- From: Paul Wise via GitHub <sysbot+gh@w3.org>
- Date: Sat, 19 Nov 2022 23:54:08 +0000
- To: public-webauthn@w3.org
The issues with basic auth and TLS client certs are browser UI issues that should be fixed by browser vendors. Web devs need to put pressure on those vendors to have better support for browser-native auth flows. I filed a bug with Mozilla about that for TLS client certs a while ago, but there hasn't been any movement; not sure how to change that, hopefully someone here has some contacts. The current UI for those is inexcusably bad and it is incredible how long this has persisted.

The basic auth and TLS client cert protocols definitely support logout (just don't send the basic auth HTTP header or TLS auth extensions), so lack of logout is again a browser UI issue that should get fixed.

I was thinking that after a user logs in with the HTTP/TLS-based WebAuthn protocol, the website would map their WebAuthn credential to the appropriate username/etc., or if none exists on the service, then the website would return the account registration flow, including creating a user and registering their WebAuthn credential to that user. The website itself wouldn't have any logout functionality; that would be provided solely by the browser UI.

WebAuthn definitely belongs in HTTP or TLS, not anywhere else. Using WebAuthn on a server would ensure that the API access credential can never get duplicated if the server ever gets compromised, when the credential is just using a USB WebAuthn device. This is highly desirable in some environments. HTTP tokens can leak from the remote service or get duplicated during hacks or be sent in the clear etc.

I still think the best way to do WebAuthn without JavaScript is to add it to both the HTTP and TLS layers. The HTTP layer so web app authors can work around web servers they don't control. The TLS layer so that auth can be checked on TLS forwarders/load balancers and web servers.
-- 
bye,
pabs

https://bonedaddy.net/pabs3/

GitHub Notification of comment by pabs3: https://github.com/w3c/webauthn/issues/1255#issuecomment-1320994468
Received on Saturday, 19 November 2022 23:54:10 UTC