W3C home > Mailing lists > Public > public-webauthn@w3.org > April 2018

[webauthn] What is the point of `allowCredentials`?

From: Suby Raman via GitHub <sysbot+gh@w3.org>
Date: Thu, 12 Apr 2018 17:01:16 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-313811663-1523552474-sysbot+gh@w3.org>
subyraman has just created a new issue for https://github.com/w3c/webauthn:

== What is the point of `allowCredentials`? ==
My understanding, reading the spec, was that `allowCredentials` provides a means for the RP to filter registered authenticators, eg request the browser to "wink" a single selected authenticator (like a Yubikey). As an RP, this would be useful (essential?) for providing a good UX, so that the user is not confused by several authentication notifications, only one of which is valid.

There seems to be differences of opinion on this as noted on this discussion in the [Chromium bug board; ](https://bugs.chromium.org/p/chromium/issues/detail?id=828567); there is a stance that that `allowedCredentials` is a list used to fail authentications only after a ceremony takes place.

If that is the case, I don't understand why it is useful at all; the RP themselves can reject the authentication on our end given that we receive the `credentialId `.

Can we get some clarification on this, and perhaps emphasize it in the spec if it isn't there?

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/867 using your GitHub account
Received on Thursday, 12 April 2018 17:01:23 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:32 UTC