Make makeCredential() more precise. #347
Conversation
jyasskin
changed the title
jyasskin
force-pushed
the
clean-make-credential
branch
2 times, most recently
from
a1c674c
to
f06fd29
Compare
|
It seems #273 is the more elaborate issue. |
index.bs
Outdated
| : {{challenge}} | ||
| :: The [=base64url encoding=] of {{attestationChallenge}} | ||
| : {{origin}} | ||
| :: |rpId| |
There was a problem hiding this comment.
rpId is not an origin though. It can be a host per the above steps.
There was a problem hiding this comment.
Yep, I haven't tackled #259 yet, and I think that'll be easier once w3c/html#769 (splitting the document.domain setter) is fixed. So fixing this will probably be a follow-up. That said, it's probably a good idea to specify this as one of the serializations of an origin, pretending |rpId| is already an origin.
There was a problem hiding this comment.
We'll get the fix in whatwg/html; w3c is just where the bug happened to get filed due to #257.
jyasskin
force-pushed
the
clean-make-credential
branch
2 times, most recently
from
47b9c22
to
02b0bb2
Compare
jyasskin
force-pushed
the
clean-make-credential
branch
from
6388eb1
to
1af52d3
Compare
index.bs
Outdated
| : {{ClientData/extensions}} | ||
| :: <code>{{options}}.{{ScopedCredentialOptions/extensions}}</code> | ||
|
|
||
| 10. Let |clientDataJSON| be the UTF-8 encoding of the result of calling the |
There was a problem hiding this comment.
You should link UTF-8 encoding to https://encoding.spec.whatwg.org/#utf-8-encode.
There was a problem hiding this comment.
thanks @jyasskin, this seems to me to be an overall improvement to the prior state. I have some questions/suggestions inline.
| @@ -62,6 +66,7 @@ spec: WebCryptoAPI; urlPrefix: https://www.w3.org/TR/WebCryptoAPI/ | |||
| </pre> <!-- class=anchors --> | |||
|
|
|||
| <pre class="link-defaults"> | |||
| spec:infra; type:dfn; text:list | |||
There was a problem hiding this comment.
Add "infra" to the list of dependencies in {#dependencies}?
There was a problem hiding this comment.
Bikeshed does provide an [INFRA] in https://api.csswg.org/bikeshed/?url=https://raw.githubusercontent.com/jyasskin/webauthn/clean-make-credential/index.bs#normative with the used terms listed in https://api.csswg.org/bikeshed/?url=https://raw.githubusercontent.com/jyasskin/webauthn/clean-make-credential/index.bs#index-defined-elsewhere. I can add it redundantly to #dependencies, or we could plan to remove that whole section in favor of the automated sections.
There was a problem hiding this comment.
I usually state them upfront so readers know what kind of things to expect, but maybe we should stop doing that? Probably worth revisiting at some point.
There was a problem hiding this comment.
@annevk said:
I usually state them upfront so readers know what kind of things to expect, but maybe we should stop doing that? Probably worth revisiting at some point
yeah, something to think about. of course i was lame and didn't search further down in doc for mentions/links to [INFRA]. [ perhaps also bikeshed could eventually construct a {#dependencies} section nearer front of specs. ]
There was a problem hiding this comment.
Would y'all file an issue in https://github.com/tabatkins/bikeshed/issues about generating a dependencies section earlier in the document? For now ... I'm going to take this thread as an indication not to add "infra" to #dependencies unless y'all say otherwise.
There was a problem hiding this comment.
Would y'all file an issue in https://github.com/tabatkins/bikeshed/issues about generating a dependencies section earlier in the document?
done: speced/bikeshed#937
I'm going to take this thread as an indication not to add "infra" to #dependencies unless y'all say otherwise.
ok, tho perhaps Dependencies section ought to have link to #index-defined-elsewhere ?
index.bs
Outdated
| Then asynchronously continue executing the following steps. If any fatal error is encountered in this process other than the | ||
| ones enumerated below, cancel the timer, reject |promise| with a DOMException whose name is "{{UnknownError}}", and terminate | ||
| this algorithm. | ||
| Issue: Put some constraints on the "reasonable range". |
There was a problem hiding this comment.
hm, maybe we should only add issues such as this to the spec if there are corresponding issues filed in https://github.com/w3c/webauthn/issues/ and said in-spec-issue explicitly links to the issue-in-github -- i.e., if any in-spec-issues remain at time of merge, they should have corresponding webauthn/issues/ filed.
e.g., some of the below in-spec-issues might be resolved by incorporating review feedback.
There was a problem hiding this comment.
Yeah, that sounds right. I'm hoping to resolve most of the new Issues using your feedback during the review, but I'll file official issues for anything we can't resolve here.
index.bs
Outdated
| cancel the timer started in step 2, return [=a promise rejected with=] with | ||
| a {{DOMException}} whose name is "{{NotSupportedError}}", and terminate this | ||
| algorithm. | ||
|
|
index.bs
Outdated
| an error occurs during this procedure, then [=continue=]. | ||
| - [=list/Append=] a new object of type {{ScopedCredentialParameters}} to | ||
| |normalizedParameters|, with |type| set to | ||
| <code>|current|.{{ScopedCredentialParameters/type}}</code> and |
There was a problem hiding this comment.
add..
Issue(#265): is WRT the above step.
..? (and perhaps just go ahead and incorp the proposed solution?)
There was a problem hiding this comment.
I've incorporated the proposed solution.
There was a problem hiding this comment.
yay, tho there might be a modest bug in last substep: https://github.com/w3c/webauthn/pull/347/files#r103042454 ?
index.bs
Outdated
| <a>present</a>, then [=map/for each=] |extension| → |argument| of | ||
| <code>{{options}}.{{ScopedCredentialOptions/extensions}}</code>: | ||
| 1. If |extension| is not supported by this client platform, [=continue=]. | ||
| 2. Let |result| be the result of running |extension|'s [=client processing=] algorithm on |argument|. |
There was a problem hiding this comment.
s/algorithm/algorithm, if any,/
There was a problem hiding this comment.
We'd need to define what to do with clientExtensions for an extension with no client processing algorithm. https://w3c.github.io/webauthn/#extensions says
Clients wishing to support the widest possible range of extensions may choose to pass through any extensions that they do not recognize to authenticators, generating the authenticator argument by simply encoding the client argument in CBOR.
I'd read that as a default definition of an extension's client processing, but I guess it's actually one of 3 alternatives for this step:
- The extension's defined client processing.
- CBOR-encode argument.
- Continue.
There was a problem hiding this comment.
see https://github.com/w3c/webauthn/pull/347/files#r103043381 for possible resolution...
index.bs
Outdated
| :: <code>{{options}}.{{ScopedCredentialOptions/extensions}}</code> | ||
|
|
||
| 10. Let |clientDataJSON| be the UTF-8 encoding of the result of calling the | ||
| original value of {{JSON/stringify|JSON.stringify}} on |clientData|. |
There was a problem hiding this comment.
what is meant by "calling the original value of JSON.stringify"? The term "original" does not appear in or around https://tc39.github.io/ecma262/#sec-json.stringify
There was a problem hiding this comment.
It should have been "initial", matching https://www.w3.org/2001/tag/doc/promises-guide/#a-new-promise. It's a fuzzy term, but it's meant to defend against the web page assigning a new value to window.JSON or to JSON.stringify.
index.bs
Outdated
| 14. [=set/For each=] |authenticator| in |currentlyAvailableAuthenticators|: | ||
| 1. Let |excludeList| be a new [=list=]. | ||
| 2. [=list/For each=] credential |C| in <code>{{options}}.{{ScopedCredentialOptions/excludeList}}</code>: | ||
| 1. If |C| has an empty {{transports}} list, [=list/append=] it to |
index.bs
Outdated
| 2. If |authenticator| is connected over a transport not mentioned in | ||
| <code>|C|.{{transports}}</code>, the client MAY [=continue=]. | ||
|
|
||
| Issue: I'm not sure this captures the intent of the original wording. |
There was a problem hiding this comment.
upon review it seems to me it does capture the original intent, tho would be good to get @vijaybh's (at least) review.
index.bs
Outdated
| this client platform, to produce the extension data that needs to be sent to the authenticator. If an error is encountered | ||
| while processing an extension, skip that extension and do not produce any extension data for it. Call the result of this | ||
| processing |clientExtensions|. | ||
| Issue: Should "process" be "algorithm", or does it actually mean an OS |
There was a problem hiding this comment.
seems to me "process" should be "algorithm".
There was a problem hiding this comment.
Changed, but @vijaybh should double-check.
index.bs
Outdated
| while processing an extension, skip that extension and do not produce any extension data for it. Call the result of this | ||
| processing |clientExtensions|. | ||
| Issue: Should "process" be "algorithm", or does it actually mean an OS | ||
| process? What kinds of fatal errors are you worried about? I suggest we just |
There was a problem hiding this comment.
It seems to me a case can be made that any possible errors are covered by the "If any authenticator returns an error status", but perhaps @vijaybh was worried about various platform-level errors that might percolate up in real life, eg when calling authenticatorCancel (e.g., authnr is now unreachable) and intends for that sentence to be a catch-all.
jyasskin
force-pushed
the
clean-make-credential
branch
6 times, most recently
from
c403edc
to
3268d0c
Compare
index.bs
Outdated
| :: UA-chosen | ||
|
|
||
| Issue: We need *some* constraints on the possible hash algorithms, or | ||
| else sites will fail on unusual UAs. |
There was a problem hiding this comment.
pick from this set: {"SHA-256", "SHA-384", "SHA-512"}, c.f. webcrypto ?
There was a problem hiding this comment.
I'm inclined to keep that policy decision out of this PR. :) I've filed an issue and referred to it from here.
index.bs
Outdated
| an error occurs during this procedure, then [=continue=]. | ||
| 1. [=list/Append=] the pair of | ||
| <code>|current|.{{ScopedCredentialParameters/type}}</code> and | ||
| |algorithm| to |normalizedAlgorithm|. |
There was a problem hiding this comment.
s/normalizedAlgorithm/normalizedParameters/ ?
index.bs
Outdated
| 1. If the {{ScopedCredentialOptions/extensions}} member of {{options}} is | ||
| <a>present</a>, then [=map/for each=] |extension| → |argument| of | ||
| <code>{{options}}.{{ScopedCredentialOptions/extensions}}</code>: | ||
| 1. If |extension| is not supported by this client platform, [=continue=]. |
There was a problem hiding this comment.
given #347 (comment), should this substep be something like..
If |extension| is not supported by this client platform, either [=continue=], or optionally CBOR-encode |argument| as a byte string, and go to Step 4.
..@vijaybh ?
There was a problem hiding this comment.
I've added some text along those lines, and a new issue to make it better.
| :: |clientExtensions| | ||
|
|
||
| 1. Let |clientDataJSON| be the [=UTF-8 encoding=] of the result of calling the | ||
| initial value of {{JSON/stringify|JSON.stringify}} on |clientData|. |
There was a problem hiding this comment.
Note that this fixes #274 by precisely specifying the JSON format. Do UAs need to use the flexibility that was here before?
There was a problem hiding this comment.
No, we don't want to allow for multiple JSON implementations (and then later have that end up being required due to some silliness/webness).
There was a problem hiding this comment.
You might want to make this change centrally in https://w3c.github.io/webauthn/#clientdata-clientdatajson and reference that here. Maybe we should also change the variable name so that we can say something like "Generate the [=clientDataJSON=] and call it |J|."
|
(Please don't use usernames in commit messages anymore. The spam is annoying and can persist rather long.) |
jyasskin
force-pushed
the
clean-make-credential
branch
from
71b9520
to
62a5ac0
Compare
|
I'm at a C++ committee meeting this week and on vacation next week, so if you want any more changes to this PR, either please feel free to make them yourself, or I'll get to them the week of March 13. |
|
LGTM, thanks @jyasskin. |
| Then asynchronously continue executing the following steps. If any fatal error is encountered in this process other than the | ||
| ones enumerated below, cancel the timer, reject |promise| with a {{DOMException}} whose name is "{{UnknownError}}", and terminate | ||
| this algorithm. | ||
| Issue: Put some constraints on the "reasonable range". |
There was a problem hiding this comment.
Can we use Github to track issues and not put them in the document? Over time it becomes painful to track these inline issues.
There was a problem hiding this comment.
see thread here: #347 (comment)
There was a problem hiding this comment.
Straw man: I chose [15,120] seconds as the range for timeouts in the first Firefox implementation. Under 15 seconds seems too short to dig out a security key, and making things blink for more than two minutes seemed cruel.
|
|
||
| 1. Set |callerOrigin| to the <a>current settings object</a>'s <a>origin</a>. If |callerOrigin| is | ||
| an <a>opaque origin</a>, reject |promise| with a {{DOMException}} whose name is "{{NotAllowedError}}", and | ||
| an <a>opaque origin</a>, [=reject=] |promise| with a {{DOMException}} whose name is "{{NotAllowedError}}", and |
There was a problem hiding this comment.
But you deleted the previous step where |promise| was instantiated, so at this point it is undefined. I suspect what you want to do is keep the part about creating |promise| in the step above this one, and only go async by returning |promise| later on.
There was a problem hiding this comment.
Alternatively, just get rid of |promise| entirely, use [=a promise rejected with=] here and in other error cases, and use [=a new promise=] when going async below.
| <code>{{options}}.{{ScopedCredentialOptions/extensions}}</code>: | ||
| 1. If |extension| is not supported by this client platform, then either: | ||
| * [=Continue=], or | ||
| * Let |result| be a CBOR ([[!RFC7049]]) encoding of |extension|. |
There was a problem hiding this comment.
The consensus among implementers was that we do not want to blindly pass extensions along since this may break a contract the UA has with the user, e.g. you may blindly pass along a location extension when the user has asked to block location info. So maybe we should have [=Continue=] as the only option.
| : {{origin}} | ||
| :: The [=unicode serialization of an origin|unicode serialization=] of |rpId| | ||
| : {{hashAlg}} | ||
| :: UA-chosen |
There was a problem hiding this comment.
We've intentionally avoided using "UA" anywhere in this spec. Suggest "Hash algorithm for generating clientDataHash, by the client". Maybe we could recommend SHA-256 for maximum interop.
| initial value of {{JSON/stringify|JSON.stringify}} on |clientData|. | ||
|
|
||
| Issue: Some extensions contain ArrayBuffers, which don't stringify well. | ||
| What's the intent here? |
There was a problem hiding this comment.
I think we should base64url encode those just as we do with the challenge. Need to update client processing sections of extensions, maybe this should be part of #363.
| :: |clientExtensions| | ||
|
|
||
| 1. Let |clientDataJSON| be the [=UTF-8 encoding=] of the result of calling the | ||
| initial value of {{JSON/stringify|JSON.stringify}} on |clientData|. |
There was a problem hiding this comment.
You might want to make this change centrally in https://w3c.github.io/webauthn/#clientdata-clientdatajson and reference that here. Maybe we should also change the variable name so that we can say something like "Generate the [=clientDataJSON=] and call it |J|."
| 1. [=list/For each=] credential |C| in <code>{{options}}.{{ScopedCredentialOptions/excludeList}}</code>: | ||
| 1. If |C| has an empty {{transports}} list, [=list/append=] |C| to | ||
| |excludeList| and [=continue=]. | ||
| 1. If |authenticator| is connected over a transport not mentioned in |
There was a problem hiding this comment.
This is an "else" from the previous point, right? This seems a bit unwieldy.
Perhaps we could replace all these three sub-bullets with two:
- If |C|.{{transports}} is non-empty and does not contain the transport that |authenticator| is connected over, the client MAY [=continue=].
- [=list/Append=] |C| to |excludeList|.
| any), to create a {{ClientData}} structure representing this request. Choose a hash algorithm for {{ClientData/hashAlg}} and | ||
| compute the {{ScopedCredentialInfo/clientDataJSON}} and its <a>clientDataHash</a>. | ||
| Issue: What kinds of fatal errors are you worried about? I suggest we just | ||
| remove that sentence. |
There was a problem hiding this comment.
OK. The initial intention was to guard against things like low-level communication breakdowns between client and authenticator, but maybe that becomes part of "any authenticator returns an error" now.
| "{{NotAllowedError}}". | ||
|
|
||
| Issue: {{NotAllowedError}} seems incorrect for at least the timeout and | ||
| cancelled exit conditions above. |
There was a problem hiding this comment.
Suggested alternative? If you have one we can just put it in with this PR or open a new issue.
There was a problem hiding this comment.
I've filed #376 for this.
| @@ -542,7 +643,7 @@ When this method is invoked, the user agent MUST execute the following algorithm | |||
| execute a platform-specific procedure to determine which, if any, credentials listed in {{AssertionOptions/allowList}} | |||
| might be present on this authenticator, and set |credentialList| to this filtered list. If no such filtering is | |||
| possible, set |credentialList| to an empty list. | |||
There was a problem hiding this comment.
Should that be [=list=]? Or were you planning to make getAssertion more precise along similar lines in a new PR?
|
As discussed on the call, merging this now. I will send out a new PR with changes reflecting my comments. |
* Refine makeCredential description As per my comments on #347 * Incorporate feedback from JeffH, part 1 * Incorporate feedback from JeffH, part 2 Use "client data" and "authenticator data" instead of "ClientData" and "authenticatorData". * Incorporate feedback from JeffH, part 3 Tag all instances of "client data", "authenticator data" and "attestation data".
* Refine makeCredential description As per my comments on #347 * Incorporate feedback from JeffH, part 1 * [=scoped credential(s)=] * [=authenticator=] * [=[RP]=] * [=Conforming User Agent=] * [=[RPS]=] * [=authenticators=] * [=Web Authentication API=] * [=Registration=] * [=Authentication=] * {{makeCredential()}} and {{getAssertion()}} * [=User Verification=] * [=Authentication Assertion=] * [=authorization gesture=] * [=user consent=] * '<a>...</a>' to be '[=...=]' thru terminology section * Incorporate feedback from JeffH, part 2 Use "client data" and "authenticator data" instead of "ClientData" and "authenticatorData". * Incorporate feedback from JeffH, part 3 Tag all instances of "client data", "authenticator data" and "attestation data". * [=present=] * [=attestation object=] * [=effective domain=] * <a>...</a> replacement up to {#iface-credentialInfo} * <a>...</a> replacement up to {#attestation-formats} * <a>...</a> replacement thru rest of spec * refined regex and caught <a>...</a> stragglers * Fix two typos and some locally anomalous line lengths Typos - weird character in "Subsequently" on line 84, "user verification" missing on line 104 (old) / 102 (new).
I've linked a lot more terms, reordered explanations to be clearer, and
specified some missing behavior.
This fixes #263 and #273, and improves #254 and #270.