LG-12571 Specify "hints" for WebAuthn security key enrollment #10382
Conversation
| @@ -56,6 +56,7 @@ function webauthn() { | |||
| .filter(Boolean), | |||
| ), | |||
| authenticatorAttachment: platformAuthenticator ? 'platform' : 'cross-platform', | |||
| publicKeyCredentialHints: platformAuthenticator ? 'client-device' : 'security-key', | |||
There was a problem hiding this comment.
I think we should support "hybrid" for platform authenticator enrollments, like using a smartphone QR code to complete MFA setup initiated on a computer. I'd think we should either leave the hints unspecified for platform authenticators, or provide an array including both client-device and hybrid (in order of preference).
There was a problem hiding this comment.
Added 'hybrid' into the acceptable options.
| @@ -37,6 +39,10 @@ interface EnrollResult { | |||
| transports?: string[]; | |||
| } | |||
|
|
|||
| interface AuthenticatorSelectionCriteriaWithHints extends AuthenticatorSelectionCriteria { | |||
| publicKeyCredentialHints?: 'client-device' | 'security-key'; | |||
There was a problem hiding this comment.
- The property of
publicKeyis calledhints, notpublicKeyCredentialHints - The value is an array of strings, not a string
'hybrid'is a validhintsstring value
Reference: https://www.w3.org/TR/webauthn-3/#dom-publickeycredentialcreationoptions-hints
| publicKeyCredentialHints?: 'client-device' | 'security-key'; | |
| hints?: Array<'client-device' | 'security-key' | 'hybrid'>; |
There was a problem hiding this comment.
Updated value to array of strings and set property name to 'hints'
| @@ -23,6 +23,8 @@ interface EnrollOptions { | |||
| excludeCredentials: PublicKeyCredentialDescriptor[]; | |||
|
|
|||
| authenticatorAttachment?: AuthenticatorAttachment; | |||
|
|
|||
| publicKeyCredentialHints?: 'client-device' | 'security-key'; | |||
There was a problem hiding this comment.
since this 'client-device' | 'security-key' union is used in two spots, should we name it & typedef it?
typedef PublicKeyCredentialType = 'client-device' | 'security-key';There was a problem hiding this comment.
I like that idea. Could even use an enum and call it the same as in the spec, PublicKeyCredentialHints
https://www.w3.org/TR/webauthn-3/#enumdef-publickeycredentialhints
https://www.typescriptlang.org/docs/handbook/enums.html#string-enums
There was a problem hiding this comment.
I have those cast in a Type now. I'm not entirely clear on how to leverage an enum there but can spend a little more time on it.
🎫 Ticket
LG-12571
🛠 Summary of changes
When enrolling a non-platform webauthn device it passes the value 'security-key' with the
authenticatorSelectionobject.Platform devices will have 'client-device' added.
https://www.w3.org/TR/webauthn-3/#dom-publickeycredentialhints-client-device
📜 Testing Plan
Test for enroll-webauthn-device should pass.
Setup should work as before without any issues.