Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add mediation to PublicKeyCredentialJSON #2124

Closed
zacknewman opened this issue Aug 16, 2024 · 2 comments
Closed

Add mediation to PublicKeyCredentialJSON #2124

zacknewman opened this issue Aug 16, 2024 · 2 comments
Labels
type:technical

Comments

@zacknewman
Copy link
Contributor

zacknewman commented Aug 16, 2024
edited
Loading

WebAuthn Relying Party Operations states (emphasis added):

Upon successful execution of create() or get(), the Relying Party's script receives a PublicKeyCredential containing an AuthenticatorAttestationResponse or AuthenticatorAssertionResponse structure, respectively, from the client. It must then deliver the contents of this structure to the Relying Party server, using methods outside the scope of this specification. This section describes the operations that the Relying Party must perform upon receipt of these structures.

Based on this description, I interpret that the expectation is for the server to perform all of the necessary validation. Step 14 of Registering a New Credential cannot be performed without CredentialCreationOptions.mediation:

  1. Verify that the UP bit of the flags in authData is set, unless options.mediation is set to conditional.

Either mediation should be added to RegistrationResponseJSON and AuthenticatorAssertionResponseJSON so that the ceremony has a defined way of receiving this value, or it should be part of PublicKeyCredentialCreationOptions and PublicKeyCredentialRequestOptions so the server has the value already upon receiving PublicKeyCredentialJSON. I realize adding to the PublicKeyCredentialCreationOptions and PublicKeyCredentialRequestOptions is somewhat silly since mediation is already part of CredentialCreationOptions which PublicKeyCredentialCreationOptions is also part via publicKey.

The point of the JSON types is having a defined way for the server to send and receive all necessary information to perform the registration and authentication ceremony criteria, correct? Without this, there is still necessary information missing which sort of defeats the purpose for the JSON types since clients and servers will be forced to come up with their own mechanism and not rely on a standardized way.

Does it make sense to create CredentialCreationOptionsJSON and CredentialRequestOptionsJSON types?

* Note step 14 is technically incorrect since mediation is not a key of PublicKeyCredentialCreationOptions (see #2122).
@BlingBling43

This comment was marked as off-topic.

Sign in to view
@emlun
Copy link
Member

emlun commented Aug 19, 2024

Step 1 of Registering a New Credential reads:

  1. Let options be a new PublicKeyCredentialCreationOptions structure configured to the Relying Party's needs for the ceremony.

Indeed this is currently a bit obscured due to the inconsistency you note in the footnote (#2122), but PR #2125 would correct this to:

  1. Let options be a new CredentialCreationOptions structure configured to the Relying Party's needs for the ceremony. Let pkOptions be options.publicKey.

So the RP should already know the value of options.mediation, because it was one of the input arguments the RP set at the beginning of the procedure. There is no need to feed it back to the RP in the output types.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type:technical
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@emlun @zacknewman @BlingBling43