Re: [webauthn] How should the browser handle CredentialMediationRequirement for public key credentials?

Sorry it took me so long to look. I believe https://w3c.github.io/webappsec-credential-management/#algorithm-request takes complete charge of handling the `mediation` field. This handling uses a distinction between the [`[[CollectFromCredentialStore]]`](https://w3c.github.io/webappsec-credential-management/#dom-credential-collectfromcredentialstore-slot) method (which webauthn doesn't override) and the [`[[DiscoverFromExternalSource]]`](https://w3c.github.io/webappsec-credential-management/#dom-credential-discoverfromexternalsource-slot) method (which we [do override](https://w3c.github.io/webauthn/#getAssertion)).

Because we don't override `[[CollectFromCredentialStore]]`, step 5.1 returns an empty list, so if the user passed `"silent"`, step 5.4 returns `null`, while if they passed `"optional"` or `"required"`, the algorithm proceeds to call `[[DiscoverFromExternalSource]]`, where webauthn does all of its work.

It probably makes sense to clarify this in https://w3c.github.io/webauthn/#getAssertion, saying that `navigator.credentials.get()` lands here, and that by not overriding `[[CollectFromCredentialStore]]` we've disabled unmediated `get()` calls.

-- 
GitHub Notification of comment by jyasskin
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/566#issuecomment-333988852 using your GitHub account

Received on Tuesday, 3 October 2017 21:48:02 UTC
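The dispatch described in the comment above, as an added example that is not part of the original message, the Credential Management spec, or any browser: a simplified synchronous model of how the request algorithm branches on `mediation` depending on whether a credential type overrides `[[CollectFromCredentialStore]]`. The class names (`StoredCredentialType`, `PublicKeyCredentialType`), the `store`, `authenticator` and `ui.choose` options, and the sample data are all constructed for the model.

```javascript
// Added example (not spec text or browser code): a simplified, synchronous model of
// how the Credential Management "request" algorithm dispatches on `mediation`.
// It shows why a credential type that leaves [[CollectFromCredentialStore]] at its
// default can never satisfy a "silent" get(). All names below are constructed.

const MEDIATIONS = new Set(["silent", "optional", "required"]);

// Default internal-method behaviour for every Credential type:
// nothing in the store, nothing discoverable.
class CredentialType {
  static collectFromCredentialStore(origin, options) { return []; }
  static discoverFromExternalSource(origin, options) { return null; }
}

// Constructed password-style type: overrides only the store lookup,
// so a single stored match can be returned without user mediation.
class StoredCredentialType extends CredentialType {
  static collectFromCredentialStore(origin, options) {
    return (options.store || []).filter((c) => c.origin === origin);
  }
}

// Constructed PublicKeyCredential-like type: overrides only discovery,
// which is where webauthn's getAssertion ceremony would run.
class PublicKeyCredentialType extends CredentialType {
  static discoverFromExternalSource(origin, options) {
    // Stand-in for the authenticator interaction (constructed callback);
    // in a browser this path is always user-mediated.
    return typeof options.authenticator === "function"
      ? options.authenticator(origin, options.publicKey)
      : null;
  }
}

// Model of navigator.credentials.get() for one credential type.
// `ui.choose(list)` stands in for the browser's credential chooser.
function requestCredential(type, origin, options = {}, ui = {}) {
  const mediation = options.mediation === undefined ? "optional" : options.mediation;
  if (!MEDIATIONS.has(mediation)) throw new TypeError(`bad mediation: ${mediation}`);

  // Ask the store first (empty for types that do not override it).
  const collected = type.collectFromCredentialStore(origin, options);

  // Exactly one stored match and no "required" mediation: return it silently.
  if (collected.length === 1 && mediation !== "required") return collected[0];

  // Anything else needs the user, which "silent" forbids.
  if (mediation === "silent") return null;

  // User-mediated path: let the user pick a stored credential, otherwise
  // fall through to discovery from an external source (e.g. an authenticator).
  if (collected.length >= 1 && typeof ui.choose === "function") {
    const picked = ui.choose(collected);
    if (picked) return picked;
  }
  return type.discoverFromExternalSource(origin, options);
}

// Constructed scenario: one stored password for the origin, plus an
// authenticator stub that "asserts" for any request it receives.
function demo() {
  const origin = "https://example.test";
  const store = [{ origin, id: "alice", type: "password" }];
  const authenticator = (o, pk) => ({ origin: o, rpId: pk.rpId, type: "public-key" });
  const publicKey = { rpId: "example.test" };
  return {
    // One stored password satisfies a silent request without a prompt.
    passwordSilent: requestCredential(StoredCredentialType, origin, { mediation: "silent", store }),
    // Public key credentials collect nothing from the store, so silent yields null.
    pubkeySilent: requestCredential(PublicKeyCredentialType, origin,
      { mediation: "silent", authenticator, publicKey }),
    // With optional/required mediation the request reaches discovery.
    pubkeyOptional: requestCredential(PublicKeyCredentialType, origin,
      { mediation: "optional", authenticator, publicKey }),
  };
}

const results = demo();
console.log(results);
```

Running `demo()` shows the asymmetry the comment points out: the stored-credential type answers a `"silent"` request from the store, while the public-key type returns `null` for `"silent"` and only produces a credential once mediation is `"optional"` or `"required"` and discovery runs.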