
Re: [webauthn] Add a way to use webauthn without Javascript (#1255)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Fri, 12 Jul 2019 11:12:49 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-510848391-1562929967-sysbot+gh@w3.org>
I had a vastly different idea for how this could work:

```html
<form method="POST" action="/exampleapp/webauthn/finish_assertion">
    <input type="hidden" name="exampleapp_request_id" value="3a74f2b4-cff0-4f50-8076-2f5532a0d6f3"/>
    <!-- the proposed new input type; its value carries the request options as JSON -->
    <input type="webauthn.get" name="public_key_credential" value='{
        "publicKey": {
            "challenge": "WwdPrNbUcI1034qZ9LYks32ZPezDLZSieFI9f6NaZZs",
            "allowCredentials": [{ "type": "public-key", "id": "Pzy_hxuR849qZbLAE8Vr4U3KPiIN6W10ssJOR55BMZQ" }]
        }
    }'/>
    <input type="submit"/>
</form>
```

That is, a perfectly normal form with nothing special except the new `<input type="webauthn.get">` suggested in OP. The `exampleapp_request_id` field is an example application-specific reference to server-side state containing things like the username, a copy of the challenge, and probably where to redirect the user next. Of course the application could add any other fields to the form that they need, as usual.

The `<input type="webauthn.get">` would probably render a button which starts the WebAuthn ceremony, and replace the button with a success/failure indicator after the ceremony finishes. When the form is submitted, this would send a POST as usual with the contents

```http
POST /exampleapp/webauthn/finish_assertion
```

or in the case of failure something like:

```http
POST /exampleapp/webauthn/finish_assertion

exampleapp_request_id=3a74f2b4-cff0-4f50-8076-2f5532a0d6f3&public_key_credential={"error":"NotAllowedError: The request is not allowed by the user agent or the platform in the current context, possibly because the user denied permission."}
```

This way we would reuse the existing JSON/JS data structures, and the only new thing to add would be how `<input type="webauthn.create">` and `<input type="webauthn.get">` work (and how to en/decode the binary values to/from JSON). All other details about data transport, URLs, redirects etc. would be left to the RP to implement however they please with already existing tools.

GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1255#issuecomment-510848391 using your GitHub account
Received on Friday, 12 July 2019 11:12:50 UTC
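A server-side handler for the form submission proposed above, as an added example that is not part of emlun's comment or of the WebAuthn spec: it assumes the success case submits the usual PublicKeyCredential JSON (id, rawId, type, response.clientDataJSON) with unpadded base64url for binary fields, and it constructs the pending-request store, the username, redirect and origin, and a sample credential inline. It binds the response to the stored request id and challenge, handles the `{"error": ...}` case, and stops before the signature and authenticatorData checks.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode

# Values taken from the form in the comment; everything else below is constructed.
CHALLENGE = "WwdPrNbUcI1034qZ9LYks32ZPezDLZSieFI9f6NaZZs"
CRED_ID = "Pzy_hxuR849qZbLAE8Vr4U3KPiIN6W10ssJOR55BMZQ"
REQUEST_ID = "3a74f2b4-cff0-4f50-8076-2f5532a0d6f3"

def new_store() -> dict:
    # Constructed server-side state keyed by exampleapp_request_id: username,
    # a copy of the challenge, the next redirect and the allowed credential ids.
    return {REQUEST_ID: {"username": "alice", "challenge": CHALLENGE,
                         "redirect": "/exampleapp/home", "allow_ids": {CRED_ID}}}

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    # Binary fields travel as unpadded base64url inside the JSON; restore padding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_body(request_id: str, cred: dict) -> str:
    # Form-encode the two fields exactly as the proposed <form> would submit them.
    return urlencode({"exampleapp_request_id": request_id, "public_key_credential": json.dumps(cred)})

def sample_success_credential() -> dict:
    # Constructed PublicKeyCredential JSON; authenticatorData and signature are dummy bytes.
    client_data = {"type": "webauthn.get", "challenge": CHALLENGE, "origin": "https://example.org"}
    return {"id": CRED_ID, "rawId": CRED_ID, "type": "public-key", "response": {
        "clientDataJSON": b64url_encode(json.dumps(client_data).encode()),
        "authenticatorData": b64url_encode(bytes(37)), "signature": b64url_encode(b"dummy")}}

def finish_assertion(body: str, store: dict) -> dict:
    """Bind the submitted form body to its pending request. A real RP continues
    with origin, RP ID hash, flags, counter and signature checks after this."""
    fields = parse_qs(body, strict_parsing=True)
    request_id = fields.get("exampleapp_request_id", [""])[0]
    pending = store.pop(request_id, None)  # one-shot: consumed on success and failure alike
    if pending is None:
        return {"ok": False, "reason": "unknown or replayed request id"}
    cred = json.loads(fields.get("public_key_credential", ["{}"])[0])
    if "error" in cred:
        # Failure case: the input submits {"error": "..."} in place of a credential.
        return {"ok": False, "reason": cred["error"].split(":")[0]}
    if cred.get("type") != "public-key" or cred.get("rawId") not in pending["allow_ids"]:
        return {"ok": False, "reason": "credential not in allowCredentials"}
    client_data = json.loads(b64url_decode(cred["response"]["clientDataJSON"]))
    if client_data.get("type") != "webauthn.get" or client_data.get("challenge") != pending["challenge"]:
        return {"ok": False, "reason": "clientDataJSON does not match pending request"}
    return {"ok": True, "username": pending["username"], "redirect": pending["redirect"]}
```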
