[webauthn] Clarify the valid values for user handle in the Authentication Assertion (#1723)

lykahb has just created a new issue for https://github.com/w3c/webauthn:

== Clarify the valid values for user handle in the Authentication Assertion ==
The [5.4.3. User Account Parameters for Credential Generation](https://www.w3.org/TR/webauthn-2/#dictionary-user-credential-params) requires that the user handle must not be an empty string.
However, the [5.2.2. Web Authentication Assertion (interface AuthenticatorAssertionResponse)](https://w3c.github.io/webauthn/#iface-authenticatorassertionresponse) does not explicitly say if userHandle may be an empty string. I would infer that it must be either null, or the same value as passed under `PublicKeyCredentialUserEntity` when registering.

At the moment not all browsers have consistent behavior. For my authenticator (YubiKey) Firefox and Chromium always return `userHandle: null`. However, Safari returns `userHandle: ""`. I opened a [bug report](https://bugs.webkit.org/show_bug.cgi?id=239737) for Safari based on my understanding of the authentication part of the WebAuthn spec.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1723 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 25 April 2022 19:41:34 UTC
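
The following is an added example, not part of the issue or of the WebAuthn specification: a relying-party check that tolerates both browser behaviours reported above (`null` and a zero-length `userHandle`). Treating a zero-length value as absent is an assumption of this example, based on the registration rule that a user handle is never empty; the function names and sample bytes are hypothetical.

```javascript
// Added example: server-side handling of userHandle from an assertion.
// Assumption: a zero-length userHandle is treated like null, because a
// registered user handle can never be empty.

// Accepts null/undefined, an ArrayBuffer, or a typed array.
// Returns a Uint8Array, or null when no usable handle is present.
function normalizeUserHandle(userHandle) {
  if (userHandle === null || userHandle === undefined) return null;
  const bytes = ArrayBuffer.isView(userHandle)
    ? new Uint8Array(userHandle.buffer, userHandle.byteOffset, userHandle.byteLength)
    : new Uint8Array(userHandle);
  return bytes.byteLength === 0 ? null : bytes;
}

// Byte comparison without early exit on the first differing byte.
function sameBytes(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
  return diff === 0;
}

// storedHandle: handle saved with the credential at registration (Uint8Array).
// expectedHandle: handle of the user identified before the ceremony,
// or null for a username-less flow. Returns { ok, reason }.
function checkUserHandle(responseUserHandle, storedHandle, expectedHandle) {
  const handle = normalizeUserHandle(responseUserHandle);
  if (expectedHandle === null) {
    // Nobody identified yet: the assertion itself must name the user.
    if (handle === null) return { ok: false, reason: "userHandle required" };
    if (!sameBytes(handle, storedHandle)) return { ok: false, reason: "userHandle mismatch" };
    return { ok: true, reason: "identified by userHandle" };
  }
  // User already identified: the credential must belong to that user.
  if (!sameBytes(expectedHandle, storedHandle)) {
    return { ok: false, reason: "credential not owned by user" };
  }
  if (handle !== null && !sameBytes(handle, storedHandle)) {
    return { ok: false, reason: "userHandle mismatch" };
  }
  return { ok: true, reason: handle === null ? "userHandle absent" : "userHandle matches" };
}

// Constructed sample values (not taken from the issue).
const sampleHandle = new Uint8Array([0x01, 0x02, 0x03, 0x04]);
const nullCase = checkUserHandle(null, sampleHandle, sampleHandle);
const emptyCase = checkUserHandle(new ArrayBuffer(0), sampleHandle, sampleHandle);
```

With this normalization, the `null` and zero-length cases produce the same result for an already identified user, and both are rejected in a username-less flow where the handle is the only way to find the account.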