Closed
Bug 1406462
Opened 7 years ago
Closed 7 years ago
Web Authentication - Add authenticator selection criteria and attachment types
Categories
(Core :: DOM: Device Interfaces, enhancement, P1)
Tracking
RESOLVED
FIXED
Future
Tracking | Status | |
---|---|---|
firefox57 | --- | unaffected |
firefox59 | --- | fixed |
People
(Reporter: jcj, Assigned: ttaubert)
Details
(Whiteboard: [webauthn][webauthn-wd07])
Attachments
(1 file)
Web Authentication now has a concept of attachment types; we need to support the ones that are relevant given our U2F implementation.
Reporter
Comment 1•7 years ago
This also needs to cover Authentication Selection criteria
Summary: Web Authentication - Add attachment types → Web Authentication - Add authenticator selection criteria and attachment types
Updated•7 years ago
status-firefox57: --- → unaffected
Assignee
Updated•7 years ago
Assignee: nobody → ttaubert
Status: NEW → ASSIGNED
Assignee
Comment 3•7 years ago
Short summary of my thoughts: We should forward the authenticator selection criteria to the soft and HID token implementations. They can then decide what to do with that information.

1) U2FSoftToken
On every MakeCredential() request, the softtoken checks whether the RP requires resident keys, user verification, or platform attachment. If any of the three is "true" we'll abort with ERR_NOT_IMPLEMENTED. Our softtoken will never support any of this.

2) U2FHIDToken
The HID token forwards the selection criteria to u2f-hid-rs. If either user verification or resident keys are required by the RP we ignore all USB devices, yet keep the loop running (and time out eventually). That will match future behavior when e.g. only non-UV tokens are inserted and we're waiting for the user to insert a token with UV support.

I'm not entirely sure how to handle the "platform attachment" flag for the HID case. We could return ERR_NOT_IMPLEMENTED even before we start the state machine to look for tokens. That would, I think, be valid behavior if we in the future would either use the platform authenticator, or poll for cross-platform authenticators.

For signing, we'd probably always ask the platform authenticator, if available, first to see whether it's their token. If not, we'd start asking all available cross-platform authenticators.

How would we deal with platform authenticators in the registration case? Would we also ask e.g. Windows first whether it's set up for it, and whether the user wants to use the platform capabilities? And then when either Windows can't or the user declines we'd look for cross-platform authenticators?
Flags: needinfo?(jjones)
Reporter
Comment 4•7 years ago
I agree with #1; it doesn't exactly match the spec (which says we should run to timeout), but that's OK.

#2: We should not exit early with ERR_NOT_IMPLEMENTED; that's what isPlatformUserVerifyingPlatformIsPlatformAuthenticatorPresentOkayLetsGo() is for...

For signing, you're right, it shouldn't matter if we're iterative and start with the platform authenticators. For credential creation, we should try to do them all at once, and whatever finishes first prompts a cancel of all the others.

For example: create credential starts. We start blinking all USB authenticators, and we also call the method for Windows. Whichever completes first prompts an "authenticatorCancel" operation on all the others. I realize that's a little extra complicated, but if the RP wants one or the other, they'll specify it with the attachment modality setting.
Flags: needinfo?(jjones)
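A sketch of the behaviour discussed in comments 3 and 4, added here as an illustration and not taken from the bug, Firefox or u2f-hid-rs: devices that do not meet the RP's selection criteria are ignored while the request keeps running until the timeout, and the first eligible device to complete cancels the rest. The `Authenticator` and `Criteria` types, `eligible`, `make_credential` and all timing values are hypothetical.

```rust
use std::sync::{atomic::{AtomicBool, Ordering}, mpsc, Arc};
use std::{thread, time::{Duration, Instant}};

// Hypothetical model (not Firefox or u2f-hid-rs types); rk = resident keys, uv = user verification.
#[derive(Clone, Copy)]
struct Authenticator { name: &'static str, platform: bool, rk: bool, uv: bool, responds_after_ms: u64 }

// platform: None = no preference, Some(true) = platform, Some(false) = cross-platform.
#[derive(Clone, Copy)]
struct Criteria { platform: Option<bool>, require_rk: bool, require_uv: bool }

// A device is polled only if it satisfies every criterion the RP set.
fn eligible(a: &Authenticator, c: &Criteria) -> bool {
    c.platform.map_or(true, |p| p == a.platform) && (!c.require_rk || a.rk) && (!c.require_uv || a.uv)
}

// Returns the winner plus the devices that were cancelled, or None on timeout.
fn make_credential(auths: &[Authenticator], c: Criteria, timeout: Duration)
    -> Option<(&'static str, Vec<&'static str>)> {
    let cancel = Arc::new(AtomicBool::new(false));
    let (tx, rx) = mpsc::channel();
    let mut started = Vec::new();
    for a in auths.iter().copied().filter(|a| eligible(a, &c)) {
        started.push(a.name);
        let (tx, cancel) = (tx.clone(), Arc::clone(&cancel));
        thread::spawn(move || {
            let deadline = Instant::now() + Duration::from_millis(a.responds_after_ms);
            while Instant::now() < deadline {
                if cancel.load(Ordering::SeqCst) { return; } // cancelled by the winner
                thread::sleep(Duration::from_millis(2));
            }
            let _ = tx.send(a.name);
        });
    }
    // `tx` is still alive here, so with no eligible device we wait out the timeout, not fail early.
    let winner = rx.recv_timeout(timeout).ok();
    cancel.store(true, Ordering::SeqCst); // stop every device still polling
    let winner = winner?;
    started.retain(|n| *n != winner);
    Some((winner, started))
}

fn main() {
    // Constructed sample: one plain U2F key and one platform authenticator.
    let auths = [Authenticator { name: "usb-u2f", platform: false, rk: false, uv: false, responds_after_ms: 40 },
                 Authenticator { name: "platform", platform: true, rk: true, uv: true, responds_after_ms: 400 }];
    let c = Criteria { platform: None, require_rk: false, require_uv: false };
    println!("{:?}", make_credential(&auths, c, Duration::from_secs(2)));
}
```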
Assignee
Comment 5•7 years ago
FYI, I filed: https://github.com/w3c/webauthn/issues/698
Comment 6•7 years ago
Comment on attachment 8931410
Bug 1406462 - Web Authentication - Add support for authenticator selection criteria and attachment types r=jcj
J.C. Jones [:jcj] has approved the revision.
https://phabricator.services.mozilla.com/D278#7123
Attachment #8931410 - Flags: review+
Assignee
Comment 7•7 years ago
Comment on attachment 8931410
Bug 1406462 - Web Authentication - Add support for authenticator selection criteria and attachment types r=jcj
Olli, can you please take a look at the WebIDL changes? The Phabricator diff has comments with links to the latest version of the spec. Thanks!
Attachment #8931410 - Flags: review?(bugs)
Comment 8•7 years ago
Comment on attachment 8931410
Bug 1406462 - Web Authentication - Add support for authenticator selection criteria and attachment types r=jcj
Olli Pettay [:smaug] has approved the revision.
https://phabricator.services.mozilla.com/D278#7222
Attachment #8931410 - Flags: review+
Assignee
Comment 9•7 years ago
Comment on attachment 8931410
Bug 1406462 - Web Authentication - Add support for authenticator selection criteria and attachment types r=jcj
Thanks!
Attachment #8931410 - Flags: review?(bugs)
Assignee
Comment 10•7 years ago
https://treeherder.mozilla.org/#/jobs?repo=try&revision=f9f4d79ff70a88c657b3bbbe368a7cba114f5dfb
Comment 11•7 years ago
Pushed by ttaubert@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/735e651fcd65
Web Authentication - Add support for authenticator selection criteria and attachment types r=jcj,smaug
Comment 12•7 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/735e651fcd65