W3C home > Mailing lists > Public > public-webauthn@w3.org > November 2021

Re: [webauthn] Cross origin authentication without iframes (#1667)

From: Goosth via GitHub <sysbot+gh@w3.org>
Date: Mon, 22 Nov 2021 06:27:20 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-975171376-1637562438-sysbot+gh@w3.org>
This is a great discussion.

I'd like to just ensure we're clear on the set of use-cases that an Relying Party (Bank/Account Provider/Issuer) may want to use a credential for.

If we consider banking, they would still want to use this specific credential to 
* Login in to Digital banking (with discoverable credentials)
* Confirm a Payment in the RP's 1p domain (OIDC redirect such as Open Banking redirect) in top level domain
* Confirm a Payment in the RP's 1p domain (OIDC redirect such as Open Banking redirect) in 3rd Party iFrame

Whatever solution we consider to enable this to be called from another domain should not remove/prevent those use-cases.

Limiting the SPC credential to only work cross domain or only allow payments would not be desirable, since it would severely limit's it's usability. For example, in 3D Secure, the cross domain SPC capability will be used by advanced merchants, while most other merchants will still just redirect to the RP to challenge and confirm the payment. And here we will then want the RP to be able to enable payments. 

GitHub Notification of comment by Goosth
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1667#issuecomment-975171376 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 22 November 2021 06:27:22 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:45 UTC