Re: [webauthn] Clarify browser behavior when an authenticators return equivalent of "InvalidStateError" (#1888)

I think I agree with @MasterKale. I would put the ask as:

- If the user cancels out of the ceremony, and _at no point during that ceremony_ the user attempted to use an authenticator that matched `excludeCredentials`, then return `NotAllowedError`.
- If the user cancels out of the ceremony, but _at some point during that ceremony_ the user attempted to use an authenticator that matched `excludeCredentials` (even if the user afterwards clicked a retry option and, for example, attempted to use hybrid but failed), then return `InvalidStateError`.

Does that match up with what you're saying, @MasterKale?

(I currently have no opinion on whether the browser should offer a retry option or should always return on first failure.)

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1888#issuecomment-1554327184 using your GitHub account


Received on Friday, 19 May 2023 09:57:21 UTC