- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Tue, 10 May 2022 16:19:16 +0000
- To: public-webauthn@w3.org
emlun has just created a new issue for https://github.com/w3c/webauthn:

== Drop generic client extension processing? ==
This discussion came up in PR #1703. Currently, [§9. WebAuthn Extensions](https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#sctn-extensions) states:

>[...]
>Clients wishing to support the widest possible range of extensions MAY choose to pass through any extensions that they do not recognize to authenticators, generating the [authenticator extension input](https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#authenticator-extension-input) by simply encoding the [client extension input](https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#client-extension-input) in CBOR. [...]

and as such for the spec to be internally consistent, it would be expected that all other parts of the spec should be compatible with this provision.

#1703 proposes adding utilities for decoding [`PublicKeyCredentialCreationOptions`](https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#dictdef-publickeycredentialcreationoptions) and [`PublicKeyCredentialRequestOptions`](https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#dictdef-publickeycredentialrequestoptions) objects from JSON, so RPs don't need to reach deep into the data structures to convert binary values from textual representations before passing them into `navigator.credentials.create()` and `.get()`.

Unfortunately, this seems to be [incompatible with the generic extension pass-through provision](https://github.com/w3c/webauthn/pull/1703#discussion_r845941977), since for unknown extensions there's no way for the client to know which extension input values need to be converted to `BufferSource` values, and JSON has no standardized way to flag binary values.

In practice all clients represented in the working group have chosen to not implement generic extension pass-through, so we're opening for discussion: **Should we keep the generic extension pass-through, or drop it in L3?**

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1730 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Tuesday, 10 May 2022 16:19:18 UTC
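
The incompatibility described in the issue above, as an added example that is not part of the original message, the specification, or PR #1703. The function names, the field registry and the `exampleUnknownExt` extension are hypothetical; `largeBlob.write` is used as the one known binary-valued input, and the sample options are constructed.

```javascript
// Added illustration: a JSON decoder can only convert the binary fields it has a schema for.
// Assumption: binary values travel as base64url strings in the JSON form.
const KNOWN_BINARY_EXTENSION_FIELDS = {
  largeBlob: ["write"], // BufferSource in WebAuthn Level 2
};

function base64urlToBytes(text) {
  const b64 = text.replace(/-/g, "+").replace(/_/g, "/");
  return new Uint8Array(Buffer.from(b64, "base64"));
}

// Hypothetical decoder for a JSON-serialized PublicKeyCredentialRequestOptions.
function decodeRequestOptions(json) {
  const options = { ...json, challenge: base64urlToBytes(json.challenge) };
  const unrecognized = [];
  options.extensions = {};
  for (const [extId, input] of Object.entries(json.extensions ?? {})) {
    const binaryFields = KNOWN_BINARY_EXTENSION_FIELDS[extId];
    if (!binaryFields) {
      // No schema: a base64url string is indistinguishable from ordinary text,
      // so the value is left untouched and the extension is reported.
      unrecognized.push(extId);
      options.extensions[extId] = input;
      continue;
    }
    const decoded = { ...input };
    for (const field of binaryFields) {
      if (typeof input[field] === "string") decoded[field] = base64urlToBytes(input[field]);
    }
    options.extensions[extId] = decoded;
  }
  return { options, unrecognized };
}

// CBOR major type a generic pass-through encoder would choose:
// 2 = byte string, 3 = text string.
function cborMajorType(value) {
  if (value instanceof Uint8Array) return 2;
  if (typeof value === "string") return 3;
  return null;
}

// Constructed sample: the same four bytes sent to a known and an unknown extension.
const SAMPLE = {
  challenge: "AQIDBA",
  extensions: { largeBlob: { write: "3q2-7w" }, exampleUnknownExt: { seed: "3q2-7w" } },
};
```

The same encoded bytes end up as a CBOR byte string for the known extension and as a text string for the unknown one, so an authenticator expecting bytes would receive the wrong type.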