Re: [webauthn] 16.2. ES256 Credential with No Attestation test vector misses extraData content (#2345)

> Hi! Just to help me understand what problem you're facing: are you implementing an authenticator (which signs the hash of `clientDataJSON`), a client (which constructs `clientDataJSON`) or a Relying Party (which validates `clientDataJSON` and verifies the signature over it)?
> 
> The `"extraData"` field is included in some of the test vectors (decided pseudo-randomly) in order to discourage RPs from matching `clientDataJSON` against an exhaustive template, since that would be forward-incompatible in case fields are added in the future. This mimics Google Chrome's behaviour of randomly adding `"extra_keys_may_be_added_here":"do not compare clientDataJSON against a template. See https://goo.gl/yabPex"` to `clientDataJSON`. These `"extraData"` and `"extra_keys_may_be_added_here"` fields do not need to be processed by authenticators or RPs, apart from them being part of the data that is cryptographically signed.
> 
> Thus, if you are implementing an authenticator or an RP, you do not need to worry about how the `"extraData"` value in the test vectors is constructed. Your tests can simply copy the `clientDataJSON` value from the test vector into your test suite.
> 
> If you are implementing a client and wish to reproduce `clientDataJSON` exactly to validate your implementation, then yes, you would need to include `"extraData"` to get an exact match. As you can see in the code you pointed out, the value is a constant prefix followed by the base64url encoding of the `extra_client_data` value listed in the test vector set. Note that the test vector set lists `extra_client_data` in hexadecimal form rather than base64url, so it appears different than in `clientDataJSON`, but it's the same binary data.
> 
> Does that help?

Thanks for the quick response.
I have implemented a software authenticator, so I was doing both: constructing the `clientDataJSON` and doing other stuff down the line, like creating the signature. You are correct that I could have hard-coded the value; however, as I was writing a test which constructs everything from the test vector input (doing encoding where needed, etc.), I had a problem finding out how to construct exactly the same `clientDataJSON` that would match the test vector. I found out by decoding it instead.

It's more of an enhancement/clarification for first comers to the test vectors to mention there is some data included.


-- 
GitHub Notification of comment by viralpoetry
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2345#issuecomment-3427566215 using your GitHub account



Received on Tuesday, 21 October 2025 16:31:12 UTC
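The point made in the quoted reply, as an added example that is not part of the original message or of the WebAuthn test-vector code: a template comparison of `clientDataJSON` breaks as soon as an extra member such as `"extraData"` appears, while a field-by-field check still passes, and the hex form of the extra data maps to the same bytes as its base64url form. The challenge, origin, hex value and `EXTRA_PREFIX` string are constructed placeholders (the real prefix is not given in this thread), and the function names are hypothetical.

```javascript
// Added example. All sample values are constructed, not taken from the spec's test vectors.
const EXTRA_PREFIX = "PLACEHOLDER_PREFIX:"; // assumption: stands in for the real constant prefix
const KNOWN = new Set(["type", "challenge", "origin", "crossOrigin", "topOrigin"]);

// Hex -> unpadded base64url: same binary data, different text encoding.
function hexToBase64url(hex) {
  if (!/^(?:[0-9a-fA-F]{2})*$/.test(hex)) throw new Error("invalid hex");
  return Buffer.from(hex, "hex").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Client role (test harness): serialize clientDataJSON, optionally with the extra member.
function buildClientDataJSON({ type, challenge, origin, extraHex }) {
  const data = { type, challenge, origin, crossOrigin: false };
  if (extraHex !== undefined) data.extraData = EXTRA_PREFIX + hexToBase64url(extraHex);
  return Buffer.from(JSON.stringify(data), "utf8");
}

// Brittle RP check: compares the whole document against an exhaustive template.
function templateMatch(clientDataBytes, expected) {
  const template = JSON.stringify({
    type: expected.type, challenge: expected.challenge,
    origin: expected.origin, crossOrigin: false,
  });
  return clientDataBytes.toString("utf8") === template;
}

// Forward-compatible RP check: validate only the members the RP relies on and
// ignore unknown ones. The signature check (not shown) must still use the raw
// bytes exactly as received, never a re-serialized copy.
function verifyClientData(clientDataBytes, expected) {
  let c;
  try { c = JSON.parse(clientDataBytes.toString("utf8")); }
  catch { return { ok: false, reason: "not valid JSON" }; }
  if (c === null || typeof c !== "object" || Array.isArray(c)) {
    return { ok: false, reason: "not a JSON object" };
  }
  for (const field of ["type", "challenge", "origin"]) {
    if (c[field] !== expected[field]) return { ok: false, reason: field + " mismatch" };
  }
  return { ok: true, ignored: Object.keys(c).filter((k) => !KNOWN.has(k)) };
}
```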