Allow callers to explicitly specify RP ID #198
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -130,8 +130,8 @@ or a combination of both. | |
|
|
||
| This specification relies on several other underlying specifications. | ||
|
|
||
| : HTML | ||
| :: The concept of <dfn for='web'>origin</dfn> and the <dfn>Navigator</dfn> interface are defined in [[!HTML51-20160621]]. | ||
|
|
||
| : Web IDL | ||
| :: Many of the interface definitions and all of the IDL in this specification depend on [[!WebIDL-1]]. This updated version of | ||
|
|
@@ -204,10 +204,6 @@ NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and | |
| :: A user agent implementing, in conjunction with the underlying platform, the <a>Web Authentication API</a> and algorithms | ||
| given in this specification, and handling communication between <a>Authenticators</a> and <a>[RPS]</a>. | ||
|
|
||
| : <dfn>Registration</dfn> | ||
| :: The <a>ceremony</a> where a user, a <a>[RP]</a>, and the user's computing device(s) (containing at least one | ||
| <a>authenticator</a>) work in concert to create a <a>scoped credential</a> and associate it with the user's <a>[RP]</a> | ||
|
|
@@ -222,7 +218,8 @@ NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and | |
|
|
||
| : <dfn>Relying Party Identifier</dfn> | ||
| : <dfn>RP ID</dfn> | ||
| :: A Relying Party Identifier defines the scope of a given credential, i.e. the set of origins that the client will permit to | ||
| access that credential. It is derived from a <a>[RP]</a>'s web origin's hostname or directly specified by the [RP]. | ||
|
|
||
| : <dfn>Scoped Credential</dfn> | ||
| :: Generically, a credential is data one entity presents to another in order to authenticate the former's identity [[RFC4949]]. | ||
|
|
@@ -345,10 +342,12 @@ When this method is invoked, the user agent MUST execute the following algorithm | |
| 2. Let |promise| be a new <a data-lt="Promises">Promise</a>. Return |promise| and start a timer for |adjustedTimeout| seconds. | ||
| Then asynchronously continue executing the following steps. | ||
|
|
||
| 3. Set |callerOrigin| to the <a link-for='web'>origin</a> of the caller. If {{CredentialOptions/rpId}} is not specified, then | ||
| set |rpId| to |callerOrigin|. If {{CredentialOptions/rpId}} is specified, then invoke the algorithm for relaxing the same- | ||
| origin restriction as specified in [[!HTML51-20160621]] section 6.4.1, using {{CredentialOptions/rpId}} as the given value | ||
| and without changing the current document's `domain`. If any errors are thrown, reject |promise| with a <a>DOMException</a> | ||
| whose name is "SecurityError", and terminate this algorithm. If no errors are thrown, set |rpId| to the value of `host` as | ||
| computed by the algorithm. Set |rpIdHash| to the SHA-256 hash of |rpId|. | ||
|
|
||
| 4. Process each element of <a>cryptoParameters</a> using the following steps, to produce a new sequence `normalizedParameters`: | ||
| - Let |current| be the currently selected element of <a>cryptoParameters</a>. | ||
|
|
@@ -421,10 +420,12 @@ When this method is invoked, the user agent MUST execute the following algorithm | |
| 2. Let |promise| be a new <a data-lt="Promises">Promise</a>. Return |promise| and start a timer for |adjustedTimeout| seconds. | ||
| Then asynchronously continue executing the following steps. | ||
|
|
||
| 3. Set |callerOrigin| to the <a link-for='web'>origin</a> of the caller. If {{CredentialOptions/rpId}} is not specified, then | ||
| set |rpId| to |callerOrigin|. If {{CredentialOptions/rpId}} is specified, then invoke the algorithm for relaxing the same- | ||
| origin restriction as specified in [[!HTML51-20160621]] section 6.4.1, using {{CredentialOptions/rpId}} as the given value | ||
| and without changing the current document's `domain`. If any errors are thrown, reject |promise| with a <a>DOMException</a> | ||
| whose name is "SecurityError", and terminate this algorithm. If no errors are thrown, set |rpId| to the value of `host` as | ||
| computed by the algorithm. Set |rpIdHash| to the SHA-256 hash of |rpId|. | ||
|
|
||
| 4. If {{AssertionOptions/extensions}} was specified, process any extensions supported by this client platform, to produce the | ||
| extension data that needs to be sent to the authenticator. Call this data |clientExtensions|. | ||
|
|
@@ -553,6 +554,7 @@ authorizing an authenticator with which to complete the operation. | |
| <pre class="idl"> | ||
| dictionary CredentialOptions { | ||
| unsigned long timeoutSeconds; | ||
| USVString rpId; | ||
|
There was a problem hiding this comment. Why USVString here? See http://heycam.github.io/webidl/#idl-USVString There was a problem hiding this comment. This RP ID will be sent to the authenticator "over the wire" when authenticatorMakeCredential is invoked. That seems to fit the USVString use case in the above guidance, though I would welcome expert guidance here. |
||
| sequence < CredentialDescription > excludeList; | ||
| WebAuthnExtensions extensions; | ||
| }; | ||
|
|
@@ -564,6 +566,9 @@ authorizing an authenticator with which to complete the operation. | |
|
|
||
| - The <dfn>timeoutSeconds</dfn> parameter specifies a time, in seconds, that the caller is willing to wait for the call to | ||
| complete. This is treated as a hint, and may be overridden by the platform. | ||
|
|
||
| - The <dfn>rpId</dfn> parameter explicitly specifies the RP ID that the credential should be associated with. If it is | ||
| omitted, the RP ID will be set to the caller's origin. | ||
|
There was a problem hiding this comment. i suspect that the term "caller's origin" will not pass muster here -- will try to figure out more precise term for where we say "caller" or "caller's". There was a problem hiding this comment. fyi/fwiw, i did nose around in the HTML spec(s) and they also use the term "caller" (in terms of the caller of an algorithm/operation), so I think/hope we're ok with using it in a similar fashion. |
||
|
|
||
| - The <dfn>excludeList</dfn> parameter is intended for use by <a>[RPS]</a> that wish to limit the creation of multiple | ||
| credentials for the same account on a single authenticator. The platform is requested to return an error if the new | ||
|
|
@@ -610,6 +615,7 @@ user consent to a specific transaction. The structure of these signatures is def | |
| <pre class="idl"> | ||
| dictionary AssertionOptions { | ||
| unsigned long timeoutSeconds; | ||
| USVString rpId; | ||
|
There was a problem hiding this comment. Why USVString here? See http://heycam.github.io/webidl/#idl-USVString There was a problem hiding this comment. See above comment regarding same issue in CredentialOptions. |
||
| sequence < CredentialDescription > allowList; | ||
| WebAuthnExtensions extensions; | ||
| }; | ||
|
|
@@ -620,6 +626,9 @@ user consent to a specific transaction. The structure of these signatures is def | |
|
|
||
| - The optional <dfn>timeoutSeconds</dfn> parameter specifies a time, in seconds, that the caller is willing to wait for the | ||
| call to complete. This is treated as a hint, and may be overridden by the platform. | ||
|
|
||
| - The optional <dfn>rpId</dfn> parameter specifies the rpId claimed by the caller. If it is omitted, it will be assumed to | ||
| be equal to the caller's origin. | ||
|
There was a problem hiding this comment. see comment above wrt "caller" et al. |
||
|
|
||
| - The optional <dfn>allowList</dfn> member contains a list of credentials acceptable to the caller, in order of the caller's | ||
| preference. | ||
|
|
@@ -691,7 +700,6 @@ string-valued keys. Values may be any type that has a valid encoding in JSON. It | |
| dictionary ClientData { | ||
| required DOMString challenge; | ||
| required DOMString origin; | ||
| required AlgorithmIdentifier hashAlg; | ||
| DOMString tokenBinding; | ||
| WebAuthnExtensions extensions; | ||
|
|
@@ -704,8 +712,6 @@ string-valued keys. Values may be any type that has a valid encoding in JSON. It | |
| The <dfn>origin</dfn> member contains the fully qualified web origin of the requester, as provided to the authenticator by | ||
| the client, in the syntax defined by [[RFC6454]]. | ||
|
|
||
| The <dfn>hashAlg</dfn> member specifies the hash algorithm used to compute <a>clientDataHash</a> (see | ||
| [[#authenticator-signature]]). Use "S256" for SHA-256, "S384" for SHA384, "S512" for SHA512, and "SM3" for SM3 (see | ||
| [[#iana-considerations]]). This algorithm is chosen by the client at its sole discretion. | ||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fyi, the fix I'm working on for #171 & #172 alters the first sentence, but not the remainder of this step, i.e., it ought to mesh ok (I hope).