-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Disallow multiple types via navigator.credentials's methods #140
Comments
I don't mind Separately, I don't feel like All in all, my intuition is that we have found a shared compromise on |
The problem was that To be clear, this is the ol' problem: navigator.credentials.get({publicKey: ...., password:..., digital: ...}); If we can get Cred Man to disallow multiple request types, then we could use I think we need to talk to @nsatragno about the feasibility (and backwards compatibility) of changing Cred Man to restrict to a single request type. We could support that in WebKit for sure (we only support |
Isn't that a problem we inherited by reusing the FWIW, the main reason I think
Yeah, we did check with @nsatragno that making the Credential Management API that throw an error in this case is viable: as you said, it just documents the implementation. I think that would be feasible in Chrome too.
IMHO, that's my preferred route too. I can live with If you and others wanted to go this route, I'd be fairly supportive of investigating further (but just to reaffirm: |
The tradeoff here is that it prevents (the purely theoretical so far) use by a site to have the user select between a passkey, federation, or a password manager entry in the same dialog. I like this as a possibility for the user because it enables a much easier "login" button that just gives them the options that they have used before in a browser dialog- they don't need to make up their mind about how to log in without that context. |
But we wouldn't be cornering ourselves from this (purely theoretical, as you noted) future, would we? That is, if the CM API threw an |
Maybe I misunderstood marcos' proposal: I thought he was saying we would have an example request be but if he was using jq syntax in I still have my reservations in throwing |
Oh yeah, so then, maybe I'm the one that is misunderstanding @marcoscaceres 's proposal then :) Just to try to paraphrase @marcoscaceres on this line:
I interpreted that as the following: // Throws a NotSupportedError
await navigator.credentials.get({
digital: ...,
publicKey: ...,
federated: ...,
}); Which I'm supportive of, because it would mean we could move the API out of // returns a DigitalCredential object
await navigator.credentials.get({
digital: ...,
}); Does that make sense? |
@bvandersloot-mozilla, what @samuelgoto wrote above is my proposal. Sorry for not being clear. |
Moved the discussion to w3c/webappsec-credential-management#244 ... pinged folks above there. |
As it's still early, and given that we are generalizing this API beyond "identity", should we renamed it to
navigator.digitalCredentials
?The text was updated successfully, but these errors were encountered: