Does the browser receive credential IDs or instrument IDs? #10
Comments
|
I think it needs to be credentials since we have heard a requirement from @btidor-stripe that the merchant is able to verify the assertion itself which means it MUST get back the credential ids and public keys from the issuer before invoking SPC. Further... I worry about the browser-side mapping of instruments to credentials and the high likelihood that the data gets stale. Why is it necessary for the browser to keep this mapping if it's possible for the issuer to simply return the credential IDs? Taking that thinking a little further, why do we even need a special credential type for this use case? Is it enough to simply use existing PublicKeyCredentials but only allow them to be used for assertions from non-RP origins if it's done in the context of a payment. I.e. After the merchant/PISP has gone to the ACS they will have a challenge and set of credentials and public keys that can be used for the SPC. Why not simply let the merchant provide the instrument label and icon? const securePaymentConfirmationRequest = {
instrument: {
displayName: 'Mastercard····4444',
icon: 'icon.png'
},
allowCredentials: [{
id: Uint8Array.from(credentialId, c => c.charCodeAt(0)),
type,
transports,
}],
challenge,
timeout,
fallbackUrl: "https://fallback.example/url"
}; |
|
Hey @adrianhopebailie, the browser needs to store the list of instruments, with names and icons, in order to show the card selector for the combined flow, right? I imagine they'll be kept in persistent, long-term storage, but that users will be able to view and delete instruments in some sort of browser settings page (which could be a nice kind of control to offer). For the authentication-only flow, I think it could be possible to do away with the instrument and use only a PublicKeyCredential, though I'm not sure if the browser should trust the merchant to display text and an icon in this particular surface. |
Yes, but not bound to a credential. The mapping of an instrument to a credential is set by the issuer and will be maintained on the issuer's systems. Asking issuers to also store this in all of a user's browsers is a recipe for chaos IMO.
I think we need to look at this carefully. I couldn't think of any threats that this would present. |
|
Great questions!
Because browser doesn't trust the merchant. If the merchant is able to provide the label and icon, then it'll be possible for a malicious merchant to provide a misleading icon and label to phish the user's credential. It's critical that the label and icon are supplied by the original RP. Technically, the instrument label and icon don't need to be saved in the browser. Since the browser knows the RP, it can use some kind of discovery mechanism to find the instrument label and credential. But this gets complicated... It's much simpler for the browser to cache a string and an icon during credential enrollment.
Great point. The simplest approach is for the issuer to update an existing credential with a new label and icon when the user visits the issuer's website. But I wonder if a user cannot be guaranteed to revisit. Perhaps some kind of push mechanism for the RP to update the instrument label and icon would be helpful. Filed https://github.com/rsolomakhin/secure-payment-confirmation/issues/14 to track this separately.
The extra metadata associated with the credential is one reason for a special credential type. Another reason is developer ergonomics. PublicKeyCredentialCreationOptions contains a lot of options that don't make sense for Secure Payment Confirmation (e.g. The new type also enables us to build payments specific features, such as the aforementioned push update of instrument label and icon. Going back to the original question, I'm leaning towards instrument ID over credential ID because the added layer of abstraction allows loose coupling.
|
|
If a single |
|
@rsolomakhin and @stephenmcgruer, I think we can answer "credential ID" in light of the draft and close this. |
I agree. |
|
Closed after confirming with @rsolomakhin. |
During checkout, the browser needs to know the WebAuthn credential IDs associated with the instrument to generate an assertion. The issuer can return the credential IDs directly or return the instrument IDs, which the browser will dereference into credential IDs using an internal mapping. The internal mapping is updated when enrolling a new credential.
For the pilot, both options will work equally well.
Post pilot, having the instrument ID abstraction may be useful. For example, it can be used as a new routable ID on the network for the combined instrument selection & authentication flow.
The instrument ID format will be defined by each payment method. So maybe it can also be a composite data structure that contains a credential ID and any other metadata the issuer wants to include.
The text was updated successfully, but these errors were encountered: