
Better specify what an unknown type credential descriptor being ignored means

Open nsatragno opened this issue 3 years ago • 3 comments

We use credential descriptors "PublicKeyCredentialDescriptor" for allow lists & exclude lists. The spec says

> [...]client platforms MUST ignore any PublicKeyCredentialDescriptor with an unknown type.

There's no further specification for unknown types. If we follow the spec to the letter, a possible interpretation ends up with:

```js
navigator.credentials.get({
  publicKey: {
    allowCredentials: [{type: "not-yet-supported-by-browser", id: <id>}],
  }
});
```

Resulting in an empty allowCredentials request, which is definitely not what the RP intended. I think we should immediately return NotAllowedError in this case, based on prior text:

> If issuedRequests is empty, options.allowCredentials is not empty, and no authenticator will become available for any public key credentials therein, Indicate to the user that no eligible credential could be found. When the user acknowledges the dialog, throw a "NotAllowedError" DOMException.

This is not a problem for excludeCredentials, since in that case the browser will simply discard the unknown credential type.

nsatragno, Jun 17 '22 16:06

This is a good analysis, I agree with this :)

Firstyear, Jun 20 '22 01:06

Interesting point. I agree that implicitly falling back to behaving as if allowCredentials were empty is clearly not what the RP intended, since that entails username-less authentication, but I also think that similar to #1738, ignoring unknown values is needed for forward compatibility.

Maybe we can change the requirement to be that "client platforms MUST ignore any PublicKeyCredentialDescriptor with an unknown type, treating the item as if it was not present" but if this results in an empty allowCredentials, then throw an error? In that case we would need to move the requirement from the PublicKeyCredentialDescriptor definition to the definitions of excludeCredentials and allowCredentials (and/or maybe the create() and get() operations).

emlun, Jun 20 '22 19:06
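The rule proposed in the comment above, modelled as an added example (not part of the thread, the spec text, or any browser's code): descriptors with an unknown type are dropped, an allow list that was non-empty but filters down to nothing is rejected, and an exclude list is only filtered. The function names and sample descriptors are hypothetical, and the user-facing dialog the spec describes before the error is omitted.

```javascript
// Added illustration; function names are hypothetical.
const KNOWN_TYPES = new Set(["public-key"]); // the only type WebAuthn defines today

function notAllowed(message) {
  // Browsers throw a DOMException; fall back to Error where it is unavailable.
  if (typeof DOMException === "function") {
    return new DOMException(message, "NotAllowedError");
  }
  const err = new Error(message);
  err.name = "NotAllowedError";
  return err;
}

// Drop descriptors whose type the client does not recognise,
// treating each such item as if it were not present.
function filterDescriptors(list) {
  return (list ?? []).filter((d) => KNOWN_TYPES.has(d.type));
}

// get(): a non-empty allow list that filters down to nothing must not
// silently turn into a request with an empty allowCredentials.
function effectiveAllowCredentials(options) {
  const requested = options.allowCredentials ?? [];
  const usable = filterDescriptors(requested);
  if (requested.length > 0 && usable.length === 0) {
    throw notAllowed("no descriptor in allowCredentials has a known type");
  }
  return usable;
}

// create(): unknown types in the exclude list are simply discarded.
function effectiveExcludeCredentials(options) {
  return filterDescriptors(options.excludeCredentials);
}

// Constructed sample descriptors.
const sampleId = new Uint8Array([1, 2, 3, 4]);
const futureDescriptor = { type: "not-yet-supported-by-browser", id: sampleId };
const knownDescriptor = { type: "public-key", id: sampleId };
```

An RP that omits allowCredentials entirely still gets an empty list back, so only the "non-empty before filtering, empty after" case is rejected.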

> I also think that similar to https://github.com/w3c/webauthn/issues/1738, ignoring unknown values is needed for forward compatibility.

Yes, this came up when fixing that issue on Chrome.

> Maybe we can change the requirement to be that "client platforms MUST ignore any PublicKeyCredentialDescriptor with an unknown type, treating the item as if it was not present" but if this results in an empty allowCredentials, then throw an error?

Agreed.

nsatragno, Jun 21 '22 15:06

Addressed in #1971

agl, Jan 03 '24 19:01