Re: [webauthn] Cross origin authentication without iframes (#1667)

This was discussed today in the SPC Task Force (part of the Web Payments WG). There were two main outcomes of the discussion:

1. A desire that an RP should be able to access SPC in a first-party setting (e.g. on `rp.com`), using an existing and 'normal' WebAuthn credential. That is, to use a credential C in the following cases:

|  | First Party-usage | Third Party-usage |
| ------------- | ------------- | ------------- |
| **Login**  | No bit needed | Never!  |
| **Payments**  | No bit needed | Needs a bit set at creation-time  |

2. A desire that a third-party enabled credential should **also** be usable in a first-party context for login. That is, if `rp.com` creates a third-party enabled credential C so that `not-rp.com` can use it in a payments context, it should also be possible for a user to visit `rp.com` and do a login authentication flow using C.

The first of these is possible by changing the namespace solution to be about the 3p-powers rather than payment abilities (i.e. `3p://rp.com` rather than `payment://rp.com`). The second of these, however, is not compatible with a namespace solution as it requires interoperating across two dimensions.

@ve7jtb did come up with a new proposal during the meeting, which I believe he plans to mull on and then post here if he's happy enough with it :).

-- 
GitHub Notification of comment by stephenmcgruer
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1667#issuecomment-975770111 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 22 November 2021 17:45:27 UTC
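A small Python model of the two designs the comment compares, added here as an illustration; it is not code from the thread or from the WebAuthn spec. The origin parsing and registrable-suffix check are simplified assumptions (no public-suffix list), and the `3p://rp.com` scope string follows the comment's notation.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    rp_id: str          # scope the credential was created under
    third_party: bool   # creation-time "3p bit" of the flag design (unused by the namespace design)


def effective_domain(origin: str) -> str:
    """'https://shop.rp.com:443/cart' -> 'shop.rp.com' (simplified parse, an assumption)."""
    host = origin.split("://", 1)[-1]
    return host.split("/", 1)[0].split(":", 1)[0].lower()


def rp_id_matches(rp_id: str, origin: str) -> bool:
    """WebAuthn rule: the rpId must equal the caller's effective domain or be a
    registrable-domain suffix of it (public-suffix handling omitted here)."""
    domain = effective_domain(origin)
    return domain == rp_id or domain.endswith("." + rp_id)


def requested_scope(rp: str, caller: str, use: str) -> str:
    """Namespace design: a cross-origin payment call asks for '3p://rp', anything first-party asks for 'rp'."""
    cross_origin_payment = use == "payment" and not rp_id_matches(rp, caller)
    return f"3p://{rp}" if cross_origin_payment else rp


def namespace_allows(cred: Credential, rp: str, caller: str, use: str) -> bool:
    """Namespace design: a credential lives in exactly one scope string, and the
    request must name that scope. Cross-origin login is never allowed."""
    if use == "login" and not rp_id_matches(rp, caller):
        return False
    return cred.rp_id == requested_scope(rp, caller, use)


def flag_allows(cred: Credential, caller: str, use: str) -> bool:
    """Flag design (the table in the comment): one rpId for both contexts;
    first-party use needs no bit, third-party payment needs the bit,
    third-party login is never allowed."""
    if rp_id_matches(cred.rp_id, caller):
        return use in ("login", "payment")
    return use == "payment" and cred.third_party
```

Under the namespace design a credential created as `3p://rp.com` works for a payment from `not-rp.com` but not for a login at `rp.com`, which is exactly the second outcome the comment says the namespace solution cannot satisfy; the flag design allows both.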