- From: mangoplane via GitHub <sysbot+gh@w3.org>
- Date: Tue, 13 Jun 2023 09:15:09 +0000
- To: public-webauthn@w3.org
Until this gains wider support, this is a recommended WebAuthn flow when given as a service for another origin to use:
Initial registration:
1. Register credential. Open a new browser window that matches the RP origin (e.g. auth.example.com). In this opened window, register the user's authenticator by creating a new credential.
2. Finish by returning some token representing their logged-in session via window.open postMessage.
e.g.
```javascript
// Within auth.example.com
window.opener.postMessage({ type: 'SESSION', token: 'sessionToken' }, 'https://original.example.com');
```
Assertion:
1. Similar to the above, OR an iframe with the `publickey-credentials-get ORIGIN` permission so that you can have the RP cross-origin in a clean iframe.
AFAIK this will work fine, and is secure, particularly if I pass the sessionToken back to the invoking site via a shared secret created with Diffie-Hellman.
This should allow for a fairly effortless migration once the above `publickey-credentials-create` permission for iframes becomes widely supported at the browser level.
Kind regards.
--
GitHub Notification of comment by mangoplane
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1656#issuecomment-1588884177 using your GitHub account
--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Tuesday, 13 June 2023 09:15:11 UTC
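The receiving side of the popup hand-off described in the comment above, as an added example that is not part of the original comment or of the WebAuthn spec: the invoking site opens the RP-origin window, then accepts the `SESSION` message only after checking its origin, its sending window and its shape, and it builds the Permissions-Policy `allow` attribute for the assertion iframe. The origins `auth.example.com` and `original.example.com` and the function names are assumptions.

```javascript
// Assumed origins (constructed for this example).
const AUTH_ORIGIN = 'https://auth.example.com';     // RP origin running WebAuthn
const APP_ORIGIN = 'https://original.example.com';  // invoking site that opened the popup

// Validate one message event from the auth window. Returns the session
// token only when the sender origin, the sending window and the payload
// shape all match; otherwise returns null so the caller ignores the event.
function extractSessionToken(event, expectedOrigin, expectedSource) {
  if (event.origin !== expectedOrigin) return null;                   // wrong origin
  if (expectedSource && event.source !== expectedSource) return null; // not our popup
  const data = event.data;
  if (!data || typeof data !== 'object') return null;                 // not the expected shape
  if (data.type !== 'SESSION') return null;
  if (typeof data.token !== 'string' || data.token === '') return null;
  return data.token;
}

// Build the iframe `allow` attribute for the assertion flow, e.g.
// <iframe src="https://auth.example.com/assert" allow="publickey-credentials-get https://auth.example.com">
function iframeAllowAttribute(rpOrigin) {
  return `publickey-credentials-get ${rpOrigin}`;
}

// Browser-only wiring: open the RP-origin window and resolve with the token
// once a message that passes extractSessionToken arrives. Rejects when the
// popup was blocked so the caller can fall back to a full-page redirect.
function requestSessionToken(authUrl) {
  return new Promise((resolve, reject) => {
    const popup = window.open(authUrl, 'webauthn', 'popup');
    if (!popup) {
      reject(new Error('popup blocked'));
      return;
    }
    function onMessage(event) {
      const token = extractSessionToken(event, AUTH_ORIGIN, popup);
      if (token === null) return; // ignore anything that fails validation
      window.removeEventListener('message', onMessage);
      resolve(token);
    }
    window.addEventListener('message', onMessage);
  });
}
```

The auth window posts with the explicit targetOrigin `APP_ORIGIN` as in the snippet above, so a token is never delivered to a window that has navigated elsewhere.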