Closed Bug 1406462 Opened 3 years ago Closed 2 years ago

Web Authentication - Add authenticator selection criteria and attachment types

Categories

(Core :: DOM: Device Interfaces, enhancement, P1)

enhancement

Tracking

()

RESOLVED FIXED
Future
Tracking Status
firefox57 --- unaffected
firefox59 --- fixed

People

(Reporter: jcj, Assigned: ttaubert)

References

(Blocks 1 open bug, )

Details

(Whiteboard: [webauthn][webauthn-wd07])

Attachments

(1 file)

Web Authentication now has a concept of attachment types; we need to support the ones that are relevant given our U2F implementation.
This also needs to cover Authentication Selection criteria
Summary: Web Authentication - Add attachment types → Web Authentication - Add authenticator selection criteria and attachment types
Duplicate of this bug: 1406466
Assignee: nobody → ttaubert
Status: NEW → ASSIGNED
Short summary of my thoughts:

We should forward the authenticator selection criteria to the soft and HID token implementations. They can then decide what to do with that information.


1) U2FSoftToken

On every MakeCredential() request, the softtoken checks whether the RP requires resident keys, user verification, or platform attachment. If any of the three is "true" we'll abort with ERR_NOT_IMPLEMENTED. Our softtoken will never support any of this.


2) U2FHIDToken

The HID token forwards the selection criteria to u2f-hid-rs. If either user verification or resident keys are required by the RP we ignore all USB devices, yet keep the loop running (and time out eventually). That will match future behavior when e.g. only non-UV tokens are inserted and we're waiting for the user to insert a token with UV support.


I'm not entirely sure how to handle the "platform attachment" flag for the HID case. We could return ERR_NOT_IMPLEMENTED even before we start the state machine to look for tokens. That would, I think, be valid behavior if we in the future would either use the platform authenticator, or poll for cross-platform authenticators.

For signing, we'd probably always ask the platform authenticator, if available, first to see whether it's their token. If not, we'd start asking all available cross-platform authenticators.

How would we deal with platform authenticators in the registration case? Would we also ask e.g. Windows first whether it's set up for it, and whether the user wants to use the platform capabilities? And then when either Windows can't or the user declines we'd look for cross-platform authenticators?
Flags: needinfo?(jjones)
I agree with #1; it doesn't exactly match the spec (which says we should run to timeout), but that's OK.

#2: We should not exit early with ERR_NOT_IMPLEMENTED; that's what isPlatformUserVerifyingPlatformIsPlatformAuthenticatorPresentOkayLetsGo() is for... 

For signing, you're right, it shouldn't matter if we're iterative and start with the platform authenticators.

For credential creation, we should try to do them all at once, and whatever finishes first prompts a cancel of all the others. For example: create credential starts. We start blinking all USB authenticators, and we also call the method for Windows. Whichever completes first prompts an "authenticatorCancel" operation on all the others. I realize that's a little extra complicated, but if the RP wants one or the other, they'll specify it with the attachment modality setting.
Flags: needinfo?(jjones)
Comment on attachment 8931410 [details]
Bug 1406462 - Web Authentication - Add support for authenticator selection criteria and attachment types r=jcj

J.C. Jones [:jcj] has approved the revision.

https://phabricator.services.mozilla.com/D278#7123
Attachment #8931410 - Flags: review+
Comment on attachment 8931410 [details]
Bug 1406462 - Web Authentication - Add support for authenticator selection criteria and attachment types r=jcj

Olli, can you please take a look at the WebIDL changes? The Phabricator diff has comments with links to the latest version of the spec. Thanks!
Attachment #8931410 - Flags: review?(bugs)
Comment on attachment 8931410 [details]
Bug 1406462 - Web Authentication - Add support for authenticator selection criteria and attachment types r=jcj

Olli Pettay [:smaug] has approved the revision.

https://phabricator.services.mozilla.com/D278#7222
Attachment #8931410 - Flags: review+
Comment on attachment 8931410 [details]
Bug 1406462 - Web Authentication - Add support for authenticator selection criteria and attachment types r=jcj

Thanks!
Attachment #8931410 - Flags: review?(bugs)
Pushed by ttaubert@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/735e651fcd65
Web Authentication - Add support for authenticator selection criteria and attachment types r=jcj,smaug
https://hg.mozilla.org/mozilla-central/rev/735e651fcd65
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.