Re: [webauthn] Provide request deserialization, response serialization (#1683)

From: Matthew Miller via GitHub <sysbot+gh@w3.org>
Date: Sat, 15 Jan 2022 06:02:54 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1013620453-1642226572-sysbot+gh@w3.org>
> For the response case, wouldn't it be simpler to define a toJSON() method that can be called on the respective PublicKeyCredential instance that the WebAuthn call returns...

@kreichgauer You make a great point here, a `.toJSON()` method on the `PublicKeyCredential` value returned from `navigator.credentials.create()` and `navigator.credentials.get()` would make it even easier to prepare a credential to send to an RP as JSON:

```js
const resp = await navigator.credentials.create(createOpts);
const respJSON = resp.toJSON();
apiClient.postJSON(url, respJSON);
```

I think this'd be great for serializing responses. It'd still need to be paired with something like the `.optionsFromJSON()` static method I outlined above 🤔 

> For either response examples, the top-level PublicKeyCredential-ish object should include an authenticatorAttachment field, I think?

You're right, as of L3 this'll be the case thanks to https://github.com/w3c/webauthn/pull/1668.

> For the create response example, why does `transports` appear in the top-level dictionary? I believe that information comes from `AuthenticatorAttestationResponse.getTransports()`, so shouldn't it appear in the object under the `response` key?
> Also for the create response example, I believe the `response` key dictionary should include the data from the `getAuthenticatorData()`, `getPublicKey()`, and `getPublicKeyAlgorithm()` helpers. I believe those methods were added specifically to aid RPs that wish not to carry a CBOR parsing dependency, so omitting that data would make the `toJSON()` helper less useful IMHO.

These are the kinds of good questions I figured we'd get to in a PR after I gauged sufficient (current) interest in the idea of serialization helpers to attempt to make a change to the spec. I'm sure there are a few opinions about where values like `transports` should go in a serialized representation of the `PublicKeyCredentials` we get back from `.create()` and `.get()` and I believe together we can get to something that makes sense.

GitHub Notification of comment by MasterKale
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1683#issuecomment-1013620453 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Saturday, 15 January 2022 06:02:55 UTC
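
One possible shape for the serialized registration response discussed in this message, as an added example (not code from the thread or from the WebAuthn spec). The names `toBase64Url` and `registrationToJSON`, the base64url encoding, the field layout (including `transports` under `response`) and the sample credential are assumptions made for illustration.

```javascript
// Added example: one possible JSON layout, not the WebAuthn spec's definition.
const B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

// Encode an ArrayBuffer (or typed array) as unpadded base64url.
function toBase64Url(buf) {
  const bytes = buf instanceof ArrayBuffer ? new Uint8Array(buf)
    : new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength);
  let out = "";
  for (let i = 0; i < bytes.length; i += 3) {
    const n = (bytes[i] << 16) | ((bytes[i + 1] ?? 0) << 8) | (bytes[i + 2] ?? 0);
    out += B64URL[n >> 18] + B64URL[(n >> 12) & 63];
    if (i + 1 < bytes.length) out += B64URL[(n >> 6) & 63];
    if (i + 2 < bytes.length) out += B64URL[n & 63];
  }
  return out;
}

// Hypothetical helper: serialize the result of navigator.credentials.create().
function registrationToJSON(cred) {
  const r = cred.response;
  const json = {
    id: cred.id,
    rawId: toBase64Url(cred.rawId),
    type: cred.type,
    authenticatorAttachment: cred.authenticatorAttachment ?? null,
    response: {
      clientDataJSON: toBase64Url(r.clientDataJSON),
      attestationObject: toBase64Url(r.attestationObject),
    },
  };
  // The helper methods may be missing in older browsers; include only what exists.
  if (typeof r.getTransports === "function") json.response.transports = r.getTransports();
  if (typeof r.getAuthenticatorData === "function")
    json.response.authenticatorData = toBase64Url(r.getAuthenticatorData());
  if (typeof r.getPublicKeyAlgorithm === "function")
    json.response.publicKeyAlgorithm = r.getPublicKeyAlgorithm();
  if (typeof r.getPublicKey === "function") {
    const pk = r.getPublicKey(); // null when the browser cannot parse the key
    json.response.publicKey = pk === null ? null : toBase64Url(pk);
  }
  return json;
}

// Constructed stand-in for a PublicKeyCredential so the block runs outside a browser.
const sampleCredential = {
  id: "AQIDBA", rawId: new Uint8Array([1, 2, 3, 4]).buffer,
  type: "public-key", authenticatorAttachment: "platform",
  response: { clientDataJSON: new Uint8Array([0x7b, 0x7d]).buffer,
    attestationObject: new Uint8Array([0xa0]).buffer, getTransports: () => ["internal"] },
};
```

The output survives `JSON.stringify()` unchanged, so the RP server receives text fields it can base64url-decode and then verify as usual.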
