Re: [webauthn] Is `hmac-secret` required for `prf` for non-CTAP authenticators (#2285)

I'm using a demo website whose backend is based on my [`webauthn_rp` library](https://docs.rs/webauthn_rp/latest/webauthn_rp/). My library is intentionally strict. One of the things it does is verify that if `prf` is `true`, then `hmac-secret` is `true`. The demo website sends pretty basic JavaScript that manually sends the `PublicKeyCredential` since I don't like how much superfluous data is returned from `toJSON`:

```js
// Hand-built request body sent to the backend instead of cred.toJSON().
// encodeToB64Url is the page's own base64url helper (not shown here).
const body = {
  attestationObject: encodeToB64Url(cred.response.attestationObject),
  authenticatorAttachment: cred.authenticatorAttachment,
  clientDataJSON: encodeToB64Url(cred.response.clientDataJSON),
  clientExtensionResults: cred.getClientExtensionResults(),
  transports: cred.response.getTransports(),
};
```

I'm connecting to this demo website via Safari and using the iPhone's native [Passwords app](https://support.apple.com/en-us/120758). If `hmac-secret` is indeed required as I thought, then there is an issue somewhere. I think the issue would exist with Safari (perhaps in addition to others) since the spec states:

> Set [`enabled`](https://w3c.github.io/webauthn/#dom-authenticationextensionsprfoutputs-enabled) to the value of `hmac-secret` in the authenticator extensions output. If not present, set [`enabled`](https://w3c.github.io/webauthn/#dom-authenticationextensionsprfoutputs-enabled) to `false`.

If there is no `hmac-secret`, then Safari is not following the spec.

-- 
GitHub Notification of comment by zacknewman
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2285#issuecomment-2833653668 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Sunday, 27 April 2025 21:43:54 UTC
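The server-side check the comment describes, as an added example that is not code from the thread or from `webauthn_rp`: parse the authenticator data from the attestation, pull the `hmac-secret` value out of the authenticator extensions, and require that `prf.enabled` in the client extension results implies it. The minimal CBOR decoder and the sample authData are constructed here for the example; the sample is not captured from a real authenticator.

```python
import struct

FLAG_AT, FLAG_ED = 0x40, 0x80  # attested credential data / extension data present


def _cbor_item(buf, i):
    """Decode one CBOR item at offset i -> (value, next_offset).
    Covers only what authData needs: ints, byte/text strings, maps, bools."""
    ib = buf[i]
    major, info = ib >> 5, ib & 0x1F
    i += 1
    if info < 24:
        arg = info
    elif info in (24, 25, 26, 27):
        fmt, size = {24: (">B", 1), 25: (">H", 2), 26: (">I", 4), 27: (">Q", 8)}[info]
        arg = struct.unpack_from(fmt, buf, i)[0]
        i += size
    else:
        raise ValueError("unsupported CBOR additional info")
    if major == 0:
        return arg, i
    if major == 1:
        return -1 - arg, i
    if major in (2, 3):
        val = bytes(buf[i:i + arg])
        return (val if major == 2 else val.decode()), i + arg
    if major == 5:
        m = {}
        for _ in range(arg):
            k, i = _cbor_item(buf, i)
            m[k], i = _cbor_item(buf, i)
        return m, i
    if major == 7 and arg in (20, 21):
        return arg == 21, i
    raise ValueError("unsupported CBOR major type %d" % major)


def authenticator_extensions(auth_data):
    """Return the extensions map from authData, or {} when the ED flag is unset."""
    flags, i = auth_data[32], 37  # rpIdHash (32) + flags (1) + signCount (4)
    if flags & FLAG_AT:
        cred_id_len = struct.unpack_from(">H", auth_data, i + 16)[0]  # after aaguid
        i += 16 + 2 + cred_id_len
        _, i = _cbor_item(auth_data, i)  # skip the COSE credentialPublicKey map
    if not flags & FLAG_ED:
        return {}
    ext, end = _cbor_item(auth_data, i)
    if end != len(auth_data):
        raise ValueError("trailing bytes after extensions")
    return ext


def prf_consistent(auth_data, client_ext_results):
    """Strict rule from the comment: prf.enabled == true requires hmac-secret == true."""
    hmac_secret = authenticator_extensions(auth_data).get("hmac-secret") is True
    prf_enabled = client_ext_results.get("prf", {}).get("enabled") is True
    return hmac_secret or not prf_enabled


def sample_auth_data(with_hmac_secret):
    """Constructed authData: UP|AT flags, a P-256 COSE key, optional {"hmac-secret": true}."""
    flags = 0x01 | FLAG_AT | (FLAG_ED if with_hmac_secret else 0)
    cose_key = (b"\xa5\x01\x02\x03\x26\x20\x01\x21\x58\x20" + b"\x11" * 32
                + b"\x22\x58\x20" + b"\x22" * 32)
    ext = b"\xa1\x6bhmac-secret\xf5" if with_hmac_secret else b""
    return (b"\x00" * 32 + bytes([flags]) + b"\x00\x00\x00\x01" + b"\x00" * 16
            + b"\x00\x10" + b"\xab" * 16 + cose_key + ext)
```

A registration that reports `prf: {enabled: true}` while the authenticator data carries no `hmac-secret` output fails `prf_consistent`, which is the situation the comment describes.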