- From: Ki-Eun Shin via GitHub <sysbot+gh@w3.org>
- Date: Thu, 18 May 2023 08:57:34 +0000
- To: public-webauthn@w3.org

Adding non-null constraints for `userHandle` when allowCredentials is empty is not sufficient. As far as I remember, Safari sometimes returns an empty string for `userHandle`. This breaks some implementations, since the server checks `userHandle` nullity and, if it is not null, the server tries to compare the given `userHandle` and the identified user id from the database.

So, I think it would be better to explicitly indicate that `userHandle` is not **zero-length** if allowCredentials is empty.

Also, there are some [descriptions](https://w3c.github.io/webauthn/#user-handle) about the requirements.

> A user handle is an identifier for a [user account](https://w3c.github.io/webauthn/#user-account), specified by the [Relying Party](https://w3c.github.io/webauthn/#relying-party) as [user](https://w3c.github.io/webauthn/#dom-publickeycredentialcreationoptions-user).[id](https://w3c.github.io/webauthn/#dom-publickeycredentialuserentity-id) during [registration](https://w3c.github.io/webauthn/#registration). [Discoverable credentials](https://w3c.github.io/webauthn/#discoverable-credential) store this identifier and return it as [response](https://w3c.github.io/webauthn/#dom-publickeycredential-response).[userHandle](https://w3c.github.io/webauthn/#dom-authenticatorassertionresponse-userhandle) in [authentication ceremonies](https://w3c.github.io/webauthn/#authentication-ceremony) started with an [empty](https://infra.spec.whatwg.org/#list-empty) [allowCredentials](https://w3c.github.io/webauthn/#dom-publickeycredentialrequestoptions-allowcredentials) argument.

--
GitHub Notification of comment by Kieun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1892#issuecomment-1552750057 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 18 May 2023 08:57:36 UTC
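
An added example, not part of the original message and not taken from the WebAuthn specification or any library: one way a Relying Party server can treat a zero-length `userHandle` the same as an absent one before applying the checks discussed above. The names `normalizeUserHandle`, `checkUserHandle`, `allowCredentialsWasEmpty` and `credentialOwnerId` are hypothetical, and the sample user id in the comments and test is constructed.

```javascript
// Assumption: the client sends userHandle as null, a base64url string,
// or raw bytes (ArrayBuffer / Uint8Array / Buffer).
// Returns a Buffer, or null when the handle is absent OR zero-length.
function normalizeUserHandle(userHandle) {
  if (userHandle === null || userHandle === undefined) return null;
  const bytes = typeof userHandle === 'string'
    ? Buffer.from(userHandle, 'base64url')
    : Buffer.from(userHandle);
  return bytes.length === 0 ? null : bytes;
}

// credentialOwnerId: user handle stored with the credential record that
// the server looked up by the asserted credential id (hypothetical field).
// allowCredentialsWasEmpty: true when the ceremony was started with an
// empty allowCredentials list, so the user is identified by the response.
function checkUserHandle({ userHandle, allowCredentialsWasEmpty, credentialOwnerId }) {
  const handle = normalizeUserHandle(userHandle);
  const owner = Buffer.from(credentialOwnerId);

  if (handle === null) {
    // A null and an empty handle take the same branch, so an empty
    // value is never compared against the stored user id.
    return allowCredentialsWasEmpty
      ? { ok: false, reason: 'userHandle required when allowCredentials is empty' }
      : { ok: true, reason: 'userHandle absent; user was identified before the ceremony' };
  }

  // A non-empty handle must always match the credential's owner.
  return handle.equals(owner)
    ? { ok: true, reason: 'userHandle matches credential owner' }
    : { ok: false, reason: 'userHandle does not match credential owner' };
}
```
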