[webauthn] Clarify browser behavior when an authenticator returns the equivalent of "InvalidStateError" (#1888)

arnar has just created a new issue for https://github.com/w3c/webauthn:

== Clarify browser behavior when an authenticator returns the equivalent of "InvalidStateError" ==
In the CreateCredential algorithm, [step 20](https://w3c.github.io/webauthn/#CreateCred-async-loop) says that if any authenticator returns an equivalent of "InvalidStateError", the browser should cancel any other outstanding authenticator requests and return ISE back to the caller. (Note that the authenticator steps for create say that an authenticator must collect user consent for the create before returning an ISE for a match on the excludeList.)

This makes sense, because it is reasonable for an RP to want to treat this case as success: The user asked to create a credential, then they selected and approved creation on a specific authenticator, but the authenticator they selected already had a credential. That means they are already in the state they were trying to get into. E.g. google.com renders a message here saying roughly "You're all set on this device."

However, some clients currently don't immediately return an ISE in this case, but rather either a) render an error message saying that a credential already existed on this authenticator, and offer the user to return to start and try again with a different authenticator, or b) fall back to an alternative transport.

Chromium does the former, showing a dialog with a "try again" CTA; and Windows Hello does the latter: E.g. if a platform credential is found to be a match on the excludeList (after collecting the PIN), it falls back to "Insert your Security Key now" instead of returning.

We'd like to propose setting a norm that aligns the behaviors with the language in the spec, and possibly adding a justification with an appropriately placed note in the spec.

## Proposed Change

Add a note, e.g. following [this note](https://github.com/w3c/webauthn/blob/748eea045a18a2ecad384df20c84f5c7ac33303a/index.bs#L2071), stating that an immediate ISE should be returned rather than retrying other authenticators, so that RPs can choose whether it is handled as success or by offering the user to try other authenticators.


Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1888 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 5 May 2023 21:57:42 UTC
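An added example, not code from the issue, the WebAuthn spec or any browser, of the RP-side handling the proposal is meant to enable: the RP passes its existing credential ids in `excludeCredentials`, treats an immediate `InvalidStateError` as "already registered on this authenticator", and keeps the choice of offering another authenticator to itself. `buildCreationOptions`, `registerCredential`, `fakeCreate` and the string credential ids/challenge are assumptions and constructed stand-ins (real ids and challenges are BufferSources).

```javascript
// Constructed sample: creation options carrying the user's existing credential ids
// in excludeCredentials. Strings stand in for the ArrayBuffers a real RP would use.
function buildCreationOptions(challenge, userId, existingCredentialIds) {
  return {
    publicKey: {
      rp: { name: "Example RP" },
      user: { id: userId, name: "alice@example.com", displayName: "Alice" },
      challenge,
      pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }],
      // An authenticator that already holds one of these must (after collecting
      // consent) return the equivalent of InvalidStateError.
      excludeCredentials: existingCredentialIds.map((id) => ({ type: "public-key", id })),
      authenticatorSelection: { userVerification: "preferred" },
    },
  };
}

// Classify the outcome of a create() call. createFn is injected so the logic runs
// outside a browser; in a browser pass (o) => navigator.credentials.create(o).
async function registerCredential(createFn, options) {
  try {
    const credential = await createFn(options);
    return { status: "registered", credential };
  } catch (err) {
    // The authenticator the user chose and consented on is on the exclude list:
    // the user is already in the state they asked for, so the RP may report success.
    if (err && err.name === "InvalidStateError") {
      return { status: "already-registered", credential: null };
    }
    // NotAllowedError covers user cancellation or timeout; the RP decides whether
    // to offer a retry with another authenticator.
    if (err && err.name === "NotAllowedError") {
      return { status: "cancelled", credential: null };
    }
    throw err;
  }
}

// Constructed stand-in for a client that follows step 20: it rejects with
// InvalidStateError as soon as the selected authenticator matches excludeCredentials.
function fakeCreate(authenticatorCredentialId) {
  return async (options) => {
    const excluded = options.publicKey.excludeCredentials.map((c) => c.id);
    if (excluded.includes(authenticatorCredentialId)) {
      const e = new Error("credential already exists on this authenticator");
      e.name = "InvalidStateError";
      throw e;
    }
    return { id: "new-cred", type: "public-key" };
  };
}
```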