From 4cc06707fccbce1e0b053c2d9bff123101579cc0 Mon Sep 17 00:00:00 2001 From: Tim Cappalli Date: Tue, 18 Jul 2023 20:17:09 +0000 Subject: [PATCH 01/27] add getClientCapabilites method and enum --- index.bs | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/index.bs b/index.bs index 6f2734374..4c4d341e2 100644 --- a/index.bs +++ b/index.bs @@ -2802,6 +2802,26 @@ Note: Invoking this method from a [=browsing context=] where the [=Web Authentic +### Get Client Capabilities - PublicKeyCredential's `getClientCapabilities()` Method ### {#sctn-getClientCapabilities} + +
+ +[=[WRPS]=] use this method to determine the availability of a limited set of [=WebAuthn Client|client=] capabilities to offer certain workflows and experiences to users. For example, an RP may offer a sign in button on clients where only {{AuthenticatorTransport/hybrid}} transport is available (instead of showing a username field), or offer security key enrollment on [=WebAuthn Client|clients=] that support client PIN entry. + +Upon invocation, the [=client=] employs a [=client platform=]-specific procedure to discover availablity of these capabilities. + +This method has no arguments and returns a set of strings. + + + partial interface PublicKeyCredential { + static Promise<ClientCapabilities> getClientCapabilities(); + }; + + +Note: Invoking this method from a [=browsing context=] where the [=Web Authentication API=] is "disabled" according to the [=allowed to use=] algorithm—i.e., by a [=permissions policy=]—will result in the promise being rejected with a {{DOMException}} whose name is "{{NotAllowedError}}". See also [[#sctn-permissions-policy]]. + +
+ ### Deserialize Registration ceremony options - PublicKeyCredential's `parseCreationOptionsFromJSON()` Method ### {#sctn-parseCreationOptionsFromJSON}
@@ -3967,6 +3987,24 @@ Note: The {{UserVerificationRequirement}} enumeration is deliberately not refere interest of minimizing disruption to the user interaction flow).
+### Client Capabilities Enumeration (enum ClientCapabilities) ### {#enum-clientCapabilities} + + + enum ClientCapabilities { + "hybrid-transport", + "client-pin-entry" + }; + + +This enumeration defines a limited set of client capabilities which a [=[WRP]=] may evaluate to offer certain workflows and experiences to users. + +
+ : hybrid-transport + :: The [=WebAuthn Client=] supports {{AuthenticatorTransport/hybrid}} transport. + + : client-pin-entry + :: The [=WebAuthn Client=] supports PIN entry for [=user verification=] or other [=authenticator=] operations. +
## Permissions Policy integration ## {#sctn-permissions-policy} From 9214c75cdabaf4d1f68cad2ab9967d3d2b4895bf Mon Sep 17 00:00:00 2001 From: Tim Cappalli Date: Tue, 25 Jul 2023 20:06:40 -0400 Subject: [PATCH 02/27] add "the" Co-authored-by: Adam Langley --- index.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.bs b/index.bs index 4c4d341e2..e94593504 100644 --- a/index.bs +++ b/index.bs @@ -4000,7 +4000,7 @@ This enumeration defines a limited set of client capabilities which a [=[WRP]=]
: hybrid-transport - :: The [=WebAuthn Client=] supports {{AuthenticatorTransport/hybrid}} transport. + :: The [=WebAuthn Client=] supports the {{AuthenticatorTransport/hybrid}} transport. : client-pin-entry :: The [=WebAuthn Client=] supports PIN entry for [=user verification=] or other [=authenticator=] operations. From 5e47920cefa86a75a21fa2239f8f4511b7826de3 Mon Sep 17 00:00:00 2001 From: Tim Cappalli Date: Wed, 26 Jul 2023 00:10:24 +0000 Subject: [PATCH 03/27] change enum to ClientCapability for consistency --- index.bs | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/index.bs b/index.bs index e94593504..16a4cc209 100644 --- a/index.bs +++ b/index.bs @@ -2814,7 +2814,7 @@ This method has no arguments and returns a set of strings. partial interface PublicKeyCredential { - static Promise<ClientCapabilities> getClientCapabilities(); + static Promise<clientCapability> getClientCapabilities(); }; @@ -3987,10 +3987,10 @@ Note: The {{UserVerificationRequirement}} enumeration is deliberately not refere interest of minimizing disruption to the user interaction flow).
-### Client Capabilities Enumeration (enum ClientCapabilities) ### {#enum-clientCapabilities} +### Client Capability Enumeration (enum ClientCapability) ### {#enum-clientCapability} - enum ClientCapabilities { + enum ClientCapability { "hybrid-transport", "client-pin-entry" }; @@ -3998,7 +3998,7 @@ Note: The {{UserVerificationRequirement}} enumeration is deliberately not refere This enumeration defines a limited set of client capabilities which a [=[WRP]=] may evaluate to offer certain workflows and experiences to users. -<div dfn-type="enum-value" dfn-for="ClientCapabilities"> +<div dfn-type="enum-value" dfn-for="ClientCapability"> : <dfn>hybrid-transport</dfn> :: The [=WebAuthn Client=] supports the {{AuthenticatorTransport/hybrid}} transport. From 1600f58accc46a8aaa05e18770bc5d863ff3e251 Mon Sep 17 00:00:00 2001 From: Tim Cappalli <tim@cloudauth.dev> Date: Wed, 26 Jul 2023 00:12:46 +0000 Subject: [PATCH 04/27] add note about enum not being referenced --- index.bs | 2 ++ 1 file changed, 2 insertions(+) diff --git a/index.bs b/index.bs index 16a4cc209..cfc688334 100644 --- a/index.bs +++ b/index.bs @@ -3998,6 +3998,8 @@ Note: The {{UserVerificationRequirement}} enumeration is deliberately not refere This enumeration defines a limited set of client capabilities which a [=[WRP]=] may evaluate to offer certain workflows and experiences to users. +Note: The {{ClientCapability}} enumeration is deliberately not referenced, see [[#sct-domstring-backwards-compatibility]]. + <div dfn-type="enum-value" dfn-for="ClientCapability"> : <dfn>hybrid-transport</dfn> :: The [=WebAuthn Client=] supports the {{AuthenticatorTransport/hybrid}} transport. From 450959b5167052cd6e10ac716100be38512ddcab Mon Sep 17 00:00:00 2001 From: Tim Cappalli <tim@cloudauth.dev> Date: Wed, 26 Jul 2023 00:57:17 +0000 Subject: [PATCH 05/27] updated interface to sequence of DOMStrings --- index.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/index.bs b/index.bs index cfc688334..7a2e20fcf 100644 --- a/index.bs +++ b/index.bs @@ -2814,7 +2814,7 @@ This method has no arguments and returns a set of strings. <xmp class="idl"> partial interface PublicKeyCredential { - static Promise<clientCapability> getClientCapabilities(); + static Promise<sequence<DOMString>> getClientCapabilities(); }; From 968040a72db36cb2dcfc6440f4b9ef280b5d2422 Mon Sep 17 00:00:00 2001 From: Tim Cappalli Date: Wed, 26 Jul 2023 20:12:38 +0000 Subject: [PATCH 06/27] remove client-pin-entry per 2023-07-26 call --- index.bs | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/index.bs b/index.bs index 7a2e20fcf..ad632e54d 100644 --- a/index.bs +++ b/index.bs @@ -3991,8 +3991,7 @@ Note: The {{UserVerificationRequirement}} enumeration is deliberately not refere enum ClientCapability { - "hybrid-transport", - "client-pin-entry" + "hybrid-transport" }; @@ -4004,8 +4003,6 @@ Note: The {{ClientCapability}} enumeration is deliberately not referenced, see [ : hybrid-transport :: The [=WebAuthn Client=] supports the {{AuthenticatorTransport/hybrid}} transport. - : client-pin-entry - :: The [=WebAuthn Client=] supports PIN entry for [=user verification=] or other [=authenticator=] operations. ## Permissions Policy integration ## {#sctn-permissions-policy} From 6931dadd4595cd2238398a56e0eea1a73ce6978a Mon Sep 17 00:00:00 2001 From: Tim Cappalli Date: Tue, 1 Aug 2023 20:07:04 +0000 Subject: [PATCH 07/27] change to dict and add new values --- index.bs | 32 +++++++++++++++++++++----------- 1 file changed, 21 insertions(+), 11 deletions(-) diff --git a/index.bs b/index.bs index ad632e54d..cfec2e516 100644 --- a/index.bs +++ b/index.bs @@ -2806,15 +2806,15 @@ Note: Invoking this method from a [=browsing context=] where the [=Web Authentic
-[=[WRPS]=] use this method to determine the availability of a limited set of [=WebAuthn Client|client=] capabilities to offer certain workflows and experiences to users. For example, an RP may offer a sign in button on clients where only {{AuthenticatorTransport/hybrid}} transport is available (instead of showing a username field), or offer security key enrollment on [=WebAuthn Client|clients=] that support client PIN entry. +[=[WRPS]=] use this method to determine the availability of a limited set of [=WebAuthn Client|client=] capabilities to offer certain workflows and experiences to users. Upon invocation, the [=client=] employs a [=client platform=]-specific procedure to discover availablity of these capabilities. -This method has no arguments and returns a set of strings. +This method has no arguments and returns a promise to a map. partial interface PublicKeyCredential { - static Promise<sequence<DOMString>> getClientCapabilities(); + static Promise<ClientCapability> getClientCapabilities(); }; @@ -3987,21 +3987,31 @@ Note: The {{UserVerificationRequirement}} enumeration is deliberately not refere interest of minimizing disruption to the user interaction flow).
-### Client Capability Enumeration (enum ClientCapability) ### {#enum-clientCapability} +### Client Capability Set (dictionary ClientCapability) ### {#dictionary-client-capability} - enum ClientCapability { - "hybrid-transport" + dictionary ClientCapability { + boolean userVerifyingPlatformAuthenticator; + boolean hybridTransport; + boolean passkeyPlatformAuthenticator; + boolean conditionalMediation; }; -This enumeration defines a limited set of client capabilities which a [=[WRP]=] may evaluate to offer certain workflows and experiences to users. +This dictionary defines a limited set of client capabilities which a [=[WRP]=] may evaluate to offer certain workflows and experiences to users. -Note: The {{ClientCapability}} enumeration is deliberately not referenced, see [[#sct-domstring-backwards-compatibility]]. +
+ : userVerifyingPlatformAuthenticator + :: The [=WebAuthn Client=] supports usage of a [=user-verifying platform authenticator=]. -
- : hybrid-transport - :: The [=WebAuthn Client=] supports the {{AuthenticatorTransport/hybrid}} transport. + : hybridTransport + :: The [=WebAuthn Client=] supports usage of the {{AuthenticatorTransport/hybrid}} transport. + + : passkeyPlatformAuthenticator + :: The [=WebAuthn Client=] supports usage of a [=passkey platform authenticator=], locally and/or via {{AuthenticatorTransport/hybrid}} transport. + + : conditionalMediation + :: The [=WebAuthn Client=] is capable of {{CredentialMediationRequirement/conditional}} mediation.
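Review bot: in the `dictionary ClientCapability` block of PATCH 07/27, the four `boolean` members are neither `required` nor given a default, and the prose does not say what a missing member means, so a relying party cannot tell "not supported" from "not reported". Either mark the members `required` or state how an absent member is to be interpreted. The method text in the first hunk also says it "returns a promise to a map" while the IDL resolves to a dictionary; use one term for both.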
From 73071620a3ba5fb6fd03d4344f22ab4177a81441 Mon Sep 17 00:00:00 2001 From: Tim Cappalli Date: Tue, 1 Aug 2023 20:10:33 +0000 Subject: [PATCH 08/27] remove isPasskeyPlatformAuthenticatorAvailable --- index.bs | 23 ----------------------- 1 file changed, 23 deletions(-) diff --git a/index.bs b/index.bs index 6f2734374..b12912229 100644 --- a/index.bs +++ b/index.bs @@ -2779,29 +2779,6 @@ Note: Invoking this method from a [=browsing context=] where the [=Web Authentic
-### Availability of a [=passkey platform authenticator=] - PublicKeyCredential's `isPasskeyPlatformAuthenticatorAvailable()` Method ### {#sctn-isPasskeyPlatformAuthenticatorAvailable} - -
- -[=[WRPS]=] use this method to determine whether they can create a new [=passkey=] using a [=user-verifying platform authenticator=] or a {{AuthenticatorTransport/hybrid}} authenticator. -Upon invocation, the [=client=] employs a [=client platform=]-specific procedure to discover available [=user-verifying platform authenticators=] and the -availability of {{AuthenticatorTransport/hybrid}} transport. -If one or both are discovered, the promise is resolved with the value of [TRUE]. -If neither is discovered, the promise is resolved with the value of [FALSE]. -Based on the result, the [=[RP]=] can take further actions to guide the user to create a [=passkey=]. - -This method has no arguments and returns a Boolean value. - - - partial interface PublicKeyCredential { - static Promise<boolean> isPasskeyPlatformAuthenticatorAvailable(); - }; - - -Note: Invoking this method from a [=browsing context=] where the [=Web Authentication API=] is "disabled" according to the [=allowed to use=] algorithm—i.e., by a [=permissions policy=]—will result in the promise being rejected with a {{DOMException}} whose name is "{{NotAllowedError}}". See also [[#sctn-permissions-policy]]. - -
- ### Deserialize Registration ceremony options - PublicKeyCredential's `parseCreationOptionsFromJSON()` Method ### {#sctn-parseCreationOptionsFromJSON}
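Review bot: PATCH 08/27 deletes the only text that spelled out the resolution rule for `isPasskeyPlatformAuthenticatorAvailable()` ("If one or both are discovered, the promise is resolved with the value of [TRUE]") and leaves no pointer to its replacement. The `passkeyPlatformAuthenticator` member added in PATCH 07/27 is described only as "locally and/or via hybrid transport"; confirm that wording is meant to carry the same "one or both" rule, and add a sentence telling relying parties that call the removed method which capability to read instead.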
From baa930a738a2bb25ab73cbbd65bd0c0f6f004560 Mon Sep 17 00:00:00 2001 From: Tim Cappalli Date: Wed, 2 Aug 2023 01:54:13 +0000 Subject: [PATCH 09/27] s/ClientCapability/ClientCapabilities --- index.bs | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/index.bs b/index.bs index cfec2e516..864a01375 100644 --- a/index.bs +++ b/index.bs @@ -2814,7 +2814,7 @@ This method has no arguments and returns a promise to a map. partial interface PublicKeyCredential { - static Promise<ClientCapability> getClientCapabilities(); + static Promise<ClientCapabilities> getClientCapabilities(); }; @@ -3987,10 +3987,10 @@ Note: The {{UserVerificationRequirement}} enumeration is deliberately not refere interest of minimizing disruption to the user interaction flow).
-### Client Capability Set (dictionary ClientCapability) ### {#dictionary-client-capability} +### Client Capabilities Set (dictionary ClientCapabilities) ### {#dictionary-client-capabilities} - dictionary ClientCapability { + dictionary ClientCapabilities { boolean userVerifyingPlatformAuthenticator; boolean hybridTransport; boolean passkeyPlatformAuthenticator; @@ -4000,7 +4000,7 @@ Note: The {{UserVerificationRequirement}} enumeration is deliberately not refere This dictionary defines a limited set of client capabilities which a [=[WRP]=] may evaluate to offer certain workflows and experiences to users. -<div dfn-type="dict-member" dfn-for="ClientCapability"> +<div dfn-type="dict-member" dfn-for="ClientCapabilities"> : <dfn>userVerifyingPlatformAuthenticator</dfn> :: The [=WebAuthn Client=] supports usage of a [=user-verifying platform authenticator=]. From 633a2da0ae7d02665054a037b50aab0e5515fb49 Mon Sep 17 00:00:00 2001 From: Tim Cappalli <tim@cloudauth.dev> Date: Wed, 6 Sep 2023 14:22:50 +0000 Subject: [PATCH 10/27] first stab at new approach for getClientCapabilities --- index.bs | 57 +++++++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 44 insertions(+), 13 deletions(-) diff --git a/index.bs b/index.bs index 4bb23a15b..a6e30b73e 100644 --- a/index.bs +++ b/index.bs 
@@ -2779,6 +2779,36 @@ Note: Invoking this method from a [=browsing context=] where the [=Web Authentic </div> +### Availability of [=client=] capabilities - PublicKeyCredential's `getClientCapabilities()` Method ### {#sctn-getClientCapabilities} + +<div link-for-hint="WebAuthentication/getClientCapabilities"> + +[=[WRPS]=] use this method to determine the availability of a limited set of [=WebAuthn Client|client=] capabilities to offer certain workflows and experiences to users. For example, an RP may offer a sign in button on clients where only {{AuthenticatorTransport/hybrid}} transport is available or where {{CredentialMediationRequirement/conditional}} mediation is unavailable (instead of showing a username field). + +Upon invocation, the [=client=] employs a [=client platform=]-specific procedure to discover availablity of these capabilities. + +This method has no arguments and returns a map of capability keys to boolean values. + +<xmp class="idl"> + partial interface PublicKeyCredential { + static Promise<GetClientCapabilitiesResult> getClientCapabilities(); + }; + + interface GetClientCapabilitiesResult { + readonly maplike<DOMString, boolean>; + }; + + +Keys in {{GetClientCapabilitiesResult}} SHOULD be members of {{ClientCapability}}. + +When the value for a given capability is [TRUE], the feature is known to be currently supported by the client. +When the value for a given capability is [FALSE], the feature is known to be not currently supported by the client. +When a given capability is `undefined`, the availibility of the client feature is not known. + +Note: Invoking this method from a [=browsing context=] where the [=Web Authentication API=] is "disabled" according to the [=allowed to use=] algorithm—i.e., by a [=permissions policy=]—will result in the promise being rejected with a {{DOMException}} whose name is "{{NotAllowedError}}". See also [[#sctn-permissions-policy]]. 
+ + + ### Deserialize Registration ceremony options - PublicKeyCredential's `parseCreationOptionsFromJSON()` Method ### {#sctn-parseCreationOptionsFromJSON}
@@ -3944,32 +3974,33 @@ Note: The {{UserVerificationRequirement}} enumeration is deliberately not refere interest of minimizing disruption to the user interaction flow).
-### Client Capabilities Set (dictionary ClientCapabilities) ### {#dictionary-client-capabilities} +### Client Capability Enumeration (enum ClientCapability) ### {#enum-clientCapability} - dictionary ClientCapabilities { - boolean userVerifyingPlatformAuthenticator; - boolean hybridTransport; - boolean passkeyPlatformAuthenticator; - boolean conditionalMediation; + enum ClientCapability { + "user-verifying-platform-authenticator", + "hybrid-transport, + "passkey-platform-authenticator", + "conditional-mediation" }; -This dictionary defines a limited set of client capabilities which a [=[WRP]=] may evaluate to offer certain workflows and experiences to users. +This enumeration defines a limited set of client capabilities which a [=[WRP]=] may evaluate to offer certain workflows and experiences to users. -
- : userVerifyingPlatformAuthenticator +Note: The {{ClientCapability}} enumeration is deliberately not referenced, see [[#sct-domstring-backwards-compatibility]]. + +
+ : user-verifying-platform-authenticator :: The [=WebAuthn Client=] supports usage of a [=user-verifying platform authenticator=]. - : hybridTransport + : hybrid-transport :: The [=WebAuthn Client=] supports usage of the {{AuthenticatorTransport/hybrid}} transport. - : passkeyPlatformAuthenticator + : passkey-platform-authenticator :: The [=WebAuthn Client=] supports usage of a [=passkey platform authenticator=], locally and/or via {{AuthenticatorTransport/hybrid}} transport. - : conditionalMediation + : conditional-mediation :: The [=WebAuthn Client=] is capable of {{CredentialMediationRequirement/conditional}} mediation. -
## Permissions Policy integration ## {#sctn-permissions-policy} From 244b54e79f9fa0a83960f1c87c2d3d865c1ec9ce Mon Sep 17 00:00:00 2001 From: Tim Cappalli Date: Wed, 6 Sep 2023 14:35:39 +0000 Subject: [PATCH 11/27] missing quote --- index.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.bs b/index.bs index a6e30b73e..0de82555a 100644 --- a/index.bs +++ b/index.bs @@ -3979,7 +3979,7 @@ Note: The {{UserVerificationRequirement}} enumeration is deliberately not refere enum ClientCapability { "user-verifying-platform-authenticator", - "hybrid-transport, + "hybrid-transport", "passkey-platform-authenticator", "conditional-mediation" }; From 1fe91797ad288240266533d8f9cbaadc9f949fad Mon Sep 17 00:00:00 2001 From: Tim Cappalli <tim@cloudauth.dev> Date: Wed, 6 Sep 2023 14:45:37 +0000 Subject: [PATCH 12/27] add SecureContext to result --- index.bs | 1 + 1 file changed, 1 insertion(+) diff --git a/index.bs b/index.bs index 0de82555a..b2809384f 100644 --- a/index.bs +++ b/index.bs @@ -2794,6 +2794,7 @@ This method has no arguments and returns a map of capability keys to boolean val static Promise<GetClientCapabilitiesResult> getClientCapabilities(); }; + [SecureContext, Exposed=Window] interface GetClientCapabilitiesResult { readonly maplike<DOMString, boolean>; }; From 5c39e19f9d18113c22996e7f99a1de4dc5d6707c Mon Sep 17 00:00:00 2001 From: Tim Cappalli <tim@cloudauth.dev> Date: Wed, 6 Sep 2023 22:38:03 -0400 Subject: [PATCH 13/27] spelling Co-authored-by: Matthew Miller <mmiller@duosecurity.com> --- index.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.bs b/index.bs index b2809384f..1cc5a3a95 100644 --- a/index.bs +++ b/index.bs 
@@ -2804,7 +2804,7 @@ Keys in {{GetClientCapabilitiesResult}} SHOULD be members of {{ClientCapability} When the value for a given capability is [TRUE], the feature is known to be currently supported by the client. When the value for a given capability is [FALSE], the feature is known to be not currently supported by the client. -When a given capability is `undefined`, the availibility of the client feature is not known. +When a given capability is `undefined`, the availability of the client feature is not known. Note: Invoking this method from a [=browsing context=] where the [=Web Authentication API=] is "disabled" according to the [=allowed to use=] algorithm&mdash;i.e., by a [=permissions policy=]&mdash;will result in the promise being rejected with a {{DOMException}} whose name is "{{NotAllowedError}}". See also [[#sctn-permissions-policy]]. From 699e9d158058ab5b7a852e7abd73876e297269ad Mon Sep 17 00:00:00 2001 From: Tim Cappalli <tim@cloudauth.dev> Date: Thu, 7 Sep 2023 02:44:00 +0000 Subject: [PATCH 14/27] add conditional-create --- index.bs | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/index.bs b/index.bs index 1cc5a3a95..7fd01514c 100644 --- a/index.bs +++ b/index.bs @@ -3982,7 +3982,8 @@ Note: The {{UserVerificationRequirement}} enumeration is deliberately not refere "user-verifying-platform-authenticator", "hybrid-transport", "passkey-platform-authenticator", - "conditional-mediation" + "conditional-mediation", + "conditional-create" }; @@ -4002,6 +4003,9 @@ Note: The {{ClientCapability}} enumeration is deliberately not referenced, see [ : conditional-mediation :: The [=WebAuthn Client=] is capable of {{CredentialMediationRequirement/conditional}} mediation. + + : conditional-create + :: The [=WebAuthn Client=] is capable of a {{CredentialMediationRequirement/conditional}} credential creation operation.
## Permissions Policy integration ## {#sctn-permissions-policy} From 53e8d8ca4d720705a5dee4fc676d6f1df0d946ba Mon Sep 17 00:00:00 2001 From: Tim Cappalli Date: Fri, 29 Sep 2023 11:05:27 -0400 Subject: [PATCH 15/27] Incorporate Emil's changes Co-authored-by: Emil Lundberg --- index.bs | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/index.bs b/index.bs index 7fd01514c..44dd7aa1c 100644 --- a/index.bs +++ b/index.bs @@ -2787,7 +2787,7 @@ Note: Invoking this method from a [=browsing context=] where the [=Web Authentic Upon invocation, the [=client=] employs a [=client platform=]-specific procedure to discover availablity of these capabilities. -This method has no arguments and returns a map of capability keys to boolean values. +This method has no arguments and returns a map of capability keys to Boolean values. partial interface PublicKeyCredential { 
@@ -2800,11 +2800,12 @@ This method has no arguments and returns a map of capability keys to boolean val }; -Keys in {{GetClientCapabilitiesResult}} SHOULD be members of {{ClientCapability}}. +[=map/Keys=] in {{GetClientCapabilitiesResult}} MUST be sorted in ascending lexicographical order. +The set of [=map/keys=] SHOULD equal the set of [=enumeration values=] of {{ClientCapability}}. When the value for a given capability is [TRUE], the feature is known to be currently supported by the client. When the value for a given capability is [FALSE], the feature is known to be not currently supported by the client. -When a given capability is `undefined`, the availability of the client feature is not known. +When a capability does not [=map/exist=] as a key, the availability of the client feature is not known. Note: Invoking this method from a [=browsing context=] where the [=Web Authentication API=] is "disabled" according to the [=allowed to use=] algorithm—i.e., by a [=permissions policy=]—will result in the promise being rejected with a {{DOMException}} whose name is "{{NotAllowedError}}". See also [[#sctn-permissions-policy]]. From b27eb4d0d2644f227c986faaaab308394455801f Mon Sep 17 00:00:00 2001 From: Tim Cappalli Date: Fri, 27 Oct 2023 02:29:31 +0000 Subject: [PATCH 16/27] address AGL global namespace feedback --- index.bs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/index.bs b/index.bs index 44dd7aa1c..815af5995 100644 --- a/index.bs +++ b/index.bs 
@@ -2791,16 +2791,16 @@ This method has no arguments and returns a map of capability keys to Boolean val partial interface PublicKeyCredential { - static Promise<GetClientCapabilitiesResult> getClientCapabilities(); + static Promise<PublicKeyCredentialClientCapabilities> getClientCapabilities(); }; [SecureContext, Exposed=Window] - interface GetClientCapabilitiesResult { + interface PublicKeyCredentialClientCapabilities { readonly maplike<DOMString, boolean>; }; -[=map/Keys=] in {{GetClientCapabilitiesResult}} MUST be sorted in ascending lexicographical order. +[=map/Keys=] in {{PublicKeyCredentialClientCapabilities}} MUST be sorted in ascending lexicographical order. The set of [=map/keys=] SHOULD equal the set of [=enumeration values=] of {{ClientCapability}}. When the value for a given capability is [TRUE], the feature is known to be currently supported by the client. From ecc19d46c98fcb9cfa185da04ae5b0901ada6d79 Mon Sep 17 00:00:00 2001 From: Tim Cappalli Date: Mon, 11 Dec 2023 19:13:49 +0000 Subject: [PATCH 17/27] first pass at privacy considerations --- index.bs | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/index.bs b/index.bs index 815af5995..ddad14043 100644 --- a/index.bs +++ b/index.bs 
@@ -8563,6 +8563,11 @@ If a [=platform authenticator=] is included in a [=client device=] with a multi- authenticator=] and [=client device=] SHOULD work together to ensure that the existence of any [=platform credential=] is revealed only to the operating system user that created that [=platform credential=]. +### Disclosing Client Capabilities ### {#sctn-disclosing-client-capabilities} + +The {{getClientCapabilities}} method assists [=[WRPS]=] in crafting registration and authentication experiences which have a high chance of success with the client and/or user. + +By indicating support of a certain WebAuthn-capability, a relying party may also be able to infer other lower level platform features, such as the availability of Bluetooth. Client implementations MAY wish to limit capability disclosures based on client policy and/or user consent. ## Privacy considerations for [=[RPS]=] ## {#sctn-privacy-considerations-rp} From 594e3388d0af20977dbce2c0fe3bb5cd7a83429f Mon Sep 17 00:00:00 2001 From: Tim Cappalli Date: Mon, 11 Dec 2023 19:57:14 +0000 Subject: [PATCH 18/27] John's feedback --- index.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.bs b/index.bs index ddad14043..0f462659e 100644 --- a/index.bs +++ b/index.bs 
@@ -8567,7 +8567,7 @@ only to the operating system user that created that [=platform credential=]. The {{getClientCapabilities}} method assists [=[WRPS]=] in crafting registration and authentication experiences which have a high chance of success with the client and/or user. -By indicating support of a certain WebAuthn-capability, a relying party may also be able to infer other lower level platform features, such as the availability of Bluetooth. Client implementations MAY wish to limit capability disclosures based on client policy and/or user consent. +The client's support or lack of support of a WebAuthn capability may pose a fingerprinting risk. Client implementations MAY wish to limit capability disclosures based on client policy and/or user consent. ## Privacy considerations for [=[RPS]=] ## {#sctn-privacy-considerations-rp} From a3fd6fda1167d563a8d64c5e5a52525cc1954629 Mon Sep 17 00:00:00 2001 From: Matthew Miller Date: Wed, 3 Jan 2024 15:10:06 -0800 Subject: [PATCH 19/27] Replace "maplike" with "record" --- index.bs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/index.bs b/index.bs index 094fcef89..95fa4dbd5 100644 --- a/index.bs +++ b/index.bs @@ -2801,7 +2801,7 @@ Note: Invoking this method from a [=browsing context=] where the [=Web Authentic Upon invocation, the [=client=] employs a [=client platform=]-specific procedure to discover availablity of these capabilities. -This method has no arguments and returns a map of capability keys to Boolean values. +This method has no arguments and returns a record of capability keys to Boolean values. partial interface PublicKeyCredential { @@ -2810,7 +2810,7 @@ This method has no arguments and returns a map of capability keys to Boolean val [SecureContext, Exposed=Window] interface PublicKeyCredentialClientCapabilities { - readonly maplike<DOMString, boolean>; + readonly record<DOMString, boolean>; }; From a856b6da966cbce9029a54ad6344237fe862c803 Mon Sep 17 00:00:00 2001 
From: Matthew Miller Date: Wed, 3 Jan 2024 15:10:45 -0800 Subject: [PATCH 20/27] Switch to camelCase for capability names --- index.bs | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/index.bs b/index.bs index 95fa4dbd5..53ed4fea4 100644 --- a/index.bs +++ b/index.bs @@ -4019,11 +4019,11 @@ Note: The {{UserVerificationRequirement}} enumeration is deliberately not refere enum ClientCapability { - "user-verifying-platform-authenticator", - "hybrid-transport", - "passkey-platform-authenticator", - "conditional-mediation", - "conditional-create" + "userVerifyingPlatformAuthenticator", + "hybridTransport", + "passkeyPlatformAuthenticator", + "conditionalMediation", + "conditionalCreate" }; @@ -4032,19 +4032,19 @@ This enumeration defines a limited set of client capabilities which a [=[WRP]=] Note: The {{ClientCapability}} enumeration is deliberately not referenced, see [[#sct-domstring-backwards-compatibility]].
- : user-verifying-platform-authenticator + : userVerifyingPlatformAuthenticator :: The [=WebAuthn Client=] supports usage of a [=user-verifying platform authenticator=]. - : hybrid-transport + : hybridTransport :: The [=WebAuthn Client=] supports usage of the {{AuthenticatorTransport/hybrid}} transport. - : passkey-platform-authenticator + : passkeyPlatformAuthenticator :: The [=WebAuthn Client=] supports usage of a [=passkey platform authenticator=], locally and/or via {{AuthenticatorTransport/hybrid}} transport. - : conditional-mediation + : conditionalMediation :: The [=WebAuthn Client=] is capable of {{CredentialMediationRequirement/conditional}} mediation. - : conditional-create + : conditionalCreate :: The [=WebAuthn Client=] is capable of a {{CredentialMediationRequirement/conditional}} credential creation operation.
From 4969d28f403ee35b5e32983640ea552d39f7e2f4 Mon Sep 17 00:00:00 2001 From: Matthew Miller Date: Wed, 3 Jan 2024 15:16:16 -0800 Subject: [PATCH 21/27] Prune readonly from record --- index.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.bs b/index.bs index 53ed4fea4..3b6b43fda 100644 --- a/index.bs +++ b/index.bs @@ -2810,7 +2810,7 @@ This method has no arguments and returns a record of capability keys to Boolean [SecureContext, Exposed=Window] interface PublicKeyCredentialClientCapabilities { - readonly record; + record; }; From b0fdc69d6ebe9ca12fb580fc21c13e521ce73e51 Mon Sep 17 00:00:00 2001 From: Matthew Miller Date: Wed, 3 Jan 2024 15:23:27 -0800 Subject: [PATCH 22/27] Switch to a typedef --- index.bs | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/index.bs b/index.bs index 3b6b43fda..f7ada31ce 100644 --- a/index.bs +++ b/index.bs @@ -2808,10 +2808,7 @@ This method has no arguments and returns a record of capability keys to Boolean static Promise getClientCapabilities(); }; - [SecureContext, Exposed=Window] - interface PublicKeyCredentialClientCapabilities { - record; - }; + typedef record PublicKeyCredentialClientCapabilities; [=map/Keys=] in {{PublicKeyCredentialClientCapabilities}} MUST be sorted in ascending lexicographical order. From 903620ec2be7c5118b8357b2ab909a45bf63d896 Mon Sep 17 00:00:00 2001 From: Matthew Miller Date: Fri, 5 Jan 2024 09:22:42 -0800 Subject: [PATCH 23/27] Remove key sorting requirement --- index.bs | 1 - 1 file changed, 1 deletion(-) diff --git a/index.bs b/index.bs index f7ada31ce..8016484bf 100644 --- a/index.bs +++ b/index.bs 
@@ -2811,7 +2811,6 @@ This method has no arguments and returns a record of capability keys to Boolean typedef record PublicKeyCredentialClientCapabilities; -[=map/Keys=] in {{PublicKeyCredentialClientCapabilities}} MUST be sorted in ascending lexicographical order. The set of [=map/keys=] SHOULD equal the set of [=enumeration values=] of {{ClientCapability}}. When the value for a given capability is [TRUE], the feature is known to be currently supported by the client. From ee7990c2766a88cc1e307c9e068e808d28d0268c Mon Sep 17 00:00:00 2001 From: Matthew Miller Date: Mon, 8 Jan 2024 09:47:34 -0800 Subject: [PATCH 24/27] Add link to Disclosing Client Capabilities section --- index.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.bs b/index.bs index 8016484bf..697feb000 100644 --- a/index.bs +++ b/index.bs @@ -2811,7 +2811,7 @@ This method has no arguments and returns a record of capability keys to Boolean typedef record PublicKeyCredentialClientCapabilities; -The set of [=map/keys=] SHOULD equal the set of [=enumeration values=] of {{ClientCapability}}. +The set of [=map/keys=] SHOULD equal the set of [=enumeration values=] of {{ClientCapability}}. See also [[#sctn-disclosing-client-capabilities]]. When the value for a given capability is [TRUE], the feature is known to be currently supported by the client. When the value for a given capability is [FALSE], the feature is known to be not currently supported by the client. From f6d2eb58e34382aa0c9f2fa86a657d042f96e441 Mon Sep 17 00:00:00 2001 From: Matthew Miller Date: Tue, 9 Jan 2024 10:17:34 -0800 Subject: [PATCH 25/27] Restore mandate to sort capabilities --- index.bs | 1 + 1 file changed, 1 insertion(+) diff --git a/index.bs b/index.bs index 697feb000..2f91b985e 100644 --- a/index.bs +++ b/index.bs 
@@ -2811,6 +2811,7 @@ This method has no arguments and returns a record of capability keys to Boolean typedef record PublicKeyCredentialClientCapabilities; +[=map/Keys=] in {{PublicKeyCredentialClientCapabilities}} MUST be sorted in ascending lexicographical order. The set of [=map/keys=] SHOULD equal the set of [=enumeration values=] of {{ClientCapability}}. See also [[#sctn-disclosing-client-capabilities]]. When the value for a given capability is [TRUE], the feature is known to be currently supported by the client. From 803fa75fb86972bc6150f2da740817681196ca6f Mon Sep 17 00:00:00 2001 From: Matthew Miller Date: Tue, 9 Jan 2024 10:18:13 -0800 Subject: [PATCH 26/27] Lexicographically sort ClientCapability --- index.bs | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/index.bs b/index.bs index 2f91b985e..04c3c0047 100644 --- a/index.bs +++ b/index.bs @@ -4016,11 +4016,11 @@ Note: The {{UserVerificationRequirement}} enumeration is deliberately not refere enum ClientCapability { - "userVerifyingPlatformAuthenticator", + "conditionalCreate", + "conditionalMediation", "hybridTransport", "passkeyPlatformAuthenticator", - "conditionalMediation", - "conditionalCreate" + "userVerifyingPlatformAuthenticator", }; @@ -4029,8 +4029,11 @@ This enumeration defines a limited set of client capabilities which a [=[WRP]=] Note: The {{ClientCapability}} enumeration is deliberately not referenced, see [[#sct-domstring-backwards-compatibility]].
- : userVerifyingPlatformAuthenticator - :: The [=WebAuthn Client=] supports usage of a [=user-verifying platform authenticator=]. + : conditionalCreate + :: The [=WebAuthn Client=] is capable of a {{CredentialMediationRequirement/conditional}} credential creation operation. + + : conditionalMediation + :: The [=WebAuthn Client=] is capable of {{CredentialMediationRequirement/conditional}} mediation. : hybridTransport :: The [=WebAuthn Client=] supports usage of the {{AuthenticatorTransport/hybrid}} transport. @@ -4038,11 +4041,8 @@ Note: The {{ClientCapability}} enumeration is deliberately not referenced, see [ : passkeyPlatformAuthenticator :: The [=WebAuthn Client=] supports usage of a [=passkey platform authenticator=], locally and/or via {{AuthenticatorTransport/hybrid}} transport. - : conditionalMediation - :: The [=WebAuthn Client=] is capable of {{CredentialMediationRequirement/conditional}} mediation. - - : conditionalCreate - :: The [=WebAuthn Client=] is capable of a {{CredentialMediationRequirement/conditional}} credential creation operation. + : userVerifyingPlatformAuthenticator + :: The [=WebAuthn Client=] supports usage of a [=user-verifying platform authenticator=].
### User-agent Hints Enumeration (enum PublicKeyCredentialHints) ### {#enum-hints} From ef54380aebf78db9bcadb1b5751c1158e1d802d7 Mon Sep 17 00:00:00 2001 From: Matthew Miller Date: Tue, 9 Jan 2024 10:27:50 -0800 Subject: [PATCH 27/27] Allow clients to omit capabilities --- index.bs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/index.bs b/index.bs index 04c3c0047..ea13051ed 100644 --- a/index.bs +++ b/index.bs @@ -2812,7 +2812,8 @@ This method has no arguments and returns a record of capability keys to Boolean [=map/Keys=] in {{PublicKeyCredentialClientCapabilities}} MUST be sorted in ascending lexicographical order. -The set of [=map/keys=] SHOULD equal the set of [=enumeration values=] of {{ClientCapability}}. See also [[#sctn-disclosing-client-capabilities]]. +The set of [=map/keys=] SHOULD equal the set of [=enumeration values=] of {{ClientCapability}}, +but the client MAY omit keys as it deems necessary; see [[#sctn-disclosing-client-capabilities]]. When the value for a given capability is [TRUE], the feature is known to be currently supported by the client. When the value for a given capability is [FALSE], the feature is known to be not currently supported by the client.
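Review bot: In PATCH 25/27 (hunk @@ -2811,6 +2811,7), the restored sentence "MUST be sorted in ascending lexicographical order" does not say which comparison defines the order. Because this is a MUST that clients will be tested against, name the ordering explicitly, for example by pointing at a defined string comparison such as code unit order, so that two clients cannot both claim conformance while returning keys in different orders. PATCH 23/27 removed this same sentence four days earlier and neither commit message records why; a one-line rationale in the commit body would help later readers.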
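Review bot: In PATCH 26/27 (first hunk, @@ -4016,11 +4016,11), the reordered enum now ends with `"userVerifyingPlatformAuthenticator",` directly before `};`, whereas the previous last value `"conditionalCreate"` had no trailing comma. Keep whichever convention the file's other enums use so that the change stays a pure reorder. The definition list in the second hunk follows the new enum order; a short comment beside the enum saying the values are kept sorted would stop the next capability from being appended at the end.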
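Review bot: In PATCH 27/27 (hunk @@ -2812,7 +2812,8), once the client MAY omit keys, the context lines shown define only what [TRUE] and [FALSE] mean and leave an absent key undefined. If the text that follows does not already cover it, add a sentence beside these two stating that a missing key means availability is unknown, so that a [=[WRP]=] does not read omission as "not supported" and hide a workflow the client could in fact complete. The phrase "as it deems necessary" is also loose for normative text; consider tying the MAY to the reasons given in [[#sctn-disclosing-client-capabilities]] rather than leaving it open-ended.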