-
Notifications
You must be signed in to change notification settings - Fork 48
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Proposal: add Relying Party id as a required input to SPC authentication #164
Comments
This makes sense. I support that we add this to the specification, and sooner rather than later. It will set us up for the future. @stephenmcgruer would be curious to understand your ideas around the 3DS specification a bit better. |
Thanks @Goosth . I've put together a document with some of my thoughts on this, which we can hopefully discuss early next year: https://docs.google.com/document/d/1uVydbd046aAM_lQd2McEDCM6ttJOh0ggqL5J5TxhZEY/edit?usp=sharing |
Add a required input to `SecurePaymentConfirmationRequest` for the relying party ID. If the requested credentials do not have a matching RP ID, then the authentication will fail in the "Verifying an Authentication Assertion" steps. Before UI is shown, i.e. in "Steps to check if a payment can be made", the input rpId is only checked to be a valid URL. This ensures that this is a breaking change before any UI is shown. The actual validation of the RP ID happens during authentication. Issue w3c#164
Implementation for the proposal[1] to add the credential's relying party as input to a SecurePaymentConfirmationRequests. This validates the request's RP ID against the stored SPC credential data as part of the SPC request creation; in the future we also want to forward this to webauthn to look up the credential by the relying party ID as part of the authentication. [1] w3c/secure-payment-confirmation#164 Bug: 1298505 Change-Id: If8a305dfb608050107966b2bb6f365a3d2aeb18b
Implementation for the proposal[1] to add the credential's relying party as input to a SecurePaymentConfirmationRequests. This validates the request's RP ID against the stored SPC credential data as part of the SPC request creation; in the future we also want to forward this to webauthn to look up the credential by the relying party ID as part of the authentication. [1] w3c/secure-payment-confirmation#164 Bug: 1298505 Change-Id: If8a305dfb608050107966b2bb6f365a3d2aeb18b
* Require Relying Party ID as input Add a required input to `SecurePaymentConfirmationRequest` for the relying party ID. If the requested credentials do not have a matching RP ID, then the authentication will fail in the "Verifying an Authentication Assertion" steps. Before UI is shown, i.e. in "Steps to check if a payment can be made", the input rpId is only checked to be a valid URL. This ensures that this is a breaking change before any UI is shown. The actual validation of the RP ID happens during authentication. Issue #164
Implementation for the proposal[1] to add the credential's relying party as input to a SecurePaymentConfirmationRequests. This validates the request's RP ID against the stored SPC credential data as part of the SPC request creation; in the future we also want to forward this to webauthn to look up the credential by the relying party ID as part of the authentication. [1] w3c/secure-payment-confirmation#164 Bug: 1298505 Change-Id: If8a305dfb608050107966b2bb6f365a3d2aeb18b
Just an FYI for anyone looking at this issue; adapting to this change requires a code change similar to the below in your javascript, and can be done anytime ahead of the change rolling out in browsers (i.e., it is forwards-compatible):
The |
Implementation for the proposal[1] to add the credential's relying party as input to a SecurePaymentConfirmationRequests. This validates the request's RP ID against the stored SPC credential data as part of the SPC request creation; in the future we also want to forward this to webauthn to look up the credential by the relying party ID as part of the authentication. [1] w3c/secure-payment-confirmation#164 Bug: 1298505 Change-Id: If8a305dfb608050107966b2bb6f365a3d2aeb18b
Implementation for the proposal[1] to add the credential's relying party as input to a SecurePaymentConfirmationRequests. This validates the request's RP ID against the stored SPC credential data as part of the SPC request creation; in the future we also want to forward this to webauthn to look up the credential by the relying party ID as part of the authentication. [1] w3c/secure-payment-confirmation#164 Bug: 1298505 Change-Id: If8a305dfb608050107966b2bb6f365a3d2aeb18b
Implementation for the proposal[1] to add the credential's relying party as input to a SecurePaymentConfirmationRequests. This validates the request's RP ID against the stored SPC credential data as part of the SPC request creation; in the future we also want to forward this to webauthn to look up the credential by the relying party ID as part of the authentication. [1] w3c/secure-payment-confirmation#164 Bug: 1298505 Change-Id: If8a305dfb608050107966b2bb6f365a3d2aeb18b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3456482 Reviewed-by: Ken Buchanan <kenrb@chromium.org> Reviewed-by: Stephen McGruer <smcgruer@chromium.org> Reviewed-by: Camille Lamy <clamy@chromium.org> Commit-Queue: Nick Burris <nburris@chromium.org> Cr-Commit-Position: refs/heads/main@{#981645}
Implementation for the proposal[1] to add the credential's relying party as input to a SecurePaymentConfirmationRequests. This validates the request's RP ID against the stored SPC credential data as part of the SPC request creation; in the future we also want to forward this to webauthn to look up the credential by the relying party ID as part of the authentication. [1] w3c/secure-payment-confirmation#164 Bug: 1298505 Change-Id: If8a305dfb608050107966b2bb6f365a3d2aeb18b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3456482 Reviewed-by: Ken Buchanan <kenrb@chromium.org> Reviewed-by: Stephen McGruer <smcgruer@chromium.org> Reviewed-by: Camille Lamy <clamy@chromium.org> Commit-Queue: Nick Burris <nburris@chromium.org> Cr-Commit-Position: refs/heads/main@{#981645}
Implementation for the proposal[1] to add the credential's relying party as input to a SecurePaymentConfirmationRequests. This validates the request's RP ID against the stored SPC credential data as part of the SPC request creation; in the future we also want to forward this to webauthn to look up the credential by the relying party ID as part of the authentication. [1] w3c/secure-payment-confirmation#164 Bug: 1298505 Change-Id: If8a305dfb608050107966b2bb6f365a3d2aeb18b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3456482 Reviewed-by: Ken Buchanan <kenrb@chromium.org> Reviewed-by: Stephen McGruer <smcgruer@chromium.org> Reviewed-by: Camille Lamy <clamy@chromium.org> Commit-Queue: Nick Burris <nburris@chromium.org> Cr-Commit-Position: refs/heads/main@{#981645}
…request, a=testonly Automatic update from web-platform-tests [SPC] Add relying party ID input to SPC request Implementation for the proposal[1] to add the credential's relying party as input to a SecurePaymentConfirmationRequests. This validates the request's RP ID against the stored SPC credential data as part of the SPC request creation; in the future we also want to forward this to webauthn to look up the credential by the relying party ID as part of the authentication. [1] w3c/secure-payment-confirmation#164 Bug: 1298505 Change-Id: If8a305dfb608050107966b2bb6f365a3d2aeb18b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3456482 Reviewed-by: Ken Buchanan <kenrb@chromium.org> Reviewed-by: Stephen McGruer <smcgruer@chromium.org> Reviewed-by: Camille Lamy <clamy@chromium.org> Commit-Queue: Nick Burris <nburris@chromium.org> Cr-Commit-Position: refs/heads/main@{#981645} -- wpt-commits: 22a15c8fe89894330715e64889faf760c3de7457 wpt-pr: 32884
…request, a=testonly Automatic update from web-platform-tests [SPC] Add relying party ID input to SPC request Implementation for the proposal[1] to add the credential's relying party as input to a SecurePaymentConfirmationRequests. This validates the request's RP ID against the stored SPC credential data as part of the SPC request creation; in the future we also want to forward this to webauthn to look up the credential by the relying party ID as part of the authentication. [1] w3c/secure-payment-confirmation#164 Bug: 1298505 Change-Id: If8a305dfb608050107966b2bb6f365a3d2aeb18b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3456482 Reviewed-by: Ken Buchanan <kenrb@chromium.org> Reviewed-by: Stephen McGruer <smcgruer@chromium.org> Reviewed-by: Camille Lamy <clamy@chromium.org> Commit-Queue: Nick Burris <nburris@chromium.org> Cr-Commit-Position: refs/heads/main@{#981645} -- wpt-commits: 22a15c8fe89894330715e64889faf760c3de7457 wpt-pr: 32884
…request, a=testonly Automatic update from web-platform-tests [SPC] Add relying party ID input to SPC request Implementation for the proposal[1] to add the credential's relying party as input to a SecurePaymentConfirmationRequests. This validates the request's RP ID against the stored SPC credential data as part of the SPC request creation; in the future we also want to forward this to webauthn to look up the credential by the relying party ID as part of the authentication. [1] w3c/secure-payment-confirmation#164 Bug: 1298505 Change-Id: If8a305dfb608050107966b2bb6f365a3d2aeb18b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3456482 Reviewed-by: Ken Buchanan <kenrb@chromium.org> Reviewed-by: Stephen McGruer <smcgruer@chromium.org> Reviewed-by: Camille Lamy <clamy@chromium.org> Commit-Queue: Nick Burris <nburris@chromium.org> Cr-Commit-Position: refs/heads/main@{#981645} -- wpt-commits: 22a15c8fe89894330715e64889faf760c3de7457 wpt-pr: 32884
…request, a=testonly Automatic update from web-platform-tests [SPC] Add relying party ID input to SPC request Implementation for the proposal[1] to add the credential's relying party as input to a SecurePaymentConfirmationRequests. This validates the request's RP ID against the stored SPC credential data as part of the SPC request creation; in the future we also want to forward this to webauthn to look up the credential by the relying party ID as part of the authentication. [1] w3c/secure-payment-confirmation#164 Bug: 1298505 Change-Id: If8a305dfb608050107966b2bb6f365a3d2aeb18b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3456482 Reviewed-by: Ken Buchanan <kenrb@chromium.org> Reviewed-by: Stephen McGruer <smcgruer@chromium.org> Reviewed-by: Camille Lamy <clamy@chromium.org> Commit-Queue: Nick Burris <nburris@chromium.org> Cr-Commit-Position: refs/heads/main@{#981645} -- wpt-commits: 22a15c8fe89894330715e64889faf760c3de7457 wpt-pr: 32884
Implementation for the proposal[1] to add the credential's relying party as input to a SecurePaymentConfirmationRequests. This validates the request's RP ID against the stored SPC credential data as part of the SPC request creation; in the future we also want to forward this to webauthn to look up the credential by the relying party ID as part of the authentication. [1] w3c/secure-payment-confirmation#164 Bug: 1298505 Change-Id: If8a305dfb608050107966b2bb6f365a3d2aeb18b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3456482 Reviewed-by: Ken Buchanan <kenrb@chromium.org> Reviewed-by: Stephen McGruer <smcgruer@chromium.org> Reviewed-by: Camille Lamy <clamy@chromium.org> Commit-Queue: Nick Burris <nburris@chromium.org> Cr-Commit-Position: refs/heads/main@{#981645} NOKEYCHECK=True GitOrigin-RevId: 4a1feed9f2368644c9277ee6e76a87186f2d2b8d
Background
Currently, SPC takes as input a list of credential IDs, but does not take the Relying Party ID as input. Instead, we currently 'magically' obtain it during the "Steps to respond to a payment request".
Currently in Chrome, that magic is part of the browser-local storage that we intend to get rid of (long-term). We had previously envisioned that in the future, the magic would be delivered by authenticator-level support, e.g. as part of our assumed use of a Conditional UI-like API.
However, in talking with the WebAuthn folks, it has become clear that having the RP ID as an input would be beneficial. Authenticators often internally store discoverable credentials as an
RP id --> [credential]
structure, and so looking up from a credential ID to an RP ID could be quite expensive. Additionally, Conditional UI presumes that the RP ID is known, and so it will be easier to 'piggyback' on that API support if we also have the RP ID as an input.Having the RP ID as an input would also solve another edge-case problem - what happens if the SPC caller passes in credentials from multiple different RPs? Today this is undefined; the behaviour will be reasonable but inconsistent. By requiring the RP ID as input, it becomes clear - any credential ID from a different RP will simply not match.
Proposal
Add RP ID as a required member of
SecurePaymentConfirmationRequest
:This RP ID would be a claim from the SPC caller as to whom the RP is for the passed credentials. This claim would be verified by the authenticator as part of the flow (as the credential IDs wouldn't match if the wrong RP ID was provided).
Alternative - optional RP ID
We could make the RP ID an optional field. If not passed, the browser would use the current origin as the RP ID, similar to how WebAuthn
get()
works today. This is mostly useful for supporting the 1p payments case - all 3p use-cases would need to pass the RP ID.Implications
Backwards compatibility
This change would not be backwards compatible. Existing users of SPC would have to update their implementations to pass rpId. They could do this ahead of any browser-side change, as passing an unused member in a dictionary is valid.
3DS
SPC was integrated into the 3DS v2.3 specification. Naively, the existing integration would not support adding an RP ID field. I have some ideas on this
which we should probably take to the 3DS WG and see what they think :).
The text was updated successfully, but these errors were encountered: