Re: [webauthn] New platform authenticators are making discoverable credentials regardless of residentKey=false passed to Create() (#1457) from Arian van Putten via GitHub on 2020-09-11 (public-webauthn@w3.org from September 2020)

From: Arian van Putten via GitHub <sysbot+gh@w3.org>
Date: Fri, 11 Sep 2020 10:54:03 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-691025327-1599821641-sysbot+gh@w3.org>

Hmm; but the spec is pretty clear about how `get` should behave after a `create` with `requireResidentKey=true` is performed.    Chrome for Android not supporting an empty `allowCredentials` list sounds like a clear deviation from both the L1 and L2 spec to me:

From the spec on `requireResidentKey`:

> This member describes the Relying Party's requirements regarding resident credentials. If the parameter is set to true, the authenticator **MUST create a _client-side-resident public key credential source_ when creating a public key credential**

And from the definition of **client-side-resident public key credential source**:

>  Such client-side storage requires a resident credential capable authenticator and has the property that the authenticator **is able to select the credential private key given only an RP ID**, possibly with user assistance (e.g., by providing the user a pick list of credentials scoped to the RP ID)

This reads to me, unambigiously,  as: **if** `create` succeeds with `requireResidentKey = true` then I can rely on  `get` being able to work with `allowCredentials = []` if the same authenticator is inserted.


What I want to know is, an implementor of an RP; how do I detect this edge-case where I _required_ a resident credential during registration; but when the user presents the same hardware token during login, the  resident credential flow doesn't work?

The simple requirement is  "I want people who register with a token to be able to login with that token".  and i don't see a way how I can currently require that; which is not great.

I tried setting `extensions: { credProps: true }`  so that I can look at the `rk` property after credential creation, but that does not seem to be implemented by Chrome yet (at least it didn't work for me). 



-- 
GitHub Notification of comment by arianvp
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1457#issuecomment-691025327 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 11 September 2020 10:54:05 UTC