Update name, displayname and icon for RP and user #1200
Comments
Looks like a real use case to me. But I was wondering whether the name (email) really changes? In usernameless flows, this information cannot be provided in the authentication. In username flows, will the RP provide a different name in the API?
@akshayku Depending on the service, the name can be another attribute like a phone number or even a nickname; such information can be altered. Unlike traditional web services, such RPs (services) may not have such a name that is almost like an identifier (email).
This is currently possible to do by replacing an existing credential, by performing a new registration ceremony with the same On the other hand, though: would this risk users getting confused when credential names suddenly change with little or no warning? How big a deal would that be?
In the case of the name for the user, the user has given consent for the modification, since such name changes are requested by the user. For the RP case, the RP may change their logo and it would be better to replace the old one with the new one.
For RP logos I think it's much more likely that RPs will sett I was more worried about
I agree. Fetching the URL from the remote source (https) happens once at the time of registration, and then the fetched icon is stored in the authenticator.
That behaviour is not mandated by the spec, in fact neither WebAuthn nor CTAP says anything about what the authenticator is supposed to do with
From call on 06.12.19: we believe that no normative action is warranted. RPs can already overwrite credentials. Maybe eventually add that as a recommendation. Punting to L3.
Has anyone done this in practice? I tried, and get a new credential identifier. So am I supposed to replace the old credential with this? Or should I be getting back the same ID that I left out from the exclusion list? Using the same user ID
@ptman If you create a new credential with the same This issue is probably superseded by #1779 now.
Closing as superseded by #1779, let's continue any further discussion there.
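The workaround discussed in the comments above (replacing a credential through a new registration ceremony so that `name` and `displayName` are refreshed), seen from the RP server's side. This is an added example, not code from the spec or from any participant in this thread. The function names and all sample values are hypothetical, and it assumes the RP swaps its stored record for the new credential ID after verifying the registration response elsewhere.

```javascript
// Added example: all names are hypothetical. Credential IDs, user handle and
// challenge are constructed sample values (base64url strings).

// Build PublicKeyCredentialCreationOptions (JSON form) for a registration
// ceremony meant to replace one stored credential and refresh its metadata.
function buildReplacementOptions(rp, account, credentials, replaceId, challenge) {
  if (!credentials.some((c) => c.id === replaceId)) {
    throw new Error("credential to replace is not registered to this account");
  }
  return {
    rp: { id: rp.id, name: rp.name },
    // Same user handle as before; only the displayable fields change.
    user: { id: account.userHandle, name: account.name, displayName: account.displayName },
    challenge, // fresh random value generated by the caller for each ceremony
    pubKeyCredParams: [{ type: "public-key", alg: -7 }], // -7 = ES256
    // Exclude every other credential of the account, but not the one being
    // replaced, so the authenticator that holds it is allowed to register again.
    excludeCredentials: credentials
      .filter((c) => c.id !== replaceId)
      .map((c) => ({ type: "public-key", id: c.id })),
  };
}

// Once the registration response has been verified, swap the stored record.
// The ceremony returns a new credential ID, so the old record is dropped
// rather than updated in place (assumption of this example).
function applyReplacement(credentials, replaceId, newCredential) {
  if (credentials.some((c) => c.id === newCredential.id)) {
    throw new Error("credential ID already registered");
  }
  return credentials.filter((c) => c.id !== replaceId).concat([newCredential]);
}

// Constructed sample store for one account.
const sampleCredentials = [
  { id: "Y3JlZC1vbGQ", publicKey: "constructed-key-1" },
  { id: "Y3JlZC1vdGhlcg", publicKey: "constructed-key-2" },
];
```

Keeping the old record until the new response verifies means a cancelled or failed ceremony leaves the account with its working credential.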
Depending on the scenario or case, the RP or user may change their displayable contents like name, displayname or even icon.
Since such information is supplied during registration and used forever, if the RP or user changes such information on the RP side, such information needs to be updated on the client or authenticator side.
The best way to support it is synchronization between the RP and the authenticators.
But it is almost impossible in the case of a roaming authenticator.
It would be better if we provide the API or parameters at the time the authenticator is really used for authentication.