W3C home > Mailing lists > Public > public-webauthn@w3.org > December 2019

Re: [webauthn] Add a way to use webauthn without Javascript (#1255)

From: Taylor Hunt via GitHub <sysbot+gh@w3.org>
Date: Sun, 01 Dec 2019 22:43:32 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-560169100-1575240210-sysbot+gh@w3.org>
I doubt browsers want to revive the `<keygen>` element, but it addressed a lot of design decisions brought up in this thread. A strawman using only already-standardized HTML could look like:

```html
<form method="post" action="/exampleapp/webauthn/finish_assertion">
  <input name="user" autocomplete="username">

  <keygen name="webauthn"
    required
    keytype="webauthn-public"
    keyparams="alg -7"
    challenge="WwdPrNbUcI1034qZ9LYks32ZPezDLZSieFI9f6NaZZs">
    <!-- fallback for non-implementing browsers goes here -->
  </keygen>

  <input type="hidden" autocomplete="webauthn-userid">
  <input type="hidden" name="exampleapp_request_id" value="3a74f2b4-cff0-4f50-8076-2f5532a0d6f3">
</form>
```

The `required` attribute is reused for the WebAuthN API’s `userVerification: 'required'`. `hidden` could be used for `userVerification: 'discouraged'`, and `'preferred'` would be the default.

Multiple credentials as mentioned by @Garnac could be implemented with multiple elements.

Of course, this strawman lacks a lot of the discussed functionality, but I think it’s worth learning from the Web of yesteryear for how one might implement webauthn without JavaScript.

-- 
GitHub Notification of comment by tigt
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1255#issuecomment-560169100 using your GitHub account
Received on Sunday, 1 December 2019 22:43:33 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:59:09 UTC