Re: [webauthn] Can RPs assume that `InvalidStateError` for `create()` means an excludeCredentials match? (#1566)

From: Nick Steele via GitHub <sysbot+gh@w3.org>
Date: Wed, 10 Feb 2021 23:32:55 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-777107286-1612999974-sysbot+gh@w3.org>
Hey Lucas, 
I would say that while you can use the `InvalidStateError` as inference that the user is using the same platform authenticator, I am a bit confused about the use-case: it seems like you're trying to use this error to determine if the user is already registered. Why not just check with the user by supplying a `get` request? Also, in the ideal case, a user registers with an RP and closes the browser client, then opens another client and navigates to the previously registered RP in the new client. Upon the user hitting login, the authenticator **should** be able to use the previously created credential for that RP in the new client browser. Is this not the case? What am I missing? The pandemic has turned my brain into pudding.

Your second point also seems to be laid out in #1568 and thank you for submitting this issue to WebKit 🙇 

GitHub Notification of comment by nicksteele
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1566#issuecomment-777107286 using your GitHub account

Received on Wednesday, 10 February 2021 23:32:58 UTC
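
The inference discussed in this message, as an added example that is not part of the original thread or of any project's code: an RP client treats `InvalidStateError` from `create()` only as a hint and confirms it with a `get` request. The function names, outcome labels and the injected `credentials` object (`navigator.credentials` in a browser) are assumptions.

```javascript
// Added example, not from the thread. Function names and outcome labels are
// hypothetical; `credentials` is navigator.credentials in a browser.

// Map a rejected create() to what the RP may conclude from it.
function classifyCreateError(err) {
  switch (err && err.name) {
    case "InvalidStateError":
      // Hint only: the authenticator may hold an excludeCredentials entry.
      return "maybe-already-registered";
    case "NotAllowedError":
      // Cancelled, timed out or refused; says nothing about registration.
      return "not-allowed";
    default:
      return "error";
  }
}

// createOptions / getOptions are the creation and request options issued by
// the RP server, each with its own fresh challenge (assumption).
async function registerOrSignIn(credentials, createOptions, getOptions) {
  try {
    const credential = await credentials.create({ publicKey: createOptions });
    return { outcome: "registered", credential };
  } catch (err) {
    const verdict = classifyCreateError(err);
    if (verdict !== "maybe-already-registered") return { outcome: verdict };
  }
  // Confirm the inference with a get() limited to the excluded credentials.
  try {
    const assertion = await credentials.get({
      publicKey: {
        ...getOptions,
        allowCredentials: createOptions.excludeCredentials,
      },
    });
    // The server must still verify the assertion before trusting it.
    return { outcome: "existing-credential", credential: assertion };
  } catch (err) {
    return { outcome: "unconfirmed" };
  }
}
```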
