Re: [webauthn] Add a way to use webauthn without Javascript (#1255)

I've spent some time thinking about creating a declarative HTML API that eliminates JavaScript. In this case, *a lot* of configuration properties need to be defined by the RP, somewhere (i.e. the PublicKeyCredentialCreationOptions, etc.). I think this should be done with a combination of both a config document hosted at the RP (written in JSON, retrieved by HTTPS) and properties defined locally in the HTML element. The local property values override the values in the config document. The config document and/or the (rel="capis-api") attribute can also serve as the "declaration" that the RP supports the API. I use a single HTML attribute to hold a JSON-style set of properties. @equalsJeffH is right: the browser must support one or more transport formats for the browser to send the credentials to the RP. I suggest using a JSON Web Signature (JWS) as the default. (The object needs to contain the "action", "challenge", "user_id", etc.) Just as important is that the RP must issue a response, which is not a web page. It must be in a standard format, because the browser must parse it to see if the action succeeded. Note that the API directly tells the browser the login status at the RP. (The browser may keep a list of all logged-in RPs, and provide a "logoutAll" button.)

<a href="/old_style_login_form.html" rel="capis-api" capis-cfg=' "action":"ua/login", "redirect_uri":"/after_login.html", "endpoint_uri":"/validate_JWS.json", "capis_doc_uri":"/capis_config.json", "challenge":"H3uz78_k...", "transport_format":"JWS" '>Login</a>

The href is to catch OLD browsers that do not support the API. The new API does not use the href. (It uses the "endpoint_uri".) "action" holds the requested operation. (Supports "login", "logout", "prove-user-presence", etc.) "capis_doc_uri" is the URL of the config document. "challenge" is a base64url-encoded binary value. "endpoint_uri" is the URL the browser needs to send the credentials (JWS) to. "redirect_uri" is the page the browser should redirect to after user authentication success. Note that "endpoint_uri" and "transport_format" are not necessary in the HTML; they can be defined in the config document.

-- 
GitHub Notification of comment by Garnac
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1255#issuecomment-510811400 using your GitHub account

Received on Friday, 12 July 2019 09:03:51 UTC