RE: Re-opening discussion with WebAuthn on credential creation in an iframe

Hi Stephen,

Thank you for the proposal (https://docs.google.com/document/d/1mMgktymuzspnhfKC9i6_yBfb_VqXcc-DiBBhe0TSv5I/edit)

I will confer with the other chairs on the appropriate mechanism to indicate working group support for this/to submit it on behalf of the working group.
I would also already venture that we make this an agenda point for the 18th, at least to discuss, but potentially also to make a decision on this.

Request for input:
It would be great, however, if we can already get some indications from group members on their views on this proposal, including even questions and further considerations that we may want to add to this proposal.
So to all of us: please weigh in with some initial views on this matter via email.

My thoughts:
The proposal is well-structured and considered. The proposal makes sense to me and I can see the benefit to enable certain use-cases. In fact, at this stage I have no suggestions for changes or edits.

Kind regards,
Gerhard


From: Stephen McGruer <smcgruer@google.com>
Sent: Tuesday, 19 July 2022 15:22
To: Web Payments Working Group <public-payments-wg@w3.org>
Subject: Re-opening discussion with WebAuthn on credential creation in an iframe

Hi folks,

(Sending email as the next WG meeting isn't until August 18th and so we cannot discuss live.)

As you may recall, we have discussed a need in the Web Payments WG for WebAuthn credential creation to be available in a cross-origin iframe (e.g., to allow a https://bank.com iframe embedded inside of https://merchant.com to enroll a user during a payment flow). We've heard that this is useful both for SPC as well as users of 'pure' WebAuthn.

To that end, I've drafted the comment below to re-open the discussion with our WebAuthn colleagues on issue 1656<https://github.com/w3c/webauthn/issues/1656>. I hope for the comment to be made with the backing of the WPWG, so please do take a look and feel free to give feedback.

[Draft] WebAuthn issue to re-allow credential creation in a cross-origin iframe

I leave it to the chairs how we might want to ratify support for this; I'm happy to wait until the August 18th sync, or perhaps we can just do it over email?

Thanks,
Stephen

--
smcgruer * he / him

Received on Friday, 22 July 2022 17:59:43 UTC