preventSilentAccess() -- what effect does calling it have? #565
Given that this is a feature (though my guess is our end decision will just be return error for this method), I am putting on WD-07 milestone.
@equalsJeffH @nadalin @YubicoDemo for tracking.
The danger with allowing "undefined behavior" or "methods that do nothing now, but will do things in the future" in the spec is the following: People may build libraries/websites that do the right thing now, but will break when we update the API to have behavior where things are currently NOOPs.
I'm guessing we should say something.... somewhere.... like
As I recently added to https://w3c.github.io/webauthn/#getAssertion
If the "prevent silent access flag" is true, then no credentials should be available without user mediation, so get() always falls back to When we add touchless authenticators in L2, WebAuthn will start returning assertions from Is that the right behavior in that case? The user has done something—probably tap the "sign out" button—which indicates they want to be asked before the browser automatically uses their password to sign them in. Do they also want to be asked before the browser automatically uses their touchless authenticator to sign them in? If we think they probably do, then we're in a good place, with at most editorial changes needed to explain this in the spec. If we think they probably don't, then we need to change something.
@jyasskin wrote:
however, note that credman does not at this time explicitly specify a means to unset the
I tend to think "yes".
agreed. this seems congruent with @jcjones's suggestion (#565 (comment)) of saying something about this in the present spec level. Seems to me we can do now for wd-07 or add this to the CR pile.
@jyasskin What is the status?
I will create a PR based on @jcjones's October 25th comment.
The webauthn spec does not mention preventSilentAccess(). However, the credman spec does. What does it mean for public key credentials? If it has a meaning, let's explicitly state that. If it doesn't, let's make it throw an error.