Re: [webauthn] Disallow empty strings (#2073) from Emil Lundberg via GitHub on 2024-05-27 (public-webauthn@w3.org from May 2024)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Mon, 27 May 2024 11:32:13 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-2133282200-1716809530-sysbot+gh@w3.org>

> @emlun, would you be willing to create a PR making `displayName` and `name` optional in the IDL?

We can't trivially declare `name` as `optional` in the WebIDL because it's inherited from [`PublicKeyCredentialEntity`](https://w3c.github.io/webauthn/#dictdef-publickeycredentialentity) and represents both `rp.name` and `user.name`. So we can't declare `user.name` as `optional` without doing the same with `rp.name`. Which perhaps we could, but we haven't decided to do that as of now.

Also, I think it's a bad idea to make both `name` and `displayName` optional. This was discussed at length in [issue #1915](https://github.com/w3c/webauthn/issues/1915#issuecomment-1617744129).

> Also, we can't make it `optional` without leaving a trap for sites which will then break with all clients that haven't been updated with that.

Oh right, this is also a very good point. In fact we had already come to this same conclusion in #2024.

> Merely amending the spec to explicitly state that Nickname enforcement SHOULD be done by both RPs and clients for _non-empty strings_ is fine with me.

This sounds like a reasonable compromise to me. The background for why the PRECIS enforcement was added is in https://github.com/w3c/webauthn/issues/593#issuecomment-369402225 and I think most of that probably still applies, so I don't think we should drop it completely.

On the other hand there is https://github.com/w3c/webauthn/issues/2068#issuecomment-2119839162:

> OpenID Connect also forbids empty strings as claim values in an attempt to preempt some interop problems. There, https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse says:
> 
> > If a Claim is not returned, that Claim Name SHOULD be omitted from the JSON object representing the Claims; it SHOULD NOT be present with a null or empty string value.
> 
> We should do likewise.

But I think this probably overrules still:

> If the value can't be empty, what should sites who don't have a value set it to?

If it can't be optional or nullable, then I guess empty string is the second best alternative?

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/2073#issuecomment-2133282200 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 27 May 2024 11:32:14 UTC