-
Notifications
You must be signed in to change notification settings - Fork 167
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
attachment is only explicitly used in create() #420
Comments
[ oops, did not mean to hit [Comment] yet, sorry, so continuing with the issue submission here, I've also edited the initial description, so please do not rely on the emailed copy ] Is the example (above) expected to work due to.. (a) the RP knowing, from credential creation & registration, that it has a cred for the user backed by a platform-attached authnr and thus is able to place just that one cred in the I.e., rather than, (b) being able to state "use any cred registered with this RP that has an attachment of I do not think we necessarily need to have (b), but if (a) is the expected way for the use case to work we may want to clarify that in the spec. If we were to want (b), we'd have to do some work. |
@equalsJeffH please verify |
Yes, this remains a valid issue -- need feedback from @jyasskin @christiaanbrand @emlun @AngeloKai @akshayku wrt is the answer (a) or (b) ? |
For what it's worth (a) is not possible in the first factor use case (no That said, I frankly can't see a use case for why an RP would ever want to allow an attachment mode for registration but not assertion. I don't see in what way that would be better than just sending |
Oh wait, looks like I mixed this up with transport modes. I think the same argument applies, though. That might actually be even less useful - the use case for roaming authenticators in the example already has this as an implicit limitation, so I don't see why it would be useful to also impose it as an artificial limitation; and the use case for platform authenticators is IMO better solved as described in my previous post. |
I vote (a) and I agree with @emlun that this doesn’t work for resident credentials, but it doesn’t need to. This is to solve for a typical reauth scenario where the RP only want to register a credential on a local “platform” authenticator since part of the security model is the fact that the authenticator is built-in (ie. it’s really used as a 2nd factor; the cookie identifying the platform is the first factor). In this case the RP will always have the credentialID since it has a handle to the device (via a session cookie, etc) and can use the allowList. |
Do we have consensus that passing authenticator selection parameters to |
PR #420 is merged so closing this. |
The description of
MakeCredentialOptions.attachment
(of typeAttachment
) is:Also, in the description of the
Attachment
type, there is this first brief example in the final parag:Finally, there is no option/parameter of type
Attachment
provided toScopedCredential::[[DiscoverFromExternalSource]](options)
(see: https://w3c.github.io/webauthn/#getAssertion)The text was updated successfully, but these errors were encountered: