Does AuthenticationExtensionsClientOutputs key have to be extension identifier or not? #1430
The entry key in this case is
on 2020-06-03 call: @emlun will investigate
As far as I can tell @ynojima is right that the CTAP2.1 definition departs from how the WebAuthn extensions framework is intended to work. Fortunately this only affects clients - authenticators that have already shipped with the feature will not have to change if we want to fix it. The extensions framework in WebAuthn would expect the registration input to look like this:
However in Chromium 83.0.4103.61 this causes the extension to be ignored. You indeed have to specify the extension like this:
which causes the extension to be processed and reflected in the authenticator extension output. On the authenticator side, the extension input is simply an integer

So in summary: Chromium implements the extension as specified in CTAP2.1, but CTAP2.1 does not follow the extension input structure expected by WebAuthn. CTAP could change the specification to match the WebAuthn structure, in which case only client code needs to change. Alternatively, WebAuthn could relax the soft requirement that extension inputs be grouped under a key named as the extension identifier.
I always assumed the second behavior. Another extension which works this way is
@equalsJeffH, can you check appid ones?
this is what is in https://w3c.github.io/webauthn/#sctn-appid-extension
2020-06-10 WG call: all extensions defined in the WebAuthn spec follow the specified pattern; will add a note mentioning that there exist other extensions that do not.
On a related note, §9.2 Defining Extensions says:
...which is currently not obeyed by the
In section 9.3 (https://w3c.github.io/webauthn/#sctn-extension-request-parameters), it is stated that
But the Credential Protection extension defined in CTAP2.1, whose extension identifier is credProtect, has the following definition. Its key doesn't match the extension identifier and moreover, it has two keys. Does the extension definition have to be updated? Or is the extension key naming rule to be relaxed?