Comments (7)
From 11/1/23 WG meeting: There's definitely still a desire for this from RP's, CC'ing @nsatragno and @emlun to consider the idea that came up today about being able to include more info in errors that happen after a user consents to a ceremony.
from webauthn.
You have to go digging into the spec to connect the pieces, but the spec definitely outlines discrete error scenarios that should be reliably detectable. For sake of discussion, I've done so with my own library for both registration and authentication:
- https://github.com/MasterKale/SimpleWebAuthn/blob/master/packages/browser/src/helpers/identifyRegistrationError.ts
- https://github.com/MasterKale/SimpleWebAuthn/blob/master/packages/browser/src/helpers/identifyAuthenticationError.ts
The exceptions here are the various NotAllowedError
that can come up. The spec defines a couple of discrete conditions under which NotAllowedError
can be mapped to specific error causes. However, browsers have overloaded this type of error with browser-specific error messages too that make it trickier to differentiate spec-related error conditions from browser-related error conditions.
All this said, I agree that the spec doesn't make it easy at all to identify all the discrete errors that can come up during a WebAuthn ceremony. Perhaps this becomes an editorial PR to bundle these errors together and under what conditions they'd arise.
from webauthn.
Please correct me if I'm wrong, but the code you link to seems to be more about providing some explanatory text for every error, rather than, for example, categorizing errors into those that should be displayed to the user vs those that shouldn't, no? As far as I can tell, it also does not seem to provide a useful return value when, for example, Firefox throws an error in the above mentioned example where the presented authenticator doesn't contain a key for the account.
from webauthn.
2023-08-30 meeting: @MasterKale did you still want to do anything with this issue for L3?
from webauthn.
Just noting that there is precedent in the spec for this: the InvalidStateError
in create() explicitly calls out that a more granular error is acceptable because the user has consented to the operation:
Note: This error status is handled separately because [...] and the user has consented to the operation. Given this explicit consent, it is acceptable for this case to be distinguishable to the Relying Party.
I too was recently surprised that we don't have such a case in get()
for when the user attempts to use an authenticator that is not registered. There are probably other error causes that could be communicated too ("various failure cases in the hybrid flow" was mentioned on the call). We might end up needing a custom DOMException
derived interface for that.
from webauthn.
Another error use case to consider:
- RP requires UV, but a user tries to use a U2F security key that doesn't support PIN. It would be useful to see that the user tried to use an older security key so we could be more specific about why they couldn't use it.
from webauthn.
I'd also love for it to be clarified how the RP can interpret InvalidStateError
during create(…)
:
For now the only possible cause is a excludeCredentials
match, but I believe the spec does not specify that this is a safe assumption for the future.
from webauthn.
Related Issues (20)
- [Superset] Updating credential metadata and requesting deletion of stale credentials HOT 19
- Extensions should specify partial dictionaries that modify AuthenticationExtensionsClient{Inputs, Outputs}JSON
- The bike shed build is broken with the newest version
- Provide a way for Web Extensions to hook into browser's Passkey autofill UI HOT 4
- Remove the [SameObject] attribute from PublicKeyCredential::authenticatorAttachment HOT 1
- Are notes in webauthn normative or informative? HOT 1
- Ambiguous instructions in the Android Key Attestation Statement Format verification procedure HOT 6
- Spec is not specific enough about order of conditional UI autofill tokens HOT 1
- create() and get() return an algorithm, not a credential HOT 1
- Virtual Authenticator API does not expose a way to set backup-eligible or backup-status flags HOT 9
- Deprecation warning for fido-u2f, apple, and android-safetynet? HOT 6
- > HOT 1
- Inconsistent Passkey Authentication in Google Chrome HOT 5
- rp.name, user.name and user.displayName length limit does not state binary encoding HOT 2
- How is an RP to know if a packed attestation root certificate is used for multiple authenticator models? HOT 2
- Wrong type of encrypted content specified for credentialId under "Credential Storage Modality" section HOT 1
- Cambios por abuso HOT 2
- Consider replacing "Github" with "GitHub" HOT 2
- Conditional UI support by WebAuthn WebDriver Extension HOT 2
- Refine JSON serialization to use UTF-8 encoding for `user.id` and `userHandle` HOT 10
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from webauthn.