Re: [webauthn] Support WWW-Authenticate (for one request. can be upgraded to cookies if necessary.) (#1616)

> It would be useful to be able to use WebAuthn with WWW-Authenticate

Sure, ISTM IIUC that this is _nominally_ possible to achieve since the "Access Authentication Framework" that the `WWW-Authenticate` response header field is a part of is challenge-response.  `WWW-Authenticate` conveys an "authentication scheme" identifier and a challenge:
> `WWW-Authenticate = 1#challenge` // [RFC7235 S 4.1](https://datatracker.ietf.org/doc/html/rfc7235#section-4.1)
>
> `challenge   = auth-scheme [ 1*SP ( token68 / #auth-param ) ]` // [RFC7235 S 2.1](https://datatracker.ietf.org/doc/html/rfc7235#section-2.1)

One could spec this by defining a new `auth-scheme` (say "webauthn1") and how the server's params are mapped into `( token68 / #auth-param )`, how the client deciphers all that into `nav.creds.get()` call params, and then maps the results into an `Authorization` request header field's `credentials` component:
> `Authorization = credentials`

...and then how the server parses and verifies it upon receipt.

However, ISTM we would not spec this in the webauthn spec or the W3C, but rather if someone really feels it's worth the effort to do so, I'd suggest doing it in the IETF as an Internet-Draft to begin with (one'd figure out there in the IETF whether it'll end up on the standards track or informational or experimental or whatever). 

-- 
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1616#issuecomment-853294410 using your GitHub account


Received on Wednesday, 2 June 2021 18:46:42 UTC
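
Added example, not part of the comment above and not taken from any specification: a sketch of the client-side mapping the comment outlines, parsing a `webauthn1` challenge per the RFC 7235 grammar into options for `navigator.credentials.get()` and serializing an assertion into `Authorization` credentials. The auth-param names (`challenge`, `rpid`, `allow`, `id`, `cdata`, `adata`, `sig`) and all function names are assumptions made for illustration.

```javascript
// Hypothetical "webauthn1" scheme. The auth-param names (challenge, rpid, allow,
// id, cdata, adata, sig) are assumptions; no specification defines them.
const TOKEN = "[!#$%&'*+\\-.^_`|~0-9A-Za-z]+"; // RFC 7230 token characters
// Constructed sample header value (not from any real server).
const SAMPLE = 'webauthn1 challenge="AQIDBA", rpid="example.com", allow="BQY Bwg"';

// Parse one challenge: auth-scheme 1*SP #auth-param (RFC 7235 section 2.1).
function parseChallenge(value) {
  const m = new RegExp(`^(${TOKEN})(?: +(.*))?$`).exec(value.trim());
  if (!m) throw new Error("malformed challenge");
  const params = Object.create(null); // no inherited keys to collide with
  const re = new RegExp(`(${TOKEN})\\s*=\\s*(?:"((?:[^"\\\\]|\\\\.)*)"|(${TOKEN}))\\s*(?:,\\s*|$)`, "y");
  const rest = m[2] || "";
  while (re.lastIndex < rest.length) {
    const p = re.exec(rest); // sticky: must match exactly where the last one ended
    if (!p) throw new Error("malformed auth-param");
    const name = p[1].toLowerCase();
    if (name in params) throw new Error("duplicate auth-param: " + name);
    params[name] = p[2] !== undefined ? p[2].replace(/\\(.)/g, "$1") : p[3];
  }
  return { scheme: m[1].toLowerCase(), params };
}
function b64urlToBytes(s) {
  if (!/^[A-Za-z0-9_-]+$/.test(s) || s.length % 4 === 1) throw new Error("not base64url");
  const pad = "=".repeat((4 - (s.length % 4)) % 4);
  const bin = atob(s.replace(/-/g, "+").replace(/_/g, "/") + pad);
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}
function bytesToB64url(bytes) {
  return btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
// Build the publicKey options for navigator.credentials.get(); the browser
// still enforces rpId scoping against the calling origin.
function toRequestOptions(headerValue) {
  const { scheme, params } = parseChallenge(headerValue);
  if (scheme !== "webauthn1") throw new Error("unsupported auth-scheme");
  if (!params.challenge || !params.rpid) throw new Error("missing required auth-param");
  return {
    challenge: b64urlToBytes(params.challenge),
    rpId: params.rpid,
    allowCredentials: (params.allow || "").split(" ").filter(Boolean)
      .map((id) => ({ type: "public-key", id: b64urlToBytes(id) })),
  };
}
// Serialize an assertion (fields as byte arrays) into Authorization credentials.
function toCredentials(a) {
  const f = { id: a.rawId, cdata: a.clientDataJSON, adata: a.authenticatorData, sig: a.signature };
  return "webauthn1 " + Object.entries(f).map(([k, v]) => `${k}="${bytesToB64url(v)}"`).join(", ");
}
```

The parser rejects duplicate and malformed auth-params rather than picking one, so a client and a server cannot disagree about which `challenge` value was signed.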