
[webauthn] Better specify what an unknown type credential descriptor being ignored means (#1748)

From: Nina Satragno via GitHub <sysbot+gh@w3.org>
Date: Fri, 17 Jun 2022 16:21:40 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-1275230701-1655482897-sysbot+gh@w3.org>

nsatragno has just created a new issue for https://github.com/w3c/webauthn:

== Better specify what an unknown type credential descriptor being ignored means ==
We use credential descriptors "`PublicKeyCredentialDescriptor`" for allow lists & exclude lists. The spec says:

> [...][client platforms](https://w3c.github.io/webauthn/#client-platform) MUST ignore any [PublicKeyCredentialDescriptor](https://w3c.github.io/webauthn/#dictdef-publickeycredentialdescriptor) with an unknown [type](https://w3c.github.io/webauthn/#dom-publickeycredentialdescriptor-type).

There's no further specification for unknown types. If we follow the spec to the letter, a possible interpretation ends up with:

  publicKey: {
    allowCredentials: [{type: "not-yet-supported-by-browser", id: <id>}],
    // ...
  }

Resulting in an empty `allowCredentials` request, which is definitely not what the RP intended. I think we should immediately return `NotAllowedError` in this case, based on prior text:

> If issuedRequests is empty, options.[allowCredentials](https://w3c.github.io/webauthn/#dom-publickeycredentialrequestoptions-allowcredentials) is not empty, and no authenticator will become available for any [public key credentials](https://w3c.github.io/webauthn/#public-key-credential) therein,
> Indicate to the user that no eligible credential could be found. When the user acknowledges the dialog, throw a "[NotAllowedError](https://webidl.spec.whatwg.org/#notallowederror)" [DOMException](https://webidl.spec.whatwg.org/#idl-DOMException).

This is not a problem for `excludeCredentials`, since in that case the browser will simply discard the unknown credential type.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1748 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 17 June 2022 16:21:42 UTC
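
The two readings discussed in the issue above, side by side, as an added example that is not part of the original message, the WebAuthn spec, or any browser's code. All function names, the `mode` labels and the sample request are hypothetical; it assumes `"public-key"` is the only credential type the client knows and that an empty allow list selects discoverable credentials.

```javascript
// Hypothetical model of a client; only "public-key" is a known type here.
const KNOWN_TYPES = new Set(["public-key"]);

// The "MUST ignore" step: drop descriptors whose type is unknown.
function dropUnknownTypes(descriptors = []) {
  return descriptors.filter((d) => KNOWN_TYPES.has(d.type));
}

function modeFor(allow) {
  return allow.length === 0
    ? { mode: "discoverable-credentials", allow }
    : { mode: "allow-list", allow };
}

// Literal reading: the filtered list silently replaces the RP's list, so a
// list that becomes empty is treated as if the RP had sent no allow list.
function literalReading(options) {
  return modeFor(dropUnknownTypes(options.allowCredentials));
}

// Reading proposed in the issue: a non-empty list that filters down to
// nothing fails with NotAllowedError instead of widening the request.
function proposedReading(options) {
  const requested = options.allowCredentials ?? [];
  const allow = dropUnknownTypes(requested);
  if (requested.length > 0 && allow.length === 0) {
    return { mode: "reject", error: "NotAllowedError", allow };
  }
  return modeFor(allow);
}

// excludeCredentials: dropping unknown entries is all that is needed.
function effectiveExcludeList(options) {
  return dropUnknownTypes(options.excludeCredentials);
}

// Constructed sample request; the id bytes are made up.
const SAMPLE_REQUEST = {
  allowCredentials: [
    { type: "not-yet-supported-by-browser", id: new Uint8Array([1, 2, 3]) },
  ],
};

console.log(literalReading(SAMPLE_REQUEST).mode);   // RP's restriction is lost
console.log(proposedReading(SAMPLE_REQUEST).error); // request fails closed
```
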
