Re: [webauthn] [Superset] Updating credential metadata and requesting deletion of stale credentials (#1967)

I'll start: You probably don't want to expose all this information before the user is authenticated. This also doesn't work at all when the user isn't yet identified (empty `allowCredentials`, username-less/passkey authentication). This makes it rather useless as an assertion extension, as that would require a second assertion ceremony. And since the RP isn't supposed to need to track state over time, presumably the RP should just always send the extension? So always two assertion ceremonies? That won't work.

So it needs to be something you can call after successful authentication. Maybe a static function on `PublicKeyCredential`?

Or maybe the extension outputs a callback that the RP can invoke after retrieving the right state for the user?

```js
const credential = await navigator.credentials.get({
  publicKey: {
    // ...
    extensions: {
      updateCredentials: true,  // Request that extension outputs include the callback
    },
  },
});

// Finish authentication on backend
const userSession = await finishAuthentication(credential);

credential.getClientExtensionResults().updateCredentials(userSession.updateCredentials);
```


-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1967#issuecomment-1747400525 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 4 October 2023 18:09:35 UTC
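The comment's point is that the RP can only assemble per-user credential state (which credential IDs to relabel, which to ask the authenticator to drop) once it knows who authenticated, which in a username-less ceremony it learns only from the assertion's `userHandle`. The following is an added example, not code from emlun's comment, the WebAuthn spec, or any project: a simulated RP backend that, after verifying an assertion made with empty `allowCredentials`, looks up the user and builds the payload that the comment's hypothetical `updateCredentials(...)` callback would receive. The store contents, credential IDs, the 365-day staleness cutoff, and the shape of the payload are all assumptions made for illustration.

```javascript
// Added example (hypothetical RP-side logic; the updateCredentials extension
// and callback discussed in the thread do not exist in the spec).

const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample store: userHandle -> user record with registered credentials.
// Handles, IDs and timestamps are made up for the example.
function makeSampleStore() {
  return {
    "user-123": {
      username: "alice",
      credentials: [
        { id: "cred-A", displayName: "YubiKey 5", lastUsed: Date.parse("2023-09-30T00:00:00Z") },
        { id: "cred-B", displayName: "Old phone", lastUsed: Date.parse("2021-06-01T00:00:00Z") },
        { id: "cred-C", displayName: "Laptop",    lastUsed: null }, // registered, never used
      ],
    },
  };
}

// Build the per-user payload for the hypothetical callback: credentials the
// authenticator should keep get their current display name pushed; credentials
// unused for more than `staleAfterDays` are requested for deletion. The credential
// that just asserted is always kept, whatever its previous lastUsed. Never-used
// credentials are kept too, since without a registration timestamp the RP cannot
// judge their age from lastUsed alone (assumed policy, not from the thread).
function planCredentialUpdates(user, assertedId, now, staleAfterDays = 365) {
  const cutoff = now - staleAfterDays * DAY_MS;
  const plan = { update: [], delete: [] };
  for (const c of user.credentials) {
    const stale = c.id !== assertedId && c.lastUsed !== null && c.lastUsed < cutoff;
    if (stale) plan.delete.push(c.id);
    else plan.update.push({ id: c.id, displayName: c.displayName });
  }
  return plan;
}

// Simulated backend finish step for an assertion made with empty allowCredentials.
// `assertion` stands in for the already-verified parts of the PublicKeyCredential
// response; signature/challenge/origin verification is assumed to have happened
// before this function is called and is out of scope here.
function finishAuthentication(store, assertion, now) {
  if (assertion.userHandle === undefined) {
    // With no allowCredentials there is no other way to identify the user.
    throw new Error("username-less flow: assertion must carry a userHandle");
  }
  const user = store[assertion.userHandle];
  if (!user) throw new Error("unknown userHandle");
  const used = user.credentials.find((c) => c.id === assertion.credentialId);
  if (!used) throw new Error("credential not registered for this user");
  used.lastUsed = now;
  // Only now, with the user identified, can the RP compute what to send back.
  return {
    userHandle: assertion.userHandle,
    updateCredentials: planCredentialUpdates(user, used.id, now),
  };
}

// Stand-alone run: cred-A asserts on 2023-10-04; cred-B (unused for over a year)
// is marked for deletion, cred-A and cred-C get their display names refreshed.
const demo = finishAuthentication(
  makeSampleStore(),
  { credentialId: "cred-A", userHandle: "user-123" },
  Date.parse("2023-10-04T18:09:35Z"),
);
console.log(JSON.stringify(demo.updateCredentials));
// → {"update":[{"id":"cred-A","displayName":"YubiKey 5"},{"id":"cred-C","displayName":"Laptop"}],"delete":["cred-B"]}
```

In the flow the comment sketches, `demo.updateCredentials` is what the page would pass to `credential.getClientExtensionResults().updateCredentials(...)` after the backend round trip; the example deliberately has no way to produce it before `finishAuthentication` runs, which is the sequencing problem the comment raises.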