How should the browser handle CredentialMediationRequirement for public key credentials?

[leshi]

CredentialRequestOptions in webauthn extends CredentialRequestOptions from CredMan. I'm reproducing it below for easy reference:

dictionary CredentialRequestOptions {
  CredentialMediationRequirement mediation = "optional";
};

enum CredentialMediationRequirement {
  "silent",
  "optional",
  "required"
};

I'm not sure how a WebAuthn implementation should handle the mediation parameter. It is not referenced at all in the WebAuthn spec. We should clarify this.

[balfanz]

@jyasskin - can you advise here and assign back to @leshi or unassign?

[jyasskin]

Sorry it took me so long to look. I believe https://w3c.github.io/webappsec-credential-management/#algorithm-request takes complete charge of handling the mediation field. This handling uses a distinction between the [[CollectFromCredentialStore]] method (which webauthn doesn't override) and the [[DiscoverFromExternalSource]] method (which we do override).

Because we don't override [[CollectFromCredentialStore]], step 5.1 returns an empty list, so if the calling script passed "silent", step 5.4 returns null, while if they passed "optional" or "required", the algorithm proceeds to call [[DiscoverFromExternalSource]], where webauthn does all of its work.

It probably makes sense to clarify this in https://w3c.github.io/webauthn/#getAssertion, saying that navigator.credentials.get() lands here, and that by not-overriding [[CollectFromCredentialStore]] we've disabled unmediated get() calls.

[equalsJeffH]

@jyasskin when you use the term "user" in the above, you mean the client-side webapp script?

[jyasskin]

@equalsJeffH Yep, edited to be more precise.