-
Notifications
You must be signed in to change notification settings - Fork 180
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Apply RFC 8264 enforcement only to non-empty strings #2073
Conversation
Co-authored-by: Matthew Miller <matthew@millerti.me>
I approved as-is, but I keep coming back to the idea that maybe we keep the existing preamble, but change the "SHOULD set to an empty string" guidance to something like "MUST omit the value" instead 🤔 |
We could do that. |
That won't work with the dictionary IDL as currently defined, as But maybe we could make it optional? I think the only blocker could be compatibility with CTAP2. But it actually looks like CTAP2 would already be compatible with that change. I noticed this in particular in §6.8.6. Updating user information:
But one problem is that in CTAP2,
So maybe clients are expected to expect that not all member will always be present. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we spell out the same requirement for name
too?
@emlun, would you be willing to create a PR making |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If the value can't be empty, what should sites who don't have a value set it to?
Also, we can't make it optional
without leaving a trap for sites which will then break with all clients that haven't been updated with that.
It's not clear that RFC8266 is worth the reference here. It's concerned with contexts where a nickname is presented to other users of the system. But, in WebAuthn, it's only presented to that same person.
To be clear, I never advocated for disallowing empty strings for Something like below:
Completely removing any mention of RFC 8266 and Nickname Profile enforcement is also a good alternative (and is easier on the RP). |
We can't trivially declare Also, I think it's a bad idea to make both
Oh right, this is also a very good point. In fact we had already come to this same conclusion in #2024.
This sounds like a reasonable compromise to me. The background for why the PRECIS enforcement was added is in #593 (comment) and I think most of that probably still applies, so I don't think we should drop it completely. On the other hand there is #2068 (comment):
But I think this probably overrules still:
If it can't be optional or nullable, then I guess empty string is the second best alternative? |
We specifically enforce it can't be an empty string in webauthn-rs because it's potentially confusing vs a null/none type. And given how many providers offer OIDC, it seems far more prudent to say "must be a string excluding empty string". Then you have to also consider how many resident key UI's would mishandle the empty string too in a device listing. So I think there are a fair number of potential ways for this to go sideways. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't like the idea that we define this parameter with "MUST NOT
be the empty string". If we do that, its implied that the client should raise an error if the RP sets this value to the empty string, which would be a breaking change to RPs that might be doing that now. I think it would be better just to define what the client behaviour should be when the empty string is provided (which should be done if we think its an error anyway).
I'm leaning towards tweaking guidance on how to process |
During the call, we decided: Let's state that the RFC only applies for non-empty values. This prevents us from breaking backwards compatibility, removes the contradiction, and keeps the value from specifying how the display name should be chosen. The issue discussed during the call of compatibility issues due to empty display names is orthogonal, and likely an implementation issue. If we tried to fix it by making it optional, we'd risk the much worse compatibility risk of clients that haven't updated breaking. We'll figure out if there are any spec bugs leading to that offline with @MasterKale. (this discussion was long, and I might have missed something worth summarizing, feel free to chime in!) @selfissued said he'd be happy to update this PR to match. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Approved, thank you!
Looks good as per WebAuthn Call and wanted to merge it.
SHA: 49325c8 Reason: push, by akshayku Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Fixes #2068
Cc @zacknewman
Preview | Diff