Re: [webauthn] Add a way to use webauthn without Javascript (#1255)

@emlun Nice. Our ideas have a lot of similarities. They both embed JSON in an HTML attribute, include a challenge, and send a POST to the RP. They both add one or two new types of HTML element. (Mine adds two new HTML attributes; yours adds an input type="webauthn.get" and "webauthn.create".) Both of our ideas add something to the anchor or form to explicitly identify it as performing user authentication, so the browser does not have to guess which login forms or anchors are used for user authentication. My idea adds a special attribute to the anchor element. With your idea, the browser can test for the existence of either special input element (type="webauthn.get"). Both of our ideas require a new ability from browsers: to intercept the click or submit, perform the WebAuthn ceremony, then put the results of the ceremony into a POST.

My idea can be changed to behave like yours. My original idea was to send a JSON Web Signature, but that can be changed to send the existing JSON/JS data structure. Similarly, my idea can be modified to include a reference to a server-side state, and the "publicKey" and "allowCredentials" properties. If possible, the entire JSON configuration document hosted at the RP (that I suggest) may be omitted. (Although there may be extra reasons to keep it. See below.) The end result is that the two ideas can send the exact same POST to the RP, as in your example.

The real differences between our ideas seem to be:
(1) I use an anchor. (Although a form can be used too, if necessary.) I am intentionally trying to remove login forms, and make them unnecessary. The browser detects the special attribute and renders the anchor specially. On click, it starts the WebAuthn ceremony, and will send a POST to the endpoint_uri.

(2) My idea has an explicit response to the login request from the RP. This informs the browser of the success/fail and state of the login. I want the browser to be able to keep track of which RPs are logged in, so it can provide a "logoutAll" option. It does this by having the RP send a JSON response to the browser, with success or error information. If it can be worked out that the RP can include redirect information in the response, so much the better. The browser can read the "redirect_uri" property etc. from the response, and redirect to the desired page. Or, if the redirect_uri is missing, the browser will refresh the existing page by default.

(3) My idea includes an explicit fallback mechanism, in case the browser does not support the new API (if the browser does not understand the input type="webauthn.get" HTML element).

(4) It may be beneficial to allow the JSON configuration document hosted by the RP as an option (accessible via HTTPS or FTPS, etc.). My idea is that it may be possible to use this document to perform user authentication for other applications beyond browsers and HTML. Imagine using the same Authenticator to log in to other applications, online games (i.e. Steam, World of Warcraft), FTP, etc. As long as those other applications can parse JSON, make a call to the Authenticator, and create the desired transport data (i.e. the existing JSON/JS data structure or a JSON Web Signature). I imagine that eventually the Operating System will provide an API to connect to the Authenticator.

-- 
GitHub Notification of comment by Garnac
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1255#issuecomment-510993295 using your GitHub account

Received on Friday, 12 July 2019 18:47:14 UTC
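The flow the comment describes (read JSON from an attribute on the anchor, run the WebAuthn get() ceremony on click, POST the result to endpoint_uri, then act on the RP's JSON reply or refresh the page, with the anchor's ordinary href as the fallback when the API is unavailable) can be modelled as a progressive-enhancement script. The block below is an added example written for this page; it is not code from the issue thread, from either proposal, or from the WebAuthn project. The attribute name `data-webauthn-login`, the reply shape `{success, error, redirect_uri}`, the helper names and all sample values are assumptions; `endpoint_uri`, `redirect_uri`, `publicKey` and `allowCredentials` are the property names the thread uses. It also adds two checks a browser implementing this would want: the ceremony result is only posted to the page's own origin over HTTPS, and a cross-origin `redirect_uri` in the reply is ignored so the login endpoint cannot act as an open redirector.

```javascript
// Added example (not from the webauthn issue thread). Attribute name, reply shape and
// sample values are assumptions; only endpoint_uri/redirect_uri/publicKey/allowCredentials
// come from the thread.
const B64URL = /^[A-Za-z0-9_-]+$/;

function base64urlToBytes(s) {
  if (!B64URL.test(s)) throw new Error('not base64url');
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  const bin = typeof atob === 'function' ? atob(b64) : Buffer.from(b64, 'base64').toString('binary');
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

function bytesToBase64url(bytes) {
  const bin = String.fromCharCode(...new Uint8Array(bytes));
  const b64 = typeof btoa === 'function' ? btoa(bin) : Buffer.from(bin, 'binary').toString('base64');
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Parse the attribute JSON into navigator.credentials.get() options. The result of the
// ceremony is only ever posted to the page's own origin over HTTPS.
function parseLoginConfig(attrValue, pageOrigin) {
  const cfg = JSON.parse(attrValue);
  if (typeof cfg.endpoint_uri !== 'string') throw new Error('endpoint_uri missing');
  const endpoint = new URL(cfg.endpoint_uri, pageOrigin);
  if (endpoint.protocol !== 'https:' || endpoint.origin !== pageOrigin) {
    throw new Error('endpoint_uri must be same-origin https');
  }
  const pk = cfg.publicKey || {};
  if (typeof pk.challenge !== 'string') throw new Error('publicKey.challenge missing');
  const challenge = base64urlToBytes(pk.challenge);
  // The WebAuthn spec recommends challenges of at least 16 random bytes.
  if (challenge.length < 16) throw new Error('challenge shorter than 16 bytes');
  const allowCredentials = (pk.allowCredentials || []).map((c) => ({
    type: 'public-key', id: base64urlToBytes(c.id), transports: c.transports,
  }));
  return {
    endpointUrl: endpoint.href,
    publicKey: { challenge, allowCredentials, rpId: pk.rpId,
                 userVerification: pk.userVerification || 'preferred', timeout: pk.timeout },
  };
}

// Turn a PublicKeyCredential (ArrayBuffer fields) into the JSON body the POST carries.
function encodeAssertionForPost(cred) {
  const r = cred.response;
  return {
    id: cred.id,
    rawId: bytesToBase64url(cred.rawId),
    type: 'public-key',
    response: {
      clientDataJSON: bytesToBase64url(r.clientDataJSON),
      authenticatorData: bytesToBase64url(r.authenticatorData),
      signature: bytesToBase64url(r.signature),
      userHandle: r.userHandle ? bytesToBase64url(r.userHandle) : null,
    },
  };
}

// Interpret the RP's JSON reply: no redirect_uri means "refresh the current page";
// a cross-origin redirect_uri is ignored rather than followed.
function resolveAfterLogin(reply, currentUrl) {
  if (reply.success !== true) return { ok: false, error: String(reply.error || 'login failed') };
  const current = new URL(currentUrl);
  let target = current.href;
  if (typeof reply.redirect_uri === 'string') {
    const r = new URL(reply.redirect_uri, current);
    if (r.origin === current.origin) target = r.href;
  }
  return { ok: true, navigateTo: target };
}

// Browser wiring. Without the credentials API the anchors are left alone, so their
// ordinary href is the fallback login page. Returns the number of anchors wired.
function wireLoginAnchors(doc) {
  if (typeof navigator === 'undefined' || !navigator.credentials) return 0;
  const anchors = doc.querySelectorAll('a[data-webauthn-login]');
  for (const a of anchors) {
    a.addEventListener('click', async (ev) => {
      ev.preventDefault();
      try {
        const cfg = parseLoginConfig(a.getAttribute('data-webauthn-login'), location.origin);
        const cred = await navigator.credentials.get({ publicKey: cfg.publicKey });
        const res = await fetch(cfg.endpointUrl, {
          method: 'POST', credentials: 'same-origin',
          headers: { 'Content-Type': 'application/json' },
          body: JSON.stringify(encodeAssertionForPost(cred)),
        });
        const out = resolveAfterLogin(await res.json(), location.href);
        if (out.ok) location.assign(out.navigateTo); else console.error(out.error);
      } catch (e) {
        location.assign(a.href); // any failure falls back to the conventional login page
      }
    });
  }
  return anchors.length;
}
```

The pure functions (`parseLoginConfig`, `encodeAssertionForPost`, `resolveAfterLogin`) carry the logic and can be exercised outside a browser; `wireLoginAnchors` is the only part that touches the DOM and WebAuthn API, which is where a native implementation of the proposed attribute would replace the script.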