Re: [webauthn] Does AuthenticationExtensionsClientOutputs key have to be extension identifier or not? (#1430)

As far as I can tell @ynojima is right that the CTAP2.1 definition departs from how the WebAuthn extensions framework is intended to work. Fortunately this only affects clients - authenticators that have already shipped with the feature will not have to change if we want to fix it.

The extensions framework in WebAuthn would expect the registration input to look like this:

```
{
  "publicKey": {
    "challenge":  ...,
    ...,
    "authenticatorSelection": {
      "userVerification": "required"
    },
    "extensions": {
      "credProtect": {
        "credentialProtectionPolicy": "userVerificationRequired",
        "enforceCredentialProtectionPolicy": true
      }
    }
  }
}
```

However, in Chromium 83.0.4103.61 this causes the extension to be ignored. You indeed have to specify the extension like this:

```
{
  "publicKey": {
    "challenge":  ...,
    ...,
    "authenticatorSelection": {
      "userVerification": "required"
    },
    "extensions": {
      "credentialProtectionPolicy": "userVerificationRequired",
      "enforceCredentialProtectionPolicy": true
    }
  }
}
```

which causes the extension to be processed and reflected in the authenticator extension output.

On the authenticator side, the extension input is simply an integer `"extensions": { "credProtect": 3 }` computed by the client, which incidentally does match the WebAuthn input structure.

So in summary: Chromium implements the extension as specified in CTAP2.1, but CTAP2.1 does not follow the extension input structure expected by WebAuthn. CTAP could change the specification to match the WebAuthn structure, in which case only client code needs to change. Alternatively, WebAuthn could relax the soft requirement that extension inputs be grouped under a key named as the extension identifier.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1430#issuecomment-638468506 using your GitHub account

Received on Wednesday, 3 June 2020 21:20:53 UTC