Re: [webauthn] Consider allowing cross-domain credential use (#1372)

Thanks so much for your replies! I see what you mean, and from my reading of the WebAuthn spec it does appear as if the most correct/secure/logical implementation would be to have `sub.d.c` (or the origin whose page is actually calling the WebAuthn browser API) be the endpoint at which the entire authentication ceremony is performed. However, as mentioned it also does seem conceivable to have `auth.domain.com` handle the validation that `sub.d.c` is acceptable as an origin (but not ideal).

In this use case, all of the auth is being performed on the backend via the endpoint exposed at the `auth.d.c` domain (including the generation of the `challenge` nonce parameter). Only the WebAuthn registration/verification via browser API is happening at `sub.d.c`. In other words, `sub.d.c` is being passed the known `challenge` and WebAuthn-related config params from `auth.d.c` via a trusted channel, and all `sub.d.c` does is perform the `navigator.credentials.create()` and `navigator.credentials.get()` calls, whereupon the output data is being passed back to `auth.d.c` via a trusted channel.

This use case is basically where developer users have an existing framework hosting a sign-on page at some set of `sub1.d.c`, `sub2.d.c`, etc. domains, so the approach idea is to receive all the WebAuthn config values (e.g. user verification, authenticator attachment, allowed credentials, and so on) and challenge values from a central `auth.d.c` domain, then pass the resulting outputs of the WebAuthn ceremony to a common `auth.d.c` domain for the actual ultimate auth.

@emlun with respect to your last comment, I think I might be confused and would appreciate if you could fix any misunderstanding I have:
> ...might be better off having `sub.d.c` perform the whole authentication ceremony and verify the assertion, and then return some authorization ticket
> ...
> And it would probably be `sub.d.c` that redirects to `auth.d.c`, which performs the WebAuthn ceremony and then redirects back to sub.d.c with the authorization ticket.) 

Per the earlier mention, it sounded to me that by the last sentence you would mean:
>  And it would probably be ~sub.d.c~ `auth.d.c` that redirects to ~auth.d.c~ `sub.d.c`, which performs the WebAuthn ceremony and then redirects back to ~sub.d.c~ `auth.d.c` with the authorization ticket.)

Is that accurate? Just wanted to check my understanding in case I misunderstood anything.

-- 
GitHub Notification of comment by mpeng-okta
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1372#issuecomment-734640285 using your GitHub account



Received on Friday, 27 November 2020 04:38:13 UTC
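
The origin validation discussed in the message above, sketched as an added example (not code from the thread or from the WebAuthn spec): the backend at `auth.d.c` checks that a response relayed from a subdomain is bound to the challenge it issued, to an allow-listed origin and to the RP ID. The RP ID `d.c`, the allow-list and all function names are assumptions, and the sample data is constructed; signature verification is still required and is not shown.

```python
import base64, hashlib, hmac, json, secrets

RP_ID = "d.c"  # assumption: credentials are scoped to the parent domain
ALLOWED_ORIGINS = {"https://sub1.d.c", "https://sub2.d.c"}  # assumption: explicit allow-list

def b64url(data: bytes) -> str:
    """base64url without padding, the encoding clientDataJSON uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_ceremony_binding(client_data_json: bytes, authenticator_data: bytes,
                           expected_challenge: bytes, expected_type: str) -> str:
    """Return the calling origin if the relayed response is bound to our challenge,
    an allowed origin and our RP ID; raise ValueError otherwise.
    Signature and counter checks must follow and are not shown here."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != expected_type:
        raise ValueError("unexpected ceremony type")
    got = str(client_data.get("challenge", "")).encode()
    if not hmac.compare_digest(got, b64url(expected_challenge).encode()):
        raise ValueError("challenge was not issued for this session")
    origin = client_data.get("origin")
    # Exact string match: no suffix or substring matching on the host name.
    if origin not in ALLOWED_ORIGINS:
        raise ValueError(f"origin not allowed: {origin!r}")
    # authenticatorData = rpIdHash (32) || flags (1) || signCount (4) || ...
    if len(authenticator_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = hashlib.sha256(RP_ID.encode()).digest()
    if not hmac.compare_digest(authenticator_data[:32], rp_id_hash):
        raise ValueError("rpIdHash does not match the RP ID")
    return origin

def make_sample(origin: str, challenge: bytes, rp_id: str = RP_ID,
                ceremony: str = "webauthn.get"):
    """Constructed sample data standing in for what a subdomain relays to auth.d.c."""
    cdj = json.dumps({"type": ceremony, "challenge": b64url(challenge),
                      "origin": origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")
    return cdj, auth_data

if __name__ == "__main__":
    challenge = secrets.token_bytes(32)  # generated by auth.d.c, stored per session
    for origin in ("https://sub1.d.c", "https://sub1.d.c.attacker.example"):
        cdj, ad = make_sample(origin, challenge)
        try:
            print("accepted:", check_ceremony_binding(cdj, ad, challenge, "webauthn.get"))
        except ValueError as err:
            print("rejected:", err)
```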