Re: [webauthn] Use of CBOR, and Uint8Array/ArrayBuffer (#1362)

Taking some of the ideas from the thread on using [WebAuthn without JavaScript](https://github.com/w3c/webauthn/issues/1255), I've created something that could be done via the browser itself.

It uses the idea of including the [public key in the result from `create()`](https://github.com/w3c/webauthn/issues/557) - so you don't have every website needing to mess around with CBOR encoding. This does introduce some duplicate data, including the `flags` and `signCount`, but that's relatively small. The main focus is on making WebAuthn much easier for websites to implement, and I suspect most websites would use these parsed values (as I understand it, you only need the binary form if you are using `attestation`, where I don't think I've seen a single website do that so far).

It avoids the issue where the [length of `attestedCredentialData`](https://github.com/w3c/webauthn/issues/1012) is difficult to get right - the implementations I've seen so far assume there is no extension data present, e.g.

    credentialPublicKey = authData.slice(55 + credentialIdLength); // Missing [end]

By converting all of the Uint8Array/ArrayBuffer values directly to base64 encoding, it's much easier to provide values (e.g. the `publicKey.user.id`), and have a response that can be sent to the server.

And a minor thing, my implementation has replaced the base64url encoding of the `response.id` with normal base64 encoding, but that's just to make it easier for programming languages that don't support RFC 4648 by default.

---

This is my first working version (3rd attempt at trying to understand WebAuthn, which I don't think is good in regards to the current complexity):

https://github.com/craigfrancis/webauthn-tidy/tree/master/html

The HTML is at the bottom of the PHP scripts.

I should note that the PHP code is intentionally trying to remain as simple as possible, so it's not pulling in a framework, or using objects, types, etc.

-- 
GitHub Notification of comment by craigfrancis
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1362#issuecomment-576034705 using your GitHub account

Received on Sunday, 19 January 2020 18:54:11 UTC
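
The `attestedCredentialData` length problem raised in the comment above, as an added example that is not part of the original post or of the linked repository: the end of `credentialPublicKey` is found by walking the CBOR item, so extension data is not swallowed into the key. The function names are hypothetical, the sample bytes are constructed, and only definite-length CBOR is handled.

```javascript
// Returns the offset just past one definite-length CBOR item starting at `pos`.
function cborItemEnd(buf, pos) {
  const view = new DataView(buf.buffer, buf.byteOffset, buf.byteLength);
  const major = buf[pos] >> 5, info = buf[pos] & 0x1f;
  let arg = info, next = pos + 1;
  if (info === 24) { arg = view.getUint8(next); next += 1; }
  else if (info === 25) { arg = view.getUint16(next); next += 2; }
  else if (info === 26) { arg = view.getUint32(next); next += 4; }
  else if (info === 27) { arg = Number(view.getBigUint64(next)); next += 8; }
  else if (info > 27) throw new Error('indefinite/reserved CBOR length not supported');
  if (major === 2 || major === 3) next += arg;              // byte/text string body
  else if (major === 4 || major === 5) {                    // array / map (map = 2 items per pair)
    for (let n = major === 5 ? arg * 2 : arg; n > 0; n--) next = cborItemEnd(buf, next);
  } else if (major === 6) next = cborItemEnd(buf, next);    // tag wraps exactly one item
  if (next > buf.length) throw new RangeError('CBOR item runs past end of authData');
  return next;
}

// Splits authenticator data: rpIdHash(32) flags(1) signCount(4) [aaguid(16) idLen(2) id key] [ext]
function splitAuthData(authData) {
  if (authData.length < 37) throw new RangeError('authData shorter than 37 bytes');
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  const flags = authData[32];
  const out = { flags, signCount: view.getUint32(33), credentialId: null,
                credentialPublicKey: null, extensions: null };
  let pos = 37;
  if (flags & 0x40) {                                       // AT: attested credential data present
    const keyStart = 55 + view.getUint16(53);
    pos = cborItemEnd(authData, keyStart);                  // the [end] the one-line slice lacks
    out.credentialId = authData.slice(55, keyStart);
    out.credentialPublicKey = authData.slice(keyStart, pos);
  }
  if (flags & 0x80) {                                       // ED: CBOR extension map follows
    const end = cborItemEnd(authData, pos);
    out.extensions = authData.slice(pos, end);
    pos = end;
  }
  if (pos !== authData.length) throw new RangeError('unexpected trailing bytes in authData');
  return out;
}

// Constructed sample: zeroed rpIdHash/AAGUID, 4-byte id, EC2 COSE key, extension map {"x": 1}.
function sampleAuthData() {
  const coord = new Array(32).fill(0x11);
  const key = [0xa5, 1, 2, 3, 0x26, 0x20, 1, 0x21, 0x58, 0x20, ...coord, 0x22, 0x58, 0x20, ...coord];
  return Uint8Array.from([...new Array(32).fill(0), 0xc1, 0, 0, 0, 5,
    ...new Array(16).fill(0), 0, 4, 1, 2, 3, 4, ...key, 0xa1, 0x61, 0x78, 1]);
}
```

On the constructed sample, `splitAuthData(sampleAuthData())` returns a 77-byte key, while `authData.slice(55 + credentialIdLength)` returns 81 bytes because it includes the 4 extension bytes.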