Re: [webauthn] Need to have authenticator-only extensions (#2331)

[WebAuthn Level 2](https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#sctn-extensions) had a provision for this (though optional):

>Clients wishing to support the widest possible range of extensions MAY choose to pass through any extensions that they do not recognize to authenticators, generating the [authenticator extension input](https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#authenticator-extension-input) by simply encoding the [client extension input](https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#client-extension-input) in CBOR. All [WebAuthn Extensions](https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#webauthn-extensions) MUST be defined in such a way that this implementation choice does not endanger the user’s security or privacy.

We dropped this in #1737 after discussions in #1730 and #1703 in order to make way for the new `fromJSON` methods, since no client in practice had implemented this generic pass-through.

Unfortunately I think this and the `fromJSON` methods mutually exclude each other, since there's no feasible way for clients to know which string inputs need to be converted to `BufferSource` for unknown extensions. As much as I agree with the proposal, I don't think there's any chance of reversing direction on this since RPs are already starting to depend on the `fromJSON` methods.

And even though it also [makes my own job harder](https://github.com/YubicoLabs/firefox-webauthn-sign-ext/), I think it's actually better in the end for the Web that there's a fairly steep barrier to entry for deploying extensions. We've decided against many popularly requested features (see for example #1688 and many similar discussions) for the sake of not fragmenting the ecosystem with compliant-but-incompatible implementations, and a proliferation of extensions would encourage _more_ fragmentation as RPs grow to rely on extensions supported only by some authenticators.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2331#issuecomment-3200414470 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 19 August 2025 11:45:13 UTC
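The conflict emlun describes can be shown concretely. The following is an added illustration, not code from the w3c/webauthn thread, from any browser, or from the Yubico extension project linked above. It models the Level 2 pass-through rule (authenticator extension input = client extension input encoded as CBOR) next to a `fromJSON`-style converter that turns base64url strings into `BufferSource` only for extensions whose schema it knows. `KNOWN_BINARY_FIELDS`, `extensionsFromJSON`, `cborEncode`, `authenticatorExtensionInputHex` and the `exampleExt` extension are all hypothetical; the `prf` entry is modelled on that extension's JSON form but is an assumption here. The input map and its values are constructed for the demo.

```javascript
// Added illustration: why a generic extension pass-through conflicts with
// parse*FromJSON. Names and the "exampleExt" extension are hypothetical.
//
// In JSON form, binary extension inputs travel as base64url strings. A client
// can only restore BufferSource values where it knows, per extension, which
// fields are binary. For an unknown extension it must leave every string as a
// string, so the CBOR it would pass through to the authenticator carries a
// text string where the authenticator expects a byte string.

// Per-extension list of binary fields as dotted paths. "prf" is modelled on
// the real prf extension's JSON form (assumption); nothing is known about
// extensions that are not listed here.
const KNOWN_BINARY_FIELDS = {
  prf: ["eval.first", "eval.second"],
};

function fromBase64url(s) {
  return new Uint8Array(Buffer.from(s, "base64url"));
}

// Copy `extJson`, converting base64url strings to Uint8Array only where the
// schema says a field is binary. Unknown extensions are copied unchanged,
// which is the only safe choice a schema-less client has.
function extensionsFromJSON(extJson, schema = KNOWN_BINARY_FIELDS) {
  const out = {};
  for (const [ext, input] of Object.entries(extJson)) {
    out[ext] = JSON.parse(JSON.stringify(input)); // plain JSON, deep copy
    for (const path of schema[ext] ?? []) {
      const keys = path.split(".");
      let node = out[ext];
      for (const k of keys.slice(0, -1)) node = node?.[k];
      const last = keys[keys.length - 1];
      if (node && typeof node[last] === "string") node[last] = fromBase64url(node[last]);
    }
  }
  return out;
}

// Minimal CBOR encoder (RFC 8949) covering only what this demo needs: major
// types 0, 2, 3, 4, 5 and the booleans. Map keys keep insertion order; a real
// CTAP client would apply canonical ordering.
function cborHead(major, n) {
  if (n < 24) return [(major << 5) | n];
  if (n < 0x100) return [(major << 5) | 24, n];
  if (n < 0x10000) return [(major << 5) | 25, n >> 8, n & 0xff];
  throw new RangeError("length not supported by this toy encoder");
}

function cborEncode(v, out = []) {
  if (v instanceof Uint8Array) {
    out.push(...cborHead(2, v.length), ...v);            // byte string
  } else if (typeof v === "string") {
    const b = new TextEncoder().encode(v);
    out.push(...cborHead(3, b.length), ...b);            // text string
  } else if (typeof v === "number" && Number.isInteger(v) && v >= 0) {
    out.push(...cborHead(0, v));                         // unsigned int
  } else if (typeof v === "boolean") {
    out.push(v ? 0xf5 : 0xf4);
  } else if (Array.isArray(v)) {
    out.push(...cborHead(4, v.length));
    for (const x of v) cborEncode(x, out);
  } else if (v && typeof v === "object") {
    const entries = Object.entries(v);
    out.push(...cborHead(5, entries.length));
    for (const [k, x] of entries) { cborEncode(k, out); cborEncode(x, out); }
  } else {
    throw new TypeError(`unsupported value: ${v}`);
  }
  return out;
}

// The Level 2 pass-through rule, applied to the whole extensions map:
// authenticator extension input is just the client extension input in CBOR.
function authenticatorExtensionInputHex(extJson, schema = KNOWN_BINARY_FIELDS) {
  return Buffer.from(cborEncode(extensionsFromJSON(extJson, schema))).toString("hex");
}

// Constructed RP input in JSON form: one known extension and one hypothetical
// unknown one. Both "AQID" fields are really the bytes 01 02 03.
const RP_EXTENSIONS_JSON = {
  prf: { eval: { first: "AQID" } },
  exampleExt: { salt: "AQID" },
};

// What the authenticator would actually need: a schema that also knows
// exampleExt.salt is binary. A real client has no way to obtain this.
const WITH_FULL_SCHEMA = { ...KNOWN_BINARY_FIELDS, exampleExt: ["salt"] };

console.log("client knows prf only  :", authenticatorExtensionInputHex(RP_EXTENSIONS_JSON));
console.log("client knew salt too   :", authenticatorExtensionInputHex(RP_EXTENSIONS_JSON, WITH_FULL_SCHEMA));
```

The two hex outputs agree byte for byte up to the `salt` value: with the known schema it is passed through as the CBOR text string `64 41 51 49 44` ("AQID"), whereas the authenticator would have needed the byte string `43 01 02 03`. The `prf` field, whose schema the client knows, is converted correctly in both runs. That difference is exactly what no generic `fromJSON` path can resolve for an extension it has never heard of.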