
Re: [webauthn] New platform authenticators are making discoverable credentials regardless of residentKey=false passed to Create() (#1457)

From: Arian van Putten via GitHub <sysbot+gh@w3.org>
Date: Fri, 11 Sep 2020 10:54:03 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-691025327-1599821641-sysbot+gh@w3.org>
Hmm; but the spec is pretty clear about how `get` should behave after a `create` with `requireResidentKey=true` is performed. Chrome for Android not supporting an empty `allowCredentials` list sounds like a clear deviation from both the L1 and L2 spec to me:

From the spec on `requireResidentKey`:

> This member describes the Relying Party's requirements regarding resident credentials. If the parameter is set to true, the authenticator **MUST create a _client-side-resident public key credential source_ when creating a public key credential**

And from the definition of **client-side-resident public key credential source**:

> Such client-side storage requires a resident credential capable authenticator and has the property that the authenticator **is able to select the credential private key given only an RP ID**, possibly with user assistance (e.g., by providing the user a pick list of credentials scoped to the RP ID)

This reads to me, unambiguously, as: **if** `create` succeeds with `requireResidentKey = true` then I can rely on `get` being able to work with `allowCredentials = []` if the same authenticator is inserted.

What I want to know is, as an implementor of an RP, how do I detect this edge case where I _required_ a resident credential during registration, but when the user presents the same hardware token during login, the resident credential flow doesn't work?

The simple requirement is "I want people who register with a token to be able to log in with that token", and I don't see a way I can currently require that, which is not great.

I tried setting `extensions: { credProps: true }` so that I can look at the `rk` property after credential creation, but that does not seem to be implemented by Chrome yet (at least it didn't work for me).

GitHub Notification of comment by arianvp
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1457#issuecomment-691025327 using your GitHub account

Received on Friday, 11 September 2020 10:54:05 UTC
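The detection question above, as an added example that is not code from the thread or from the WebAuthn spec: an RP requests a resident credential together with the `credProps` extension, classifies what the client reported in `getClientExtensionResults()` (`rk` true, false, or absent when the extension is unsupported), and only sends an empty `allowCredentials` list at login when the credential is known to be discoverable. Helper names (`buildCreateOptions`, `classifyResidentKey`, `buildGetOptions`) and the sample extension results are assumptions; the option field names follow WebAuthn L2.

```javascript
// Added example; helper names and sample data are assumptions, not from the thread.

// Registration options when the RP requires a resident credential, with the
// credProps extension requested so the client can report whether one was made.
function buildCreateOptions(challenge, rpId, userId) {
  return {
    publicKey: {
      challenge,
      rp: { id: rpId, name: rpId },
      user: { id: userId, name: "user@example.test", displayName: "User" },
      pubKeyCredParams: [{ type: "public-key", alg: -7 }],
      authenticatorSelection: {
        residentKey: "required",      // L2 name
        requireResidentKey: true,     // L1 name, kept for older clients
      },
      extensions: { credProps: true },
    },
  };
}

// Classify what the client reported after create() resolved.
// `extResults` is the object returned by credential.getClientExtensionResults().
function classifyResidentKey(extResults) {
  const props = extResults && extResults.credProps;
  if (!props || typeof props.rk !== "boolean") return "unknown"; // extension not implemented
  return props.rk ? "discoverable" : "not-discoverable";
}

// Build get() options. An empty allowCredentials list is only safe when the
// credential is known to be discoverable; otherwise send the stored credential
// IDs so login still works on a client that cannot run the resident flow.
function buildGetOptions(challenge, rpId, rkStatus, storedCredentialIds) {
  const allowCredentials =
    rkStatus === "discoverable"
      ? []
      : storedCredentialIds.map((id) => ({ type: "public-key", id }));
  return { publicKey: { challenge, rpId, allowCredentials, userVerification: "preferred" } };
}

// Constructed sample extension results, shaped like a browser would return them.
const sampleRkTrue = { credProps: { rk: true } };
const sampleRkFalse = { credProps: { rk: false } };
const sampleNoExtension = {};
```

Storing the classification alongside the credential ID at registration lets the RP choose the right `allowCredentials` shape on each later login instead of relying on an empty list working.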
