Re: [webauthn] Add a way to use webauthn without Javascript (#1255)

I had a vastly different idea for how this could work:

<form method="POST" action="/exampleapp/webauthn/finish_assertion">
    <input type="hidden" name="exampleapp_request_id" value="3a74f2b4-cff0-4f50-8076-2f5532a0d6f3"/>
    <input type="webauthn.get" name="public_key_credential" value='{
        "publicKey": {
            "challenge": "WwdPrNbUcI1034qZ9LYks32ZPezDLZSieFI9f6NaZZs",
            "allowCredentials": [{ "type": "public-key", "id": "Pzy_hxuR849qZbLAE8Vr4U3KPiIN6W10ssJOR55BMZQ" }]
        }
    }'/>
    <input type="submit"/>
</form>

That is, a perfectly normal form with nothing special except the new `<input type="webauthn.get">` suggested in OP. The `exampleapp_request_id` field is an example application-specific reference to server-side state containing things like the username, a copy of the challenge, and probably where to redirect the user next. Of course the application could add any other fields to the form that they need, as usual.

The `<input type="webauthn.get">` would probably render a button which starts the WebAuthn ceremony, and replace the button with a success/failure indicator after the ceremony finishes. When the form is submitted, this would send a POST as usual with the contents

POST /exampleapp/webauthn/finish_assertion

or in the case of failure something like:

POST /exampleapp/webauthn/finish_assertion
exampleapp_request_id=3a74f2b4-cff0-4f50-8076-2f5532a0d6f3&public_key_credential={"error":"NotAllowedError: The request is not allowed by the user agent or the platform in the current context, possibly because the user denied permission."}

This way we would reuse the existing JSON/JS data structures, and the only new thing to add would be how `<input type="webauthn.create">` and `<input type="webauthn.get">` work (and how to en/decode the binary values to/from JSON). All other details about data transport, URLs, redirects etc. would be left to the RP to implement however they please with already existing tools.
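An added example (not part of the comment above, nor of the webauthn spec) of what the RP's `finish_assertion` endpoint would do with such a form POST: look up the one-shot server-side state by `exampleapp_request_id`, distinguish the `{"error": ...}` body from a real credential, and check the echoed challenge, origin and credential id before signature verification. It assumes binary fields are base64url-encoded, that the credential JSON mirrors PublicKeyCredential's fields, and an RP origin of https://example.org; all state values are constructed.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def fresh_state():
    # Constructed server-side state, keyed by the request id carried in the form.
    return {"3a74f2b4-cff0-4f50-8076-2f5532a0d6f3": {
        "username": "alice",
        "challenge": "WwdPrNbUcI1034qZ9LYks32ZPezDLZSieFI9f6NaZZs",
        "origin": "https://example.org",  # assumed RP origin
        "allowed_ids": ["Pzy_hxuR849qZbLAE8Vr4U3KPiIN6W10ssJOR55BMZQ"],
    }}

def finish_assertion(body, pending):
    """Handle the urlencoded form POST; returns (status, detail)."""
    fields = parse_qs(body, keep_blank_values=True)
    req_id = fields.get("exampleapp_request_id", [None])[0]
    raw = fields.get("public_key_credential", [None])[0]
    if req_id is None or raw is None:
        return "bad_request", "missing form field"
    state = pending.pop(req_id, None)  # one-shot: the request id is consumed
    if state is None:
        return "bad_request", "unknown or already used request id"
    cred = json.loads(raw)
    if "error" in cred:  # the browser reported a failed ceremony
        return "ceremony_failed", cred["error"]
    if cred.get("id") not in state["allowed_ids"]:
        return "rejected", "credential not in allowCredentials"
    client_data = json.loads(b64url_decode(cred["response"]["clientDataJSON"]))
    if client_data.get("type") != "webauthn.get":
        return "rejected", "wrong ceremony type"
    if client_data.get("challenge") != state["challenge"]:
        return "rejected", "challenge mismatch"
    if client_data.get("origin") != state["origin"]:
        return "rejected", "origin mismatch"
    # Remaining step (not shown): verify cred["response"]["signature"] over
    # authenticatorData || SHA-256(clientDataJSON) with the stored public key.
    return "verified", state["username"]

def sample_body(challenge, error=None):
    # Builds a constructed POST body of the two shapes shown in the comment.
    if error:
        cred = {"error": error}
    else:
        cd = {"type": "webauthn.get", "challenge": challenge, "origin": "https://example.org"}
        cred = {"id": "Pzy_hxuR849qZbLAE8Vr4U3KPiIN6W10ssJOR55BMZQ", "type": "public-key",
                "response": {"clientDataJSON": b64url_encode(json.dumps(cd).encode()),
                             "authenticatorData": "", "signature": ""}}
    return urlencode({"exampleapp_request_id": "3a74f2b4-cff0-4f50-8076-2f5532a0d6f3",
                      "public_key_credential": json.dumps(cred)})
```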

GitHub Notification of comment by emlun

Received on Friday, 12 July 2019 11:12:50 UTC