Open Bug 1384776 Opened 2 years ago Updated 6 months ago

[meta] Update WebAuthn JS API to the L1-REC spec

Categories: Core :: DOM: Web Authentication, enhancement, P2

Tracking: Future
Tracking Status:
firefox57 --- disabled
firefox58 --- fix-optional

People: Reporter: jcj, Assigned: jcj

References: Depends on 1 open bug, Blocks 1 open bug

Details: Keywords: meta, Whiteboard: [webauthn] [webauthn-interop]

There are some normative changes between WD-05 and WD-06 (renames, mostly), which we need to target for Firefox 57. 

Known things are:

* RP ID changes from an origin type to a domain string type
** Code, landed already in a backwards-compatible way and tested in Bug 1329764.

* CollectedClientData’s “origin” field changes from the RP ID to the caller’s origin
** Code, will need to be added

* RP ID scope must be https, and must match all TCP ports
** Already enforced by existing Gecko methods, but we should add tests, in Bug 1382893

* Most of the WebIDL uses [SameObject] now
** Tackled in Bug 1382888

* Renames:
** In PublicKeyCredentialParameters object, “algorithm” is renamed to “alg”
** In MakeCredentialOptions object, “excludeList” is renamed to “excludeCredentials”
** In CollectedClientData object, “hashAlg” is renamed to “hashAlgorithm”
** In CollectedClientData object, “tokenBinding” is renamed to “tokenBindingId”
** In PublicKeyCredentialRequestOptions object, “allowList” is renamed to “allowCredentials”
** In AuthenticatorSelectionCriteria object, “Attachment” is renamed to “AuthenticatorAttachment”
** In PublicKeyCredentialDescriptor object, “Transport” is renamed to “AuthenticatorTransport”

There are likely to be a few more based on outstanding work before WD-06 closes out, but all remaining changes are renames.
Depends on: 1385008
See Also: → 1385008
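
Added example, not part of the bug report or of Gecko's code: a relying-party-side check of CollectedClientData that tolerates both spellings of the renamed fields and treats "origin" as the caller's https origin, on any port, within the RP ID. The function names and sample values are assumptions made for illustration, and the subdomain test is a simplification that does not consult the public suffix list.

```javascript
// Added example. Field names come from the rename list above; the function
// names and any sample values are assumptions made for this illustration.
const RENAMED_FIELDS = new Map([
  ["hashAlg", "hashAlgorithm"],
  ["tokenBinding", "tokenBindingId"],
]);

// Return clientData with the newer field names, whichever draft produced it.
function normalizeClientData(clientData) {
  const out = Object.create(null); // no inherited keys, so "in" sees parsed fields only
  for (const [key, value] of Object.entries(clientData)) {
    const name = RENAMED_FIELDS.get(key) || key;
    if (name in out) throw new Error(`field supplied under both names: ${name}`);
    out[name] = value;
  }
  return out;
}

// True when origin is a serialized https origin whose host is rpId or a
// subdomain of it. Any port is accepted. Simplification: no public suffix check.
function originInRpIdScope(origin, rpId) {
  let url;
  try { url = new URL(origin); } catch { return false; } // a bare domain is not an origin
  if (url.protocol !== "https:" || url.origin !== origin) return false;
  const host = url.hostname;
  const id = rpId.toLowerCase();
  return host === id || host.endsWith("." + id);
}

// Server-side check of a clientDataJSON string against what the RP expects.
function verifyClientData(clientDataJSON, expected) {
  let c;
  try { c = normalizeClientData(JSON.parse(clientDataJSON)); }
  catch (e) { return { ok: false, reason: e.message }; }
  if (!originInRpIdScope(c.origin, expected.rpId))
    return { ok: false, reason: "origin is not an https origin within the RP ID" };
  if (c.challenge !== expected.challenge)
    return { ok: false, reason: "challenge mismatch" };
  return { ok: true, clientData: c };
}
```

A verifier that still compares "origin" against the RP ID string rejects every response from a client that sends the caller's origin, so the two sides have to change together.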
Updating to WD-07, even though it's not published yet. We're not going to stop at WD-06; we'll go straight to -07, which hopefully will have the last normative changes before CR.
Summary: Update WebAuthn JS API to the WD-06 working draft → Update WebAuthn JS API to the WD-07 working draft
Are we planning to ship this in 57?
Flags: needinfo?(jjones)
No. Updating to 'Future' as it's still undetermined what the schedule will be.
Flags: needinfo?(jjones)
Target Milestone: mozilla57 → Future
Version: 55 Branch → Trunk
These are the changes I've identified that we need to undertake, based on a delta between WD-05 and the editor's draft of 28 September 2017.

I'll be filing blockers against this bug for each.

* RP ID changes from an origin type to a domain string type (Done in Bug 1381126) 
* SameObject (Done in Bug 1382888)
* Ensure RP ID is scoped correctly (Bug 1382893)
* WebIDL renames
* Add extension types
* Add token binding types
* Add attachment types
* Add authenticator selection types
* Change to COSE Algorithm Identifier object types (wontfixes or repurposes Bug 1381190)
* Create Credential
    * Check for authenticatorAttachment
    * Check for requireUserVerification
    * authenticatorSelection / requiresResidentKey
* Make Assertion
    * Check for authenticatorAttachment
    * Check for requireUserVerification
    * Assert options.publicKey is present
    * Evaluate transports
* Implement isPlatformAuthenticatorAvailable() method
* Authenticator data:
    * Bit 2 must be explicitly addressed for U2F
* Extension: FIDO AppId Extension - need to implement
Depends on: 1406456
Depends on: 1406458
Depends on: 1406459
Depends on: 1406462
Depends on: 1381190
Depends on: 1406466
Depends on: 1406467
Depends on: 1406468
Depends on: 1406469
Depends on: 1406471
Depends on: 1407093
Depends on: 1407789
Depends on: 1407829
Depends on: 1409202
Depends on: 1409220
Depends on: 1415675
Summary: Update WebAuthn JS API to the WD-07 working draft → [meta] Update WebAuthn JS API to the WD-07 working draft
Is there an existing bug tracking adding [SecureContext] to the Navigator bits?
Flags: needinfo?(jjones)
(In reply to Boris Zbarsky [:bz] (no decent commit message means r-) from comment #5)
> Is there an existing bug tracking adding [SecureContext] to the Navigator
> bits?

No; what Navigator bits are those? Credential and CredentialsContainer are already [SecureContext] [1]

If there are other bits, feel free to open one and we'll take care of it. (Sorry for my ignorance!)

[1] https://searchfox.org/mozilla-central/source/dom/webidl/CredentialManagement.webidl
Flags: needinfo?(jjones)
> what Navigator bits are those?

https://www.w3.org/TR/credential-management-1/#framework-credential-management

> Credential and CredentialsContainer are already [SecureContext]

Yes, but Navigator.credentials is not.

> feel free to open one

Bug 1430947.
No longer depends on: 1409220
Priority: P1 → P2
Component: DOM: Device Interfaces → DOM: Web Authentication
Summary: [meta] Update WebAuthn JS API to the WD-07 working draft → [meta] Update WebAuthn JS API to the L1-REC spec