Re: [webauthn] Add a way to use webauthn without Javascript (#1255)

I had a vastly different idea for how this could work:

```html
<form method="POST" action="/exampleapp/webauthn/finish_assertion">
    <input type="hidden" name="exampleapp_request_id" value="3a74f2b4-cff0-4f50-8076-2f5532a0d6f3"/>
    <input type="webauthn.get" name="public_key_credential" value='{
        "publicKey": {
            "challenge": "WwdPrNbUcI1034qZ9LYks32ZPezDLZSieFI9f6NaZZs",
            "allowCredentials": [{ "type": "public-key", "id": "Pzy_hxuR849qZbLAE8Vr4U3KPiIN6W10ssJOR55BMZQ" }]
        }
    }'/>
    <input type="submit"/>
</form>
```

That is, a perfectly normal form with nothing special except the new `<input type="webauthn.get">` suggested in the OP. The `exampleapp_request_id` field is an example application-specific reference to server-side state containing things like the username, a copy of the challenge, and probably where to redirect the user next. Of course the application could add any other fields to the form that they need, as usual.

The `<input type="webauthn.get">` would probably render a button which starts the WebAuthn ceremony, and replace the button with a success/failure indicator after the ceremony finishes. When the form is submitted, this would send a POST as usual with the contents

```http
POST /exampleapp/webauthn/finish_assertion
exampleapp_request_id=3a74f2b4-cff0-4f50-8076-2f5532a0d6f3&public_key_credential={"id":"K3xM080fiCDCkv412SdQ6--982rRf9i6NtDY0Jkv-AJZaCH9-MNs-ijV2y2OXKbxjzD3rXR05rmGF_jGQnXyPQ","response":{"authenticatorData":"xGzvgq0bVGR3WR0Aiwh1nsPm0uy085R0v+ppaZJdA7cBAAAANQ==","clientDataJSON":"eyJjaGFsbGVuZ2UiOiJwakpQTWFvUUFFSEhKb0NtR0lVd3EtclZBc0JzRDY3Q2pCVDhMYXJwcEtjIiwiY2xpZW50RXh0ZW5zaW9ucyI6e30sImhhc2hBbGdvcml0aG0iOiJTSEEtMjU2Iiwib3JpZ2luIjoiaHR0cHM6Ly9kZW1vLnl1Ymljby5jb20iLCJ0eXBlIjoid2ViYXV0aG4uZ2V0In0=","signature":"MEUCIHwdgFLpCi05C1SeqRIBEwM1iJr4HJu8H9YC49vlTd+OAiEAxGDHU0+zNrgk8eSrx9KD8bj6jqRiKdPNz2ANA7EShqI="},"clientExtensionResults":{},"transports":["usb"]}
```

or in the case of failure something like:

```http
POST /exampleapp/webauthn/finish_assertion
exampleapp_request_id=3a74f2b4-cff0-4f50-8076-2f5532a0d6f3&public_key_credential={"error":"NotAllowedError: The request is not allowed by the user agent or the platform in the current context, possibly because the user denied permission."}
```

This way we would reuse the existing JSON/JS data structures, and the only new thing to add would be how `<input type="webauthn.create">` and `<input type="webauthn.get">` work (and how to en/decode the binary values to/from JSON). All other details about data transport, URLs, redirects etc. would be left to the RP to implement however they please with already existing tools.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1255#issuecomment-510848391 using your GitHub account

Received on Friday, 12 July 2019 11:12:50 UTC