
Re: [webauthn] Add a way to use webauthn without Javascript (#1255)

From: Ignas Kiela via GitHub <sysbot+gh@w3.org>
Date: Fri, 12 Jul 2019 22:05:48 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-511048222-1562969146-sysbot+gh@w3.org>
@Garnac I have a few problems with your idea: 
> (1) I use an anchor. (Although a form can be used too. If necessary.) I am intentionally trying to remove login forms, and make them unnecessary. 

It should be a form IMO. You are sending info from browser to the server, the usual way to do this without Javascript is <form>

> (2) My idea has an explicit response to the login request from the RP. This informs the browser of the success/fail and state of the login. I want the browser to be able to keep track of which RP are logged in, so it can provide a "logoutAll" option. 

This doesn't make sense with webauthn.
 
> (2b) The response from the RP is caught by the browser, parsed, and the browser updates the Authenticator. With either data from the response, or data stored from the request. (The browser calls navigator.credentials.store)

Again, this doesn't make sense with webauthn, `navigator.credentials.store` [is invalid with webauthn](https://www.w3.org/TR/webauthn/#storeCredential)

> (3) My idea includes an explicit fallback mechanism. In case the browser does not support the new API. (If the browser does not understand the input type="webauthn.get" HTML element.)

Adding a `hidden` to the <input> will make it unnoticeable for browsers that don't support it, and then the Javascript webauthn API can likely be used as a fallback mechanism. In my mind this is more of an alternative for users who would block Javascript for various reasons, but still want to be able to use webauthn.

> (4) My idea has a discrete "action" property. This allows both "login" and an explicit "logout" request. 

There is no logout with webauthn

> The browser needs to update the Authenticator with the result, and needs to maintain the login status of the RP.
 
The authenticators in webauthn don't know if their authentication succeeded on the RP side. The RP passes this information to the user, who then can choose what to do.

> (6) It may be beneficial to allow the JSON configuration document hosted by the RP as an option. (accessible via HTTPS or FTPS, etc.) My idea is that it may be possible to use this document to perform user authentication for other applications beyond browsers and HTML. Imagine using the same Authenticator to login to other applications, online games (i.e. Steam, World of Warcraft), FTP, etc. As long as those other applications can parse JSON, make a call to the Authenticator, and create the desired transport data. (i.e. the existing JSON/JS data structure or a JSON Web Signature.) I imagine that eventually the Operating System will provide an API to connect to the Authenticator.

The example applications you've given would use the same configuration every time, which could be stored in the application; that wouldn't need developers to implement every possible config option, just those that they need, and wouldn't need an additional HTTP request.


-- 
GitHub Notification of comment by ignaloidas
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1255#issuecomment-511048222 using your GitHub account
Received on Friday, 12 July 2019 22:05:49 UTC
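As an added example (not code from this thread or from the WebAuthn spec), the progressive-enhancement idea discussed above: a declarative input that unsupporting browsers ignore, with a JavaScript fallback to `navigator.credentials.get()` that posts the assertion through the same form. The `webauthn.get` input type is the proposal's hypothetical name, and `fromBase64url`, `assertionToFormFields` and the form field names are assumptions.

```javascript
// Hypothetical declarative WebAuthn input with a JS fallback (added example).
// Server-side values (challenge, rpId) are assumed to be delivered as base64url
// text in the page; field names below are assumptions, not a standard.

function base64url(buf) {
  // ArrayBuffer -> base64url (no padding), the usual form-safe encoding.
  const bytes = new Uint8Array(buf);
  let bin = "";
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function fromBase64url(s) {
  // base64url -> Uint8Array, for the server-issued challenge.
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const bin = atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

function supportsDeclarativeWebAuthn(input) {
  // Browsers map unknown input types to "text"; a supporting browser
  // would report the proposed type back unchanged.
  return input.type === "webauthn.get";
}

function assertionToFormFields(cred) {
  // Flatten a PublicKeyCredential (get()) into plain strings for a form POST.
  const r = cred.response;
  return {
    id: cred.id,
    rawId: base64url(cred.rawId),
    clientDataJSON: base64url(r.clientDataJSON),
    authenticatorData: base64url(r.authenticatorData),
    signature: base64url(r.signature),
    userHandle: r.userHandle ? base64url(r.userHandle) : "",
  };
}

async function enhanceLoginForm(form, challengeB64url, rpId) {
  const input = form.querySelector('input[name="assertion"]');
  if (supportsDeclarativeWebAuthn(input)) return; // browser handles it natively
  const cred = await navigator.credentials.get({
    publicKey: { challenge: fromBase64url(challengeB64url), rpId, userVerification: "preferred" },
  });
  for (const [name, value] of Object.entries(assertionToFormFields(cred))) {
    const f = document.createElement("input");
    f.type = "hidden"; f.name = name; f.value = value;
    form.appendChild(f);
  }
  form.submit(); // same POST the declarative path would have produced
}
```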
