- From: Jeff Hodges <jdhodges@google.com>
- Date: Fri, 19 Jul 2019 08:57:47 -0700
- To: John Bradley <jbradley@yubico.com>
- Cc: Marius Scurtescu <marius.scurtescu@coinbase.com>, Adam Langley <agl@google.com>, W3C Web Authn WG <public-webauthn@w3.org>
- Message-ID: <CAOt3QXuAK=doDRPj-urHp9Dyc3-JvAFn2h_+PCJapNRYrKznGw@mail.gmail.com>
Let's discuss this next week at IETF.

On Thu, Jul 18, 2019 at 6:43 PM John Bradley <jbradley@yubico.com> wrote:

> There was an effort to simplify the spec. FacetID was a victim of that. Dirk can fill in the details.
>
> The payments people are wanting the iframe solution, for 3dsecure and open banking.
>
> I think we do need a way to delegate domain A to act as a proxy for domain B.
>
> I would prefer to do it in a more granular way than was done in FacetID.
>
> Some of us kicked some ideas around at the last FIDO plenary. I think it could be done in WebAuthn with existing CTAP2 authenticators.
>
> John B.
>
> On Thu, Jul 18, 2019, 7:50 PM Marius Scurtescu <marius.scurtescu@coinbase.com> wrote:
>
>> Thanks again Adam.
>>
>> Is this the iframe spec you are referring to:
>> https://www.w3.org/TR/webauthn-2/#sctn-iframe-guidance
>>
>> The situation looks pretty bleak from where I stand. I am surprised that this is not coming up as an issue. Was there a concrete reason to stop supporting FacetID? Lack of interest?
>>
>> On Thu, Jul 18, 2019 at 3:59 PM Adam Langley <agl@google.com> wrote:
>>
>>> On Thu, Jul 18, 2019 at 3:08 PM Marius Scurtescu <marius.scurtescu@coinbase.com> wrote:
>>>
>>>> How is a multi-domain deployment supposed to work with WebAuthn? And by multi-domain I mean domains that don't match: example1.com and example2.com.
>>>>
>>>> One solution that was suggested is to always redirect to the IdP, so there is no need for multiple domains. That might work for login, but when WebAuthn is used as a re-authentication challenge then a full page redirect becomes very difficult to implement, especially for an existing application.
>>>
>>> WebAuthn credentials are tied to an RP ID, which is a domain name. There is no support for “groups” of domains being acceptable for a credential.
>>>
>>> Redirecting (with suitable care) is possible, somewhat similar to OAuth. There is also (currently) unimplemented spec for granting iframes WebAuthn abilities, in which case postMessage can be used. Implementation priorities are set by need and, currently, nobody is making a fuss about the lack of iframe support so it's not on the roadmap.
>>>
>>> Cheers
>>>
>>> AGL

--
Thanks, HTH,
=JeffH
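An added example (not code from this thread or from any browser) of the RP ID rule Adam describes: a browser only lets a page use an RP ID that equals the caller's effective domain or is a registrable-domain suffix of it, which is why a credential scoped to example1.com is unusable from example2.com. The public-suffix list below is a constructed stand-in for the real Public Suffix List, and the localhost exception for non-HTTPS origins is omitted.

```javascript
// Constructed, minimal stand-in for the Public Suffix List (assumption).
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk"]);

// Effective domain of a caller origin; WebAuthn requires a secure context,
// so anything other than https is rejected here (localhost case omitted).
function effectiveDomain(origin) {
  const url = new URL(origin);
  if (url.protocol !== "https:") return null;
  return url.hostname.toLowerCase();
}

// True if rpId is the host itself or a registrable-domain suffix of it.
// "Registrable" means rpId is not itself a public suffix, so "com" can
// never be an RP ID even though every .com host ends with it.
function isRegistrableDomainSuffix(rpId, host) {
  if (rpId === host) return true;
  if (!host.endsWith("." + rpId)) return false; // label boundary, not substring
  return !PUBLIC_SUFFIXES.has(rpId);
}

// The check a browser applies to rp.id / rpId before creating or asserting
// a credential. Returns true only when the page may act for that RP ID.
function rpIdAcceptable(origin, rpId) {
  const host = effectiveDomain(origin);
  if (host === null) return false;
  return isRegistrableDomainSuffix(rpId.toLowerCase(), host);
}

// Worked cases from the thread: two unrelated domains cannot share an RP ID.
const cases = [
  ["https://login.example1.com", "example1.com"], // true: subdomain of the RP ID
  ["https://www.example2.com", "example1.com"],   // false: different domain
  ["https://example1.com.other.net", "example1.com"], // false: suffix does not match on a label
  ["https://login.example1.com", "com"],          // false: public suffix
];
for (const [origin, rpId] of cases) {
  console.log(origin, rpId, rpIdAcceptable(origin, rpId));
}
```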
Received on Friday, 19 July 2019 15:58:41 UTC