Re: [webauthn] Allow Conditional Mediation without autofill (#2144)

_RP perspective_: Agreed @nsatragno, and I'll add that a new mediation option is going to add a lot of complexity on the implementing site side as well - more feature detection and conditionally setting the value based on the results (which could expand to the backend depending on setup, not just pure client code). It would be really easy to break an auth flow if you don't get it just right.

Adding a field into the PK dictionary seems sensible - though I'll suggest making it an array of preferences rather than a single value, and browsers should use the first supported entry, and fall back to their current behavior (based on `mediation`) on no match. This is similar to several other hints.

E.g. you might want to express "use autofill if the correct input element exists, otherwise show the ambient display" (or vice-versa):
```js
{
  "rp": {
    "id": "example.com",
  },
  "display": ["autofill", "ambient"], // "modal" too?
  // ...
}
```

While I doubt there are a whole lot of other potential UIs to consider, if others _are_ added in the future, you can safely add the value in the list and not worry about breaking other flows in browsers that don't yet support it.

It _might_ also be worth going down the list-of-objects path here (instead of list-of-strings) in case there are display customizations that these could support: `display: [{"mode": "ambient", "background": "#001122"}, {"mode": "autofill"}]`. I'm not personally a huge fan of these types of customizations, but I've had to reinvent a _lot_ of wheels over my career to support them anyway - so getting ahead of it structurally might be worth considering.

For what it's worth, I also like @MasterKale's suggestion of "just leave off the autocomplete details and let the browser decide", which is delightfully simple on the RP side (but yes, data races).

-- 
GitHub Notification of comment by Firehed
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2144#issuecomment-2344249519 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 11 September 2024 17:13:59 UTC
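
The first-supported-entry fallback proposed in the comment above, sketched as an added example (not part of the original comment, the WebAuthn spec, or any browser). The `display` field, the mode names, the `resolveDisplay` function and the `env` capability object are all hypothetical.

```javascript
// Hypothetical sketch: `display` is the field proposed in the comment, not
// part of the WebAuthn API. `env` stands in for what a browser knows about
// itself and the page; its property names are assumptions.
function resolveDisplay(requestOptions, env) {
  const publicKey = requestOptions.publicKey || {};
  const prefs = Array.isArray(publicKey.display) ? publicKey.display : [];

  for (const entry of prefs) {
    // Accept both proposed shapes: "ambient" or { mode: "ambient", ... }.
    const mode = typeof entry === "string" ? entry : entry && entry.mode;
    if (typeof mode !== "string") continue;            // malformed entry
    if (!env.supportedModes.includes(mode)) continue;  // unknown to this browser
    // Autofill only works if the page has a suitable input, e.g. one with
    // autocomplete="username webauthn".
    if (mode === "autofill" && !env.hasWebauthnInput) continue;

    const settings = typeof entry === "object" ? entry : {};
    return { source: "display", ...settings, mode };
  }

  // No usable entry: keep today's behaviour, driven by `mediation`.
  return { source: "mediation", mediation: requestOptions.mediation || "optional" };
}

// Constructed sample request, modelled on the snippet in the comment.
const sampleRequest = {
  mediation: "conditional",
  publicKey: {
    display: [{ mode: "future-ui" }, "autofill", { mode: "ambient", background: "#001122" }],
  },
};

// Constructed browser state: knows both modes, but the page has no suitable input.
const browserWithoutInput = { supportedModes: ["autofill", "ambient"], hasWebauthnInput: false };
console.log(resolveDisplay(sampleRequest, browserWithoutInput));
```

An entry the browser does not recognise (`future-ui` here) is skipped rather than rejected, which is what lets an RP list a newer mode first without breaking the flow in older browsers.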