Re: [webauthn] Cross origin authentication without iframes (#1667)

Dirk and I talked about something like what @emlun is proposing a couple of years ago for permission based cross-origin authentication requests.

One issue was the merchants didn't want the browsers making a call to the bank for each request for performance reasons.  

One thing we considered was the RP publishing a JWKS at a .well-known.  That would contain a public key that the bank would use to sign delegation authorizations.

The merchant would send the card number to the bank and get back a list of RPID and a time-limited delegation authorization that would go to the browser allowing the RP to treat the RP as a proxy for the specified RPID.

The browser would need to cache the public key but that could be relatively long lived and used across multiple merchants.

The browser would check that the delegation ticket in the request is valid before allowing the RP to specify a third party RPID.

If we wanted to not keep a cross domain flag in the authenticator for the credential then we could probably do that if the allow list was part of the signed object.  That would prevent the merchant from making a request with credentials in an allow list that the RP doesn't intend for cross domain.

I think it would solve Akshay's problem with only allowing specific proxies.

I don't quite get why there is a requirement for discoverable credentials.  While this should work for discoverable credentials when an allow list is provided, I don't see any reason that a discoverable credential is required.

If we decide to store a flag for the credential, that could be stored in the credentialID, allowing non-discoverable credentials to work as well.

So I mostly agree with @emlun but think the browser should just be getting a key in the .well-known so it can be cached and be replicated via CDN.

-- 
GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1667#issuecomment-909415399 using your GitHub account

-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 31 August 2021 16:58:14 UTC