Re: [webauthn] Add a way to use webauthn without Javascript (#1255)

> I think it would be better at the HTTP or TLS layer, so that API clients and similar non-browser clients can also use WebAuthn.

Yes, it sounds reasonable. But from an HTML point of view it may require general elements or attributes.
To my taste, the HTML changes must be more declarative, like:
```html
<form method="authenticate" scheme="webauth/1.0" id="login_form">
<configuration type="challenge" scheme="webauthn/1.0" src="/api/auth/webauthn/challenge" />
<configuration type="webauthn/settings:json" scheme="webauthn/1.0">
{
/* some JSON with webauthn options that are acceptable to be rendered at any webauth action */
}
</configuration>
<input type="username" id="username_box" />
<input type="credential/select" scheme="webauthn/1.0" form="login_form" />
</form>
```

Surely, this declarative approach requires some specialized usage of well-known headers like `Authorization` to make sure they can be used by APIs and their native clients like mobile devices and other use cases. Even the browser will have to work like that if that HTML-only approach is used:
```
Authorization: WebAuthn v=1.0;name=value;name2=value2.....
``` 

-- 
GitHub Notification of comment by koteisaev
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1255#issuecomment-1320084421 using your GitHub account


Received on Friday, 18 November 2022 14:41:11 UTC