diff --git a/index.bs b/index.bs index 3d077e23e..f5f109347 100644 --- a/index.bs +++ b/index.bs @@ -374,10 +374,7 @@ are returned to the caller when a new credential is created, or a new assertion optional ScopedCredentialOptions options ); - static Promise getAssertion( - BufferSource assertionChallenge, - optional AssertionOptions options - ); + static Promise getAssertion(ScopedCredentialRequestOptions options); };
@@ -413,7 +410,7 @@ are returned to the caller when a new credential is created, or a new assertion approve this operation. On success, the promise will be resolved with a {{ScopedCredential}} which contains an {{AuthenticatorAttestationResponse}} object. Implementation details are found in [#createCredential]. - : getAssertion(assertionChallenge, options) + : getAssertion(data) :: This method is used to discover and use an existing scoped credential, with the user's consent. Implementation details are found in [[#getAssertion]].
@@ -437,9 +434,9 @@ This method takes the following parameters: authenticator already has a credential for the specified value of {{Account/id}} in {{accountInformation}}, and if this credential is not listed in the {{ScopedCredentialOptions/excludeList}} member of {{options}}, then after successful execution of this method: - - Any calls to {{getAssertion()}} that do not specify {{AssertionOptions/allowList}} will not result in the older + - Any calls to {{getAssertion()}} that do not specify {{ScopedCredentialRequestOptions/allowList}} will not result in the older credential being offered to the user. - - Any calls to {{getAssertion()}} that specify the older credential in the {{AssertionOptions/allowList}} may also not + - Any calls to {{getAssertion()}} that specify the older credential in the {{ScopedCredentialRequestOptions/allowList}} may also not result in it being offered to the user. - The cryptoParameters parameter supplies information about the desired properties of the credential to be created. @@ -505,7 +502,7 @@ When this method is invoked, the user agent MUST execute the following algorithm 1. [=list/Append=] |result| to |clientExtensions|. 1. Let |clientData| be a new {{ClientData}} instance whose fields are: - : {{challenge}} + : {{ClientData/challenge}} :: The [=base64url encoding=] of {{attestationChallenge}} : {{origin}} :: The [=unicode serialization of an origin|unicode serialization=] of |rpId| @@ -588,7 +585,7 @@ authorizing an authenticator. ### Use an existing credential - ScopedCredential::getAssertion() method ### {#getAssertion} -
+
This method is used to discover and use an existing scoped credential, with the user's consent. The script optionally specifies some criteria to indicate what credentials are acceptable to it. The user agent and/or platform locates credentials matching the specified criteria, and guides the user to pick one that the script should be allowed to use. The user may choose not to provide @@ -597,21 +594,18 @@ a credential even if one is present, for example to maintain privacy.
This method takes the following parameters: -
    -- The assertionChallenge parameter contains a challenge that the selected authenticator is expected to sign to - produce the assertion. - -- The optional options parameter specifies additional options, as described in - [[#assertion-options]]. +
      +- The options parameter contains a challenge that the selected authenticator is expected to sign to + produce the assertion, and specifies additional options as described in [[#assertion-parameters]].
When this method is invoked, the user agent MUST execute the following algorithm: -1. If the {{AssertionOptions/timeout}} member of {{options}} is [=present=], check if its value lies within a reasonable range +1. If the {{ScopedCredentialRequestOptions/timeout}} member of {{options}} is [=present=], check if its value lies within a reasonable range as defined by the platform and if not, correct it to the closest value lying within that range. Set |adjustedTimeout| to - this adjusted value. If the {{AssertionOptions/timeout}} member of {{options}} is [=present|not present=], then set + this adjusted value. If the {{ScopedCredentialRequestOptions/timeout}} member of {{options}} is [=present|not present=], then set |adjustedTimeout| to a platform-specific default. 1. Let |global| be the {{ScopedCredential}}'s [=relevant settings object=]'s 
@@ -621,28 +615,28 @@ When this method is invoked, the user agent MUST execute the following algorithm |callerOrigin| is an [=opaque origin=], return [=a promise rejected with=] a {{DOMException}} whose name is "{{NotAllowedError}}", and terminate this algorithm. -1. If the {{AssertionOptions/rpId}} member of {{options}} is [=present|not present=], then set |rpId| to |callerOrigin|. +1. If the {{ScopedCredentialRequestOptions/rpId}} member of {{options}} is [=present|not present=], then set |rpId| to |callerOrigin|. Otherwise: 1. Let |effectiveDomain| be the |callerOrigin|'s [=effective domain=]. 1. If |effectiveDomain| is null, then return [=a promise rejected with=] a {{DOMException}} whose name is "{{SecurityError}}" and terminate this algorithm. - 1. If {{AssertionOptions/rpId}} [=is not a registrable domain suffix of and is not equal to=] + 1. If {{ScopedCredentialRequestOptions/rpId}} [=is not a registrable domain suffix of and is not equal to=] |effectiveDomain|, return [=a promise rejected with=] a {{DOMException}} whose name is "{{SecurityError}}", and terminate this algorithm. - 1. Set |rpId| to the {{AssertionOptions/rpId}}. + 1. Set |rpId| to the {{ScopedCredentialRequestOptions/rpId}}. 1. Let |clientExtensions| be a new [=list=]. -1. If the {{AssertionOptions/extensions}} member of {{options}} is [=present=], then [=map/for each=] - |extension| → |argument| of {{options}}.{{AssertionOptions/extensions}}: +1. If the {{ScopedCredentialRequestOptions/extensions}} member of {{options}} is [=present=], then [=map/for each=] + |extension| → |argument| of {{options}}.{{ScopedCredentialRequestOptions/extensions}}: 1. If |extension| is not supported by this client platform, then [=continue=]. 1. Otherwise, let |result| be the result of running |extension|'s [=client processing=] algorithm on |argument|. If the algorithm returned an error, [=continue=]. 1. [=list/Append=] |result| to |clientExtensions|. 1. 
Let |clientData| be a new {{ClientData}} instance whose fields are: - : {{challenge}} - :: The [=base64url encoding=] of {{assertionChallenge}} + : {{ClientData/challenge}} + :: The [=base64url encoding=] of {{options}}.{{ScopedCredentialRequestOptions/challenge}} : {{origin}} :: The [=unicode serialization of an origin|unicode serialization=] of |rpId| : {{hashAlg}} @@ -663,11 +657,11 @@ When this method is invoked, the user agent MUST execute the following algorithm 1. Let |credentialList| be a new [=list=]. - 1. If {{options}}.{{AssertionOptions/allowList}} [=list/is not empty=], execute a + 1. If {{options}}.{{ScopedCredentialRequestOptions/allowList}} [=list/is not empty=], execute a platform-specific procedure to determine which, if any, credentials in - {{options}}.{{AssertionOptions/allowList}} are present on this |authenticator| by matching with - {{options}}.{{AssertionOptions/allowList}}.{{ScopedCredentialDescriptor/id}} and - {{options}}.{{AssertionOptions/allowList}}.{{ScopedCredentialDescriptor/type}}, and set |credentialList| to + {{options}}.{{ScopedCredentialRequestOptions/allowList}} are present on this |authenticator| by matching with + {{options}}.{{ScopedCredentialRequestOptions/allowList}}.{{ScopedCredentialDescriptor/id}} and + {{options}}.{{ScopedCredentialRequestOptions/allowList}}.{{ScopedCredentialDescriptor/type}}, and set |credentialList| to this filtered list. 1. If |credentialList| [=list/is empty=] then [=continue=]. 
@@ -926,10 +920,11 @@ a minimum of friction, e.g., the user will not have to dig around in their pocke example of the latter, when the user is accessing the [RP] from a given client for the first time, they may be required to use a [=roaming authenticator=] which was originally registered with the [RP] using a different client. -## Additional options for Assertion Generation (dictionary AssertionOptions) ## {#assertion-options} +## Parameters for Assertion Generation (dictionary ScopedCredentialRequestOptions) ## {#assertion-parameters} - dictionary AssertionOptions { + dictionary ScopedCredentialRequestOptions { + required BufferSource challenge; unsigned long timeout; USVString rpId; sequence<ScopedCredentialDescriptor> allowList = []; @@ -937,8 +932,12 @@ use a [=roaming authenticator=] which was originally registered with the [RP] us }; -
- This dictionary is used to supply additional options when generating an assertion. All these parameters are optional. +
+ This dictionary is used to supply additional options when generating an assertion. All these parameters are optional, except + {{ScopedCredentialRequestOptions/challenge}}, which is required: + + - The challenge parameter specifies a challenge that the selected authenticator is expected to sign to produce + the assertion. - The optional timeout parameter specifies a time, in milliseconds, that the caller is willing to wait for the call to complete. This is treated as a hint, and may be overridden by the platform. @@ -2387,7 +2386,7 @@ error. :: A single [=UTF-8 encoded=] string specifying a FIDO |appId|. : Client processing -:: If {{AssertionOptions/rpId}} is present, reject promise with a DOMException +:: If {{ScopedCredentialRequestOptions/rpId}} is present, reject promise with a DOMException whose name is "{{NotAllowedError}}", and terminate this algorithm. Replace the calculation of |rpId| in Step 3 of [[#getAssertion]] with the following procedure: The client uses the value of |fido_appid| to perform
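
Review bot: The method term in the `@@ -413,7 +410,7 @@` hunk is renamed to `getAssertion(data)`, but the IDL in the first hunk declares the argument as `options`, and the parameter list and algorithm steps under [[#getAssertion]] refer to {{options}} throughout. Suggest `: getAssertion(options)` so the term uses the same argument name as the IDL and the algorithm.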
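
Review bot: In the |clientData| field lists of the `@@ -505,7 +502,7 @@` and `@@ -621,28 +615,28 @@` hunks, only `challenge` is qualified as `{{ClientData/challenge}}`, while the neighbouring `{{origin}}` and `{{hashAlg}}` stay unqualified. The qualification presumably disambiguates from the new {{ScopedCredentialRequestOptions/challenge}} member. Qualifying the other ClientData fields the same way would keep the list consistent and avoid the same ambiguity if another dictionary later gains an `origin` or `hashAlg` member.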
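
Review bot: The heading change in the `@@ -926,10 +920,11 @@` hunk renames the section anchor from `{#assertion-options}` to `{#assertion-parameters}`, which breaks any existing link to the old fragment. The one reference visible in this patch (the parameter bullet under [[#getAssertion]]) is updated, but references outside the shown hunks and links from other documents are not covered. Either keep `{#assertion-options}` as the id, or confirm that no `[[#assertion-options]]` remains in index.bs.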
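
Review bot: The description in the `@@ -937,8 +932,12 @@` hunk still opens with "used to supply additional options" even though the dictionary now carries the required `challenge` and the section heading was renamed to "Parameters for Assertion Generation". Suggest wording such as "This dictionary is used to supply the parameters for generating an assertion. {{ScopedCredentialRequestOptions/challenge}} is required; all other members are optional." Leading with the required member keeps the challenge from reading as one more optional hint alongside `timeout`.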