Re: [webauthn] Use of CBOR, and Uint8Array/ArrayBuffer (#1362)

Taking some of the ideas from the thread on using WebAuthn without Javascript, I've created something that could be done via the browser itself.

It uses the idea of including the public key in the result from `create()` - so you don't have every website needing to mess around with CBOR encoding. This does introduce some duplicate data, including the `flags` and `signCount`, but that's relatively small. The main focus is on making WebAuthn much easier for websites to implement, and I suspect most websites would use these parsed values (as I understand it, you only need the binary form if you are using `attestation`, where I don't think I've seen a single website do that so far).

It avoids the issue where the length of `attestedCredentialData` is difficult to get right - the implementations I've seen so far assume there is no extension data present, e.g.

    credentialPublicKey = authData.slice(55 + credentialIdLength); // Missing [end]

By converting all of the Uint8Array/ArrayBuffer values directly to base64 encoding, it's much easier to provide values (e.g. the ``), and have a response that can be sent to the server.

And a minor thing, my implementation has replaced the base64url encoding of the `` with normal base64 encoding, but that's just to make it easier for programming languages that don't support rfc4648 by default.


This is my first working version (3rd attempt at trying to understand WebAuthn, which I don't think is a good in regards to the current complexity):

The HTML is at the bottom of the PHP scripts.

I should note that the PHP code is intentionally trying to remain as simple as possible, so it's not pulling in a framework, or using objects, types, etc.

GitHub Notification of comment by craigfrancis

Received on Sunday, 19 January 2020 18:54:11 UTC
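The length problem described in the message, as an added example that is not part of the original post or the author's implementation: the end of `credentialPublicKey` is found by walking the CBOR item, so extension data that follows it is not swept into the key. The function names and the sample bytes are constructed for illustration.

```javascript
// Offset just past the CBOR item at `pos` (definite lengths only, as CTAP2 canonical CBOR requires).
function cborItemEnd(buf, pos) {
  if (pos >= buf.length) throw new RangeError("truncated CBOR");
  const major = buf[pos] >> 5, info = buf[pos] & 0x1f;
  let arg = info;
  pos += 1;
  if (info >= 24) {
    if (info > 27) throw new Error("indefinite or reserved CBOR length");
    const n = 1 << (info - 24); // 1, 2, 4 or 8 argument bytes
    if (pos + n > buf.length) throw new RangeError("truncated CBOR");
    arg = 0;
    for (let i = 0; i < n; i++) arg = arg * 256 + buf[pos + i];
    pos += n;
  }
  if (major === 2 || major === 3) pos += arg; // byte or text string body
  else if (major === 4 || major === 5) // array (arg items) or map (2 * arg items)
    for (let i = arg * (major - 3); i > 0; i--) pos = cborItemEnd(buf, pos);
  else if (major === 6) pos = cborItemEnd(buf, pos); // tag wraps one item
  if (pos > buf.length) throw new RangeError("truncated CBOR");
  return pos; // majors 0, 1 and 7: the argument bytes were the whole item
}

function parseAuthData(authData) {
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  const flags = authData[32];
  const out = { flags, signCount: view.getUint32(33) }; // throws if shorter than 37 bytes
  let pos = 37;
  if (flags & 0x40) { // AT: attestedCredentialData present
    const keyStart = 55 + view.getUint16(53);
    const keyEnd = cborItemEnd(authData, keyStart); // the [end] the one-liner omits
    out.credentialId = authData.slice(55, keyStart);
    out.credentialPublicKey = authData.slice(keyStart, keyEnd);
    pos = keyEnd;
  }
  if (flags & 0x80) { // ED: CBOR extension map follows
    const end = cborItemEnd(authData, pos);
    out.extensions = authData.slice(pos, end);
    pos = end;
  }
  if (pos !== authData.length) throw new Error("unexpected trailing bytes");
  return out;
}

// Constructed sample: zeroed hash/AAGUID/key coordinates, 16-byte ID, 77-byte ES256 key, 14-byte extension map.
function sampleAuthData() {
  const z = (n, v = 0) => new Array(n).fill(v);
  const coseKey = [0xa5, 1, 2, 3, 0x26, 0x20, 1, 0x21, 0x58, 0x20, ...z(32), 0x22, 0x58, 0x20, ...z(32)];
  const ext = [0xa1, 0x6b, ...new TextEncoder().encode("credProtect"), 2];
  return Uint8Array.from([...z(32), 0xc5, 0, 0, 0, 7, ...z(16), 0, 16, ...z(16, 9), ...coseKey, ...ext]);
}
```

On the sample, `authData.slice(55 + credentialIdLength)` returns 91 bytes (key plus extensions), while `parseAuthData` returns the 77-byte key and the 14-byte extension map separately.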