CHAPI upgraded to support native apps, iOS, Brave from Manu Sporny on 2022-06-22 (public-credentials@w3.org from June 2022)

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Wed, 22 Jun 2022 12:45:50 -0400
To: W3C Credentials CG <public-credentials@w3.org>
Message-ID: <3e3fdf9c-1ea6-ed18-c9dc-31bee4d3eea4@digitalbazaar.com>
TL;DR: The Credential Handler API (CHAPI) is a technology that helps ensure
people can choose their own digital wallet in an open ecosystem. As of this
week, CHAPI has been upgraded to support both web apps and native apps.
Additionally, the CHAPI polyfill now has a long-term solution in place for
continued improvements to iOS, Brave, Firefox, and other browsers or platforms
that block 3rd party storage (e.g., cookies). With this latest release, we
know of no modern browser nor app that is not capable of supporting CHAPI.

Here is what has changed with the latest general availability release:

Native App Support
==================

You can now invoke a native digital wallet (app on mobile phone, app on
laptop/desktop) via the CHAPI interface by clicking the "Select Native App
Instead" button. Any app that is registered to handle text files via a Web
Share[1] event will work. You can test the feature out by sharing to a notepad
or Google Drive. There are native wallets that we know of that are integrating
with this feature.

CHAPI also continues to support Web-based digital wallets as well.

1st Party Support
=================

The CHAPI polyfill has historically depended on 3rd party cookies to provide
some of its functionality. This has become increasingly difficult to use as
some of the browser vendors clamp down on 3rd party cookie usage (because they
can also be used to track people without their informed consent). While
browsers like Google Chrome and Microsoft Edge allow 3rd party cookies by
default, others like Safari, Firefox, and Brave do not. This led to
substandard experiences for CHAPI in Safari, Firefox, and Brave.

The CHAPI polyfill has been upgraded such that it can now detect whether the
browser supports 3rd party cookies, and if not, will switch into a mode that
is compatible with iOS, Firefox, Brave, and other browsers that take a more
aggressive privacy stance than Google Chrome and Microsoft Edge. The polyfill
now uses first party storage and the same features used by OAuth2 and OpenID
Connect flows for browsers that do not easily support third party storage.
This mitigates issues related to browser vendors deciding to block or remove
3rd party storage.

Simplified Registration
=======================

Registering a Credential Handler (i.e., registering your website as a Digital
Wallet provider for a particular user) is now simpler. Those previously
familiar with the Credential Hints API should be pleased to know that it has
been deprecated in favour of a simple permission request combined with the
publication of a manifest.json file.

In the past, in order to register your website as a Credential Handler,
permission had to be requested from the individual (which would display a
prompt), followed by creating a Credential Handler registration, followed by
adding at least one Credential Hint via the API. This has been simplified to:

1. Ensuring your website serves a CORS-available manifest.json file that
includes a "credential_handler" section. This section is not new; however, it
was only used previously for Just-In-Time registration via Relying Party
recommended Digital Wallets. It is now a requirement for new Credential
Handler registrations.

2. Requesting permission as before. When calling
`CredentialManager.requestPermission()`, do so immediately following user
activation (e.g., a button click or tap) to ensure the prompt can be shown to
the user.

How to Upgrade
==============

CHAPI has a commitment to continued backwards-compatibility. Sites using the
older version of the CHAPI polyfill should continue to work, while
automatically receiving the updates for the new features. However, please
ensure that your website is using the latest patched version of the
credential-handler-polyfill[2] library either via local install or CDN.

Learn More About CHAPI
======================

To learn how to integrate CHAPI with your Digital Wallet, Issuer, or Verifier,
you can find out more at:

https://github.com/credential-handler/credential-handler-polyfill

Happy to answer any questions that folks have about this release and where
CHAPI is headed over the next year or so.

-- manu

[1] https://www.w3.org/TR/web-share/
[2] https://github.com/credential-handler/credential-handler-polyfill

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)
https://www.digitalbazaar.com/
Received on Wednesday, 22 June 2022 16:46:09 UTC