- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Wed, 28 Jun 2023 07:42:41 +0000
- To: public-webauthn@w3.org
@arianvp also notes in https://github.com/w3c/webauthn/issues/1909#issuecomment-1610131343 :

> The spec also says:
>
> > [Discoverable credentials](https://w3c.github.io/webauthn/#discoverable-credential) store this identifier and return it as [response](https://w3c.github.io/webauthn/#dom-publickeycredential-response).[userHandle](https://w3c.github.io/webauthn/#dom-authenticatorassertionresponse-userhandle) in [authentication ceremonies](https://w3c.github.io/webauthn/#authentication-ceremony) started with an [empty](https://infra.spec.whatwg.org/#list-empty) [allowCredentials](https://w3c.github.io/webauthn/#dom-publickeycredentialrequestoptions-allowcredentials) argument.
>
> Which kind of implies that a Discoverable credential should return `userHandle`
>
> It makes sense that it is non-required in the `authenticatorAssertionResponse` as non-discoverable credentials can not return a `userHandle`
>
> We can make the spec more clear maybe. But I think "Discoverable Credentials return `userHandle` when `allowedCredentials` is empty" is something that the spec currently (kind of in a round-about way) mandates

So it looks like there's a slight mismatch between the [User Handle definition](https://w3c.github.io/webauthn/#user-handle) (which says it's required) and the formal authenticatorGetAssertion algorithm (which doesn't explicitly say it's required).

--
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1892#issuecomment-1610926289 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 28 June 2023 07:42:43 UTC
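
Added example, not part of the original message or of the WebAuthn specification text: a relying-party-side check that treats a missing `userHandle` as a failure when the ceremony was started with an empty `allowCredentials`, the case discussed in the message above. The store layout, the function names, the reason strings and the use of plain id strings in `allowCredentials` are assumptions made for illustration; signature verification is a separate step and is not shown.

```javascript
// Hypothetical relying-party helper: decide which user an assertion belongs to.
// Sample data below is constructed for this example.
const bytesEqual = (a, b) =>
  a.length === b.length && a.every((v, i) => v === b[i]);

// Credential records as saved at registration time (constructed sample).
const sampleStore = new Map([
  ["cred-A", { userHandle: new Uint8Array([1, 2, 3, 4]) }],
]);

function resolveUser({ allowCredentials, identifiedUserHandle, assertion, store }) {
  const record = store.get(assertion.id);
  if (!record) return { ok: false, reason: "unknown-credential" };

  // In the browser userHandle is an ArrayBuffer or null; treat empty as absent.
  const raw = assertion.response.userHandle;
  const handle = raw && raw.byteLength > 0 ? new Uint8Array(raw) : null;

  if (!allowCredentials || allowCredentials.length === 0) {
    // No user was identified up front, so the server has nothing else to
    // bind the credential to: an absent handle is a hard failure.
    if (!handle) return { ok: false, reason: "missing-user-handle" };
    if (!bytesEqual(handle, record.userHandle))
      return { ok: false, reason: "user-handle-mismatch" };
    return { ok: true, userHandle: record.userHandle };
  }

  // User was identified before the ceremony: the credential must be one we
  // asked for and must belong to that user. userHandle may be absent here
  // (non-discoverable credentials cannot return one), but if present it
  // still has to match.
  if (!allowCredentials.includes(assertion.id))
    return { ok: false, reason: "credential-not-allowed" };
  if (!bytesEqual(identifiedUserHandle, record.userHandle))
    return { ok: false, reason: "wrong-owner" };
  if (handle && !bytesEqual(handle, record.userHandle))
    return { ok: false, reason: "user-handle-mismatch" };
  return { ok: true, userHandle: record.userHandle };
}
```
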