening? This would allow browsers to not worry about authenticator race conditions between both requests and would free RPs from having to handle the case. In practice, this probably means we abort-then-restart just like a website would, but opaquely. I think Apple's original implementation did something like this (haven't caught up to the current behaviour). A modal request from a child frame would also pause a parent frame's request.
We'd have to update credman as Emil points out above, but it can definitely be done.
from webauthn.
What would be nice is if the RP only had one challenge outstanding, and it could be satisfied by either the autofill UI or a modal interface. Imagine the onClick action of a button on the same page as the autofill input field, being the thing that invoked the modal "version" of the interface. Ideally only one (the autofill) WebAuthn call need be made in JS, and the button just invoked the modal version of that while pausing the autofill version.
from webauthn.
From our experience with implementing conditional UI, we would very much welcome the proposed change.
from webauthn.
How about instead of supporting "concurrent" requests, we paused the conditional request while the modal request is happening? This would allow browsers to not worry about authenticator race conditions between both requests and would free RPs from having to handle the case.
I like this idea, to me whether it's "concurrent" or not wouldn't be here-nor-there to the RP. Thinking through a bit, I think RP's are more concerned that one of the requests is in-progress.
And come to think of it, if a conditional UI request is "paused" during modal UI but becomes unpaused when the modal UI ends then it'd actually be an improvement. This would mean that conditional UI could be used if the user decides to cancel out of the modal experience. Right now the aborted conditional UI request can't be restarted so the RP has to wire up reinitialization of conditional UI in this scenario.
In both scenarios, "concurrent" and "pausing", it'd be possible to interact with conditional UI after modal UI though, unless perhaps success from one (i.e. the Promise resolving) keeps all other existing requests "paused"? ๐ค
from webauthn.
We went over this issue at the working group meeting yesterday (and I forgot to click submit on this comment).
I think it would be fine to allow a modal request during a Conditional UI request. The Conditional UI request would be paused until the modal request finishes (successfully or not). This would require changes in both credman and webauthn.
I believe Shane mentioned he wanted to take another look at my previous comment and come back to the thread.
from webauthn.
See also: #1790. Seems like this is governed by the Credential Management spec, which WebAuthn hooks into. This is currently handled in step 6 of ยง2.5.1. Request a Credential, which currently matches only on [[type]]
regardless of the corresponding mediation
values.
from webauthn.
Speaking a little to developer experience, needing to be mindful of aborting existing CredMan requests is an aspect of WebAuthn API that is unlike most other browser APIs. As such I think it'd be more ideal for developers to be able to "fire and forget" requests.
Implementing JS logic to juggle abort controllers when implementing both Conditional and Modal UI flows on a page is not too onerous a task, speaking from practical experience. However we're essentially consigning every RP to have to write such logic (or find a third-party library that does this) if we don't consider updating Credential Management API to achieve this.
Speaking for developers I'd say it'd be worth it for the easier WebAuthn learning curve. However I acknowledge that this would introduce a lot of complexity into the Credential Management API given its current architecture. The ball is with the browser vendors now and if they'd want to take on such an effort.
from webauthn.
I am ok with allowing both concurrently from the client-side JS with the conditional UI request being paused whileever a modal is running. I'd like the test cases to include the ability to abort the conditional requests from the promise handler of the modal request if that sounds reasonable?
Also is there any reason why you couldn't use the same challenge (retrieved once from the server) for both these requests?
from webauthn.
2023-08-30 meeting: @nsatragno @sbweeden did we still want to pursue this? I think there were some concerns about the experience across clients if some implemented this and others didn't as there is no feature detection for something like this.
from webauthn.
Related Issues (20)
- Extensions should specify partial dictionaries that modify AuthenticationExtensionsClient{Inputs, Outputs}JSON
- The bike shed build is broken with the newest version
- Provide a way for Web Extensions to hook into browser's Passkey autofill UI HOT 4
- Remove the [SameObject] attribute from PublicKeyCredential::authenticatorAttachment HOT 1
- Are notes in webauthn normative or informative? HOT 1
- Ambiguous instructions in the Android Key Attestation Statement Format verification procedure HOT 6
- Spec is not specific enough about order of conditional UI autofill tokens HOT 1
- create() and get() return an algorithm, not a credential HOT 1
- Virtual Authenticator API does not expose a way to set backup-eligible or backup-status flags HOT 9
- Deprecation warning for fido-u2f, apple, and android-safetynet? HOT 6
- > HOT 1
- Inconsistent Passkey Authentication in Google Chrome HOT 5
- rp.name, user.name and user.displayName length limit does not state binary encoding HOT 2
- How is an RP to know if a packed attestation root certificate is used for multiple authenticator models? HOT 2
- Wrong type of encrypted content specified for credentialId under "Credential Storage Modality" section HOT 1
- Cambios por abuso HOT 2
- Consider replacing "Github" with "GitHub" HOT 2
- Conditional UI support by WebAuthn WebDriver Extension HOT 2
- Refine JSON serialization to use UTF-8 encoding for `user.id` and `userHandle` HOT 10
- Clarify usage of credentialRecord.transports HOT 5
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from webauthn.