- From: Adam Langley via GitHub <sysbot+gh@w3.org>
- Date: Thu, 05 May 2022 18:39:26 +0000
- To: public-webauthn@w3.org
The user handle is set by an RP when creating a discoverable credential so that they can identity that user in future assertion requests with an empty allowList. There was historically ambiguity about whether an empty user handle was valid and implementations differ in whether they support them. Thus empty user handles were disallowed and RPs must not set `user.id` to a non-null, but empty, value when creating credentials. This ensures that RPs work for all authenticators. In terms of whether the [returned user handle](https://www.w3.org/TR/webauthn-2/#dom-authenticatorassertionresponse-userhandle) in an assertion can be empty: I think it validly _can_ be empty if the authenticator returned an empty value. For a given RP, if they never created credentials with empty user handles, then they should never see empty values however. Looking at your Safari bug: indeed, Safari returns an empty user handle in an assertion even with U2F authenticators. U2F authenticators obviously never return any user handles so Safari is mapping that to the empty string rather than null. I think that's wrong per [the spec](https://www.w3.org/TR/webauthn-2/#dom-authenticatorassertionresponse-userhandle). -- GitHub Notification of comment by agl Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1722#issuecomment-1118925260 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 5 May 2022 18:39:27 UTC