Describe how to determine authenticator attachment from transports
emlun committed Sep 17, 2021
1 parent 3b6a836 commit 8415a95
Showing 1 changed file with 35 additions and 1 deletion.
36 changes: 35 additions & 1 deletion index.bs
Expand Up @@ -2454,6 +2454,40 @@ To remove the need to parse CBOR at all in many cases, {{AuthenticatorAttestatio

Note: {{AuthenticatorAttestationResponse/getPublicKey()}} and {{AuthenticatorAttestationResponse/getAuthenticatorData()}} were only added in level two of this spec. [=[RPS]=] SHOULD use feature detection before using these functions by testing the value of `'getPublicKey' in AuthenticatorAttestationResponse.prototype`. [=[RPS]=] that require this function to exist may not interoperate with older user-agents.


#### Determining Authenticator Attachment Options from Credential Transports #### {#sctn-attachments-from-transports}

[INFORMATIVE]

After creating a [=credential=], the [=[RP]=] may wish to know the [=authenticator attachment modality=] of the credential's [=managing authenticator=].
This can be done by inspecting the result of calling {{getTransports()}}.

If the result of {{getTransports()}}

<dl class="switch">
: is [=list/empty=],
:: the [=authenticator attachment modality|attachment modality=] of the credential and its [=managing authenticator=] is unknown.

: [=list/contains=] only {{AuthenticatorTransport/internal}},
:: the credential is a [=platform credential=].

: is not [=list/empty=] and does not [=list/contain=] {{AuthenticatorTransport/internal}},
:: the credential is a [=roaming credential=].

: [=list/contains=] both {{AuthenticatorTransport/internal}} and other values,
:: the credential can be used as a [=platform credential=] under some circumstances and a [=roaming credential=] under some circumstances.
Both attachment options may or may not be available at the same time.

For example, a credential [=created on=] a mobile phone may be available as a [=platform credential=]
when the [=client device=] is that mobile phone,
and as a [=roaming credential=] when the [=client device=] is a laptop computer that can reach the mobile phone via Bluetooth.
</dl>

Note that an [=authenticator's=] [=authenticator attachment modality|attachment modality=] could change over time.
For example, a mobile phone might at one time only support [=platform attachment=]
but later receive updates to support [=cross-platform attachment=] as well.


### Web Authentication Assertion (interface <dfn interface>AuthenticatorAssertionResponse</dfn>) ### {#iface-authenticatorassertionresponse}

The {{AuthenticatorAssertionResponse}} interface represents an [=authenticator=]'s response to a client's request for
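
Review bot: {{getTransports()}} is written unqualified in the two sentences that introduce the switch ("This can be done by inspecting the result of calling {{getTransports()}}" and "If the result of {{getTransports()}}"), while the other hunk of this patch shows the existing text using the qualified form {{AuthenticatorAttestationResponse/getTransports()}}. Suggest using the qualified form in the new section too, so the link target is explicit and consistent. A smaller style point: the closing paragraph opens with "Note that", whereas the context line just above the new section uses the "Note:" prefix; consider "Note:" here as well.
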
Expand Down Expand Up @@ -2739,7 +2773,7 @@ attributes.

The [=[RP]=] can determine the resulting [=authenticator attachment modality|attachment=] for the created credential
using the {{AuthenticatorAttestationResponse/getTransports()}} method of the resulting {{AuthenticatorAttestationResponse}}.
See [[#enum-transport]] for details.
See [[#sctn-attachments-from-transports]] for details.

: <dfn>residentKey</dfn>
:: Specifies the extent to which the [=[RP]=] desires to create a [=client-side discoverable credential=]. For historical reasons the naming retains the deprecated “resident” terminology. The value SHOULD be a member of {{ResidentKeyRequirement}} but [=client platforms=] MUST ignore unknown values, treating an unknown value as if the [=map/exist|member does not exist=]. If no value is given then the effective value is {{ResidentKeyRequirement/required}} if {{requireResidentKey}} is [TRUE] or {{ResidentKeyRequirement/discouraged}} if it is [FALSE] or absent.
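
Review bot: The unchanged sentence "The [=[RP]=] can determine the resulting attachment for the created credential" now points at a section whose first case is that the attachment modality is unknown when the transports list is empty, and whose last case is a credential that is both platform and roaming depending on circumstances. "Can determine" overstates what the referenced section offers; suggest softening it (for example "may be able to determine") or adding that the result can be unknown, so an RP reading only this paragraph does not treat the transports list as a definitive signal.
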