Add backup flags to virtual authenticator (#1999)
* Add backup flags to virtual authenticator

Allow setting and changing the backup eligibility (BE) and backup state
(BS) flags through the virtual authenticator API.

Fixed: #1987 

Co-authored-by: Emil Lundberg <[email protected]>
nsatragno and emlun authored Dec 13, 2023
1 parent 2745802 commit cf35363
Showing 1 changed file with 115 additions and 0 deletions.
115 changes: 115 additions & 0 deletions index.bs
Expand Up @@ -7794,6 +7794,14 @@ Each stored [=virtual authenticator=] has the following properties:
:: A {{UvmEntries}} array to be set as the [=authenticator extension output=] when processing the [=User Verification Method=] extension.

Note: This property has no effect if the [=Virtual Authenticator=] does not support the [=User Verification Method=] extension.
: |defaultBackupEligibility|
:: Determines the default state of the [=backup eligibility=] [=credential property=] for any newly created [=Public Key Credential Source=].
This value MUST be reflected by the [=BE=] [=authenticator data=] [=flag=] when performing an [=authenticatorMakeCredential=]
operation with this [=virtual authenticator=].
: |defaultBackupState|
:: Determines the default state of the [=backup state=] [=credential property=] for any newly created [=Public Key Credential Source=].
This value MUST be reflected by the [=BS=] [=authenticator data=] [=flag=] when performing an [=authenticatorMakeCredential=]
operation with this [=virtual authenticator=].

## <dfn>Add Virtual Authenticator</dfn> ## {#sctn-automation-add-virtual-authenticator}
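Review bot: the two new properties are defined independently of each other, so a caller can configure |defaultBackupEligibility| as [FALSE] together with |defaultBackupState| as [TRUE], which produces the BE=0/BS=1 flag combination that the spec's backup state table treats as invalid. Add a sentence here (or a validation step in [=Add Virtual Authenticator=]) stating that |defaultBackupState| MUST be [FALSE] whenever |defaultBackupEligibility| is [FALSE], or that the remote end returns a [=WebDriver error=] with [=WebDriver error code=] [=invalid argument=] for that combination.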

Expand Down Expand Up @@ -7878,6 +7886,18 @@ The <dfn>Authenticator Configuration</dfn> is a JSON [=Object=] passed to the [=
<td>Up to 3 [=User Verification Method=] entries</td>
<td>Empty array</td>
</tr>
<tr>
<td>|defaultBackupEligibility|</td>
<td>boolean</td>
<td>[TRUE], [FALSE]</td>
<td>[FALSE]</td>
</tr>
<tr>
<td>|defaultBackupState|</td>
<td>boolean</td>
<td>[TRUE], [FALSE]</td>
<td>[FALSE]</td>
</tr>
</tbody>
</table>
</figure>
Expand Down Expand Up @@ -8020,6 +8040,26 @@ The <dfn>Credential Parameters</dfn> is a JSON [=Object=] passed to the [=remote
</td>
<td>string</td>
</tr>
<tr>
<td>|backupEligibility|</td>
<td>
The simulated [=backup eligibility=] for the [=public key credential source=]. If unset, the value will default to the
[=virtual authenticator=]'s |defaultBackupEligibility| property.
The simulated [=backup eligibility=] MUST be reflected by the [=BE=] [=authenticator data=] [=flag=] when performing
an [=authenticatorGetAssertion=] operation with this [=public key credential source=].
</td>
<td>boolean</td>
</tr>
<tr>
<td>|backupState|</td>
<td>
The simulated [=backup state=] for the [=public key credential source=]. If unset, the value will default to the
[=virtual authenticator=]'s |defaultBackupState| property.
The simulated [=backup state=] MUST be reflected by the [=BS=] [=authenticator data=] [=flag=] when performing
an [=authenticatorGetAssertion=] operation with this [=public key credential source=].
</td>
<td>boolean</td>
</tr>
</tbody>
</table>
</figure>
Expand Down Expand Up @@ -8056,6 +8096,10 @@ The [=remote end steps=] are:
1. If |largeBlob| is failure, return a [=WebDriver error=] with [=WebDriver error code=] [=invalid argument=].
1. Otherwise:
1. Let |largeBlob| be `null`.
1. Let |backupEligibility| be the |parameters|' |backupEligibility| property.
1. If |backupEligibility| is not defined, set |backupEligibility| to the value of the |authenticator|'s |defaultBackupEligibility|.
1. Let |backupState| be the |parameters|' |backupState| property.
1. If |backupState| is not defined, set |backupState| to the value of the |authenticator|'s |defaultBackupState|.
1. Let |credential| be a new [=Client-side discoverable Public Key Credential Source=] if |isResidentCredential| is [TRUE]
or a [=Server-side Public Key Credential Source=] otherwise whose items are:
: [=public key credential source/type=]
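Review bot: the new steps read |backupEligibility| and |backupState| from |parameters| without checking their type, so a non-boolean value would be stored as a [=credential property=] and later reflected as an [=authenticator data=] [=flag=]. After each `Let` step, add a check such as "If |backupEligibility| is defined and is not a boolean, return a [=WebDriver error=] with [=WebDriver error code=] [=invalid argument=].", matching the [=invalid argument=] handling applied to |largeBlob| a few steps above. The steps also do not reject |backupState| being [TRUE] while |backupEligibility| is [FALSE].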
Expand All @@ -8068,6 +8112,8 @@ The [=remote end steps=] are:
:: |rpId|
: [=public key credential source/userHandle=]
:: |userHandle|
1. Set the |credential|'s [=backup eligibility=] [=credential property=] to |backupEligibility|.
1. Set the |credential|'s [=backup state=] [=credential property=] to |backupState|.
1. Associate a [=signature counter=] |counter| to the |credential| with a starting value equal to the |parameters|'
|signCount| or `0` if |signCount| is `null`.
1. If |largeBlob| is not `null`, set the [=large, per-credential blob=] associated to the |credential| to |largeBlob|.
Expand Down Expand Up @@ -8201,6 +8247,75 @@ The [=remote end steps=] are:
1. Set the |authenticator|'s |isUserVerified| property to the |parameters|' |isUserVerified| property.
1. Return [=success=].

## <dfn>Set Credential Properties</dfn> ## {#sctn-automation-set-credential-properties}

The [=Set Credential Properties=] [=extension command=] allows setting the |backupEligibility| and |backupState| [=credential properties=] of
a [=Virtual Authenticator=]'s [=public key credential source=]. It is defined as follows:

<figure id="table-setFlags" class="table">
<table class="data">
<thead>
<tr>
<th>HTTP Method</th>
<th>URI Template</th>
</tr>
</thead>
<tbody>
<tr>
<td>POST</td>
<td>`/session/{session id}/webauthn/authenticator/{authenticatorId}/credentials/{credentialId}/props`</td>
</tr>
</tbody>
</table>
</figure>

The <dfn>Set Credential Properties Parameters</dfn> is a JSON [=Object=] passed to the [=remote end steps=] as |parameters|.
It contains the following |key| and |value| pairs:

<figure id="table-setCredentialPropertiesParameters" class="table">
<table class="data">
<thead>
<tr>
<th>Key</th>
<th>Description</th>
<th>Value Type</th>
</tr>
</thead>
<tbody>
<tr>
<td>|backupEligibility|</td>
<td>The [=backup eligibility=] [=credential property=].</td>
<td>boolean</td>
</tr>
<tr>
<td>|backupState|</td>
<td>The [=backup state=] [=credential property=].</td>
<td>boolean</td>
</tr>
</tbody>
</table>
</figure>

The [=remote end steps=] are:

1. If |parameters| is not a JSON [=Object=], return a [=WebDriver error=] with [=WebDriver error code=]
[=invalid argument=].

Note: |parameters| is a [=Set Credential Properties Parameters=] object.
1. If |authenticatorId| does not match any [=Virtual Authenticator=] stored in the [=Virtual Authenticator
Database=], return a [=WebDriver error=] with [=WebDriver error code=] [=invalid argument=].
1. Let |credential| be the [=public key credential source=] managed by |authenticator| matched by |credentialId|.
1. If |credential| is empty, return a [=WebDriver error=] with [=WebDriver error code=] [=invalid argument=].
1. Let |backupEligibility| be the |parameters|' |backupEligibility| property.
1. If |backupEligibility| is defined, set the [=backup eligibility=] [=credential property=] of |credential| to the value of |backupEligibility|.

Note: Normally, the |backupEligibility| property is permanent to a [=public key credential source=].
[=Set Credential Properties=] allows changing it for testing and debugging purposes.

1. Let |backupState| be the |parameters|' |backupState| property.
1. If |backupState| is defined, set the [=backup state=] [=credential property=] of |credential| to the value of |backupState|.
1. Return [=success=].

# IANA Considerations # {#sctn-IANA}

## WebAuthn Attestation Statement Format Identifier Registrations Updates ## {#sctn-att-fmt-reg-update}
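Review bot: the [=Set Credential Properties=] steps use |authenticator| in "Let |credential| be the [=public key credential source=] managed by |authenticator| matched by |credentialId|." but never bind it; the preceding step only tests whether |authenticatorId| matches an entry. Reword that step as "Let |authenticator| be the [=Virtual Authenticator=] stored in the [=Virtual Authenticator Database=] that matches |authenticatorId|; if there is none, return a [=WebDriver error=] with [=WebDriver error code=] [=invalid argument=].", and replace "If |credential| is empty" with an explicit "If no such |credential| exists". As in the Add Credential steps, neither |backupEligibility| nor |backupState| is checked to be a boolean, and a [=backup state=] of [TRUE] can be set on a credential whose [=backup eligibility=] is [FALSE]; a type check after each `Let` step and a rejection of that combination would close both gaps.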