Address description of uses, and requirements for supplying userHandle #1914
…ies with empty allowCredentials list and enhance description and uses of userHandle
Looks good to me, save for a few minor comments (mostly trailing whitespace). Thanks!
Co-authored-by: Emil Lundberg <emil@emlun.se>
remove whitespace Co-authored-by: Emil Lundberg <emil@emlun.se>
Remove whitespace Co-authored-by: Emil Lundberg <emil@emlun.se>
Accepted all suggestions - thanks for the review.
Note: this adds a new normative requirement for clients to ignore empty-allowCredentials responses without user handle. I therefore tagged this with the "technical" label.
lgtm
SHA: bd68fbf Reason: push, by nicksteele Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
This was discussed again on call of 16 August 2023, and general consensus was that browser vendors seem unlikely to change current implementations to enforce that assertions from an authenticator be rejected if userHandle is not supplied during ceremonies without an allowCredentials list. That said, it is desirable that the spec be internally consistent. Even without browser implementation changes, RPs should still reject these assertions since section 7 already required the RP to verify the userHandle in such cases. This PR makes the spec consistent and the decision was made to merge the PR.
Explicitly require userHandle to be supplied during assertion ceremonies with empty allowCredentials list and enhance description and uses of userHandle.