Re: [webauthn] How should the browser handle CredentialMediationRequirement for public key credentials?

From: Jeffrey Yasskin via GitHub <sysbot+gh@w3.org>
Date: Tue, 03 Oct 2017 21:48:11 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-333988852-1507067278-sysbot+gh@w3.org>

Sorry it took me so long to look. I believe https://w3c.github.io/webappsec-credential-management/#algorithm-request takes complete charge of handling the `mediation` field. This handling uses a distinction between the [`[[CollectFromCredentialStore]]`](https://w3c.github.io/webappsec-credential-management/#dom-credential-collectfromcredentialstore-slot) method (which webauthn doesn't override) and the [`[[DiscoverFromExternalSource]]`](https://w3c.github.io/webappsec-credential-management/#dom-credential-discoverfromexternalsource-slot) method (which we [do override](https://w3c.github.io/webauthn/#getAssertion)).

Because we don't override `[[CollectFromCredentialStore]]`, step 5.1 returns an empty list, so if the user passed `"silent"`, step 5.4 returns `null`, while if they passed `"optional"` or `"required"`, the algorithm proceeds to call `[[DiscoverFromExternalSource]]`, where webauthn does all of its work.

It probably makes sense to clarify this in https://w3c.github.io/webauthn/#getAssertion, saying that navigator.credentials.get() lands here, and that by not-overriding `[[CollectFromCredentialStore]]` we've disabled unmediated get() calls.

-- 
GitHub Notification of comment by jyasskin
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/566#issuecomment-333988852 using your GitHub account
Received on Tuesday, 3 October 2017 21:48:02 UTC
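
The dispatch described in the message above, as an added example that is not part of the original message and is not the specification's or any browser's code. It is a simplified model: every class and function name is hypothetical, the per-origin user-mediation flag and the credential chooser are omitted, and the `StoredLikeType` contrast case goes beyond the message to show what an overridden store would allow.

```javascript
// Simplified model of how the `mediation` field gates the two internal methods.
// All names are hypothetical; sample values are constructed.

// Base type: the default store lookup returns an empty list and the default
// external discovery finds nothing.
class CredentialType {
  collectFromCredentialStore(_options) { return []; }
  discoverFromExternalSource(_options) { return null; }
}

// WebAuthn-like type: overrides only external discovery, so the store lookup
// stays at the empty default, as the message describes.
class PublicKeyLikeType extends CredentialType {
  discoverFromExternalSource(options) {
    // Stand-in for the authenticator interaction, which always involves the user.
    return { type: "public-key", id: "constructed-id", challenge: options.publicKey.challenge };
  }
}

// Contrast case: a type whose store can answer without any user interaction.
class StoredLikeType extends CredentialType {
  constructor(stored) { super(); this.stored = stored; }
  collectFromCredentialStore(_options) { return this.stored; }
}

function requestCredential(type, options) {
  const mediation = options.mediation ?? "optional";
  if (!["silent", "optional", "required"].includes(mediation)) {
    throw new TypeError(`unknown mediation requirement: ${mediation}`);
  }
  const collected = type.collectFromCredentialStore(options);
  // Unmediated path: needs exactly one stored credential and mediation != "required".
  if (mediation !== "required" && collected.length === 1) return collected[0];
  // "silent" forbids user interaction, so the request ends here with null.
  if (mediation === "silent") return null;
  // "optional" / "required": hand over to the type's discovery method.
  return type.discoverFromExternalSource(options);
}

// Helper building constructed request options for a given mediation value.
function sampleOptions(mediation) {
  return { mediation, publicKey: { challenge: "constructed-challenge" } };
}
```

For the WebAuthn-like type, `"silent"` always yields `null` because the store lookup can never return a credential, which is the sense in which unmediated `get()` calls are disabled.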
