RE: [webauthn] New platform authenticators are making discoverable credentials regardless of residentKey=false passed to Create() (#1457) from Shane B Weeden on 2020-09-11 (public-webauthn@w3.org from September 2020)

From: Shane B Weeden <sweeden@au1.ibm.com>
Date: Fri, 11 Sep 2020 11:16:13 +0000
To: "Arian van Putten via GitHub" <sysbot+gh@w3.org>
Cc: public-webauthn@w3.org
Message-Id: <OFB5606F20.E2519414-ON002585E0.003DE8B4-1599822973426@notes.na.collabserv.com>

I was the one who proposed and introduced the credProps extension to
WebAuthn L2 for this purpose. I too hope that the browsers will implement
it.

Sent from my iPhone

> On 11 Sep 2020, at 8:54 pm, Arian van Putten via GitHub <sysbot
+gh@w3.org> wrote:
>
> Hmm; but the spec is pretty clear about how `get` should behave after a
`create` with `requireResidentKey=true` is performed.    Chrome for Android
not supporting an empty `allowCredentials` list sounds like a clear
deviation from both the L1 and L2 spec to me:
>
> From the spec on `requireResidentKey`:
>
>> This member describes the Relying Party's requirements regarding
resident credentials. If the parameter is set to true, the authenticator
**MUST create a _client-side-resident public key credential source_ when
creating a public key credential**
>
> And from the definition of **client-side-resident public key credential
source**:
>
>> Such client-side storage requires a resident credential capable
authenticator and has the property that the authenticator **is able to
select the credential private key given only an RP ID**, possibly with user
assistance (e.g., by providing the user a pick list of credentials scoped
to the RP ID)
>
> This reads to me, unambigiously,  as: **if** `create` succeeds with
`requireResidentKey = true` then I can rely on  `get` being able to work
with `allowCredentials = []` if the same authenticator is inserted.
>
>
> What I want to know is, an implementor of an RP; how do I detect this
edge-case where I _required_ a resident credential during registration; but
when the user presents the same hardware token during login, the  resident
credential flow doesn't work?
>
> The simple requirement is  "I want people who register with a token to be
able to login with that token".  and i don't see a way how I can currently
require that; which is not great.
>
> I tried setting `extensions: { credProps: true }`  so that I can look at
the `rk` property after credential creation, but that does not seem to be
implemented by Chrome yet (at least it didn't work for me).
>
>
>
> --
> GitHub Notification of comment by arianvp
> Please view or discuss this issue at
https://github.com/w3c/webauthn/issues/1457#issuecomment-691025327
  using your GitHub account
>
>
> --
> Sent via github-notify-ml as configured in
https://github.com/w3c/github-notify-ml-config

>

Received on Friday, 11 September 2020 11:16:28 UTC