-
Notifications
You must be signed in to change notification settings - Fork 181
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add new getClientCapabilities method #1923
Conversation
I'm happy to have such features to enhance the UX and for RPs to have some controls. But, adding each function for specific features would not be scale.
At that time, browser vendors were not comfortable to expose such features to the relying parties due to privacy issues. |
Would this make these expressions (ignoring
|
@emlun logically, yes. isPPAA() is for the masses (basic use cases), whereas gCC() is for more advanced use cases, and can easily be expanded. |
I think it would be great if we added an equivalent capability enums for |
Some discussion points from the 2023-07-26 WG call:
|
Note that
How is it not? But perhaps that's a moot point anyway. Again, I don't think there should be both a |
@emlun I think I'd rather withdraw this PR than lose isPPAA() as that new method is more valuable to a larger number of developers. |
Ok, let's hear some more opinions before we decide either way (keep In the meantime, this just occurred to me: perhaps instead of a list of values, this should be structured as object attributes like the Say that we add a new capability value for a feature that already exists in some clients. Some clients immediately update and start reporting the new enum value, but some clients are slower to update and for a while don't report the new value - even though they do in fact support the feature. This leads RPs to incorrectly conclude that the feature isn't available. So perhaps it would be better to structure the data model like this?
so then, if
|
In response to this point, I don't want a point I made earlier to get glossed over:
I don't see |
I am worried we are getting into "too complex" territory. It's always the case that with standards like webauth, oauth2, oidc, ldap, or anything else, that while the standard may support 100 different options, what evolves is a small subset that is actually used day to day by implementors. For example, LDAP spans many rfc's with complex search options and extensions, and in reality most people just use search and bind. I'm worried we are heading down this path - most RP's will never use 90% of what is being created here like getCC or isPPAA because these features end up causing UI/UX issues rather than solving them. For example, isUVPAA() exists and is now being forgotten by the wayside because we keep chasing these micro UI/UX tweaks that no one seems to need. isPPAA is probably going to end up the same, as RP's realise that security keys like yubikeys exist and they can't just force users to use their phones with extremely slow and awkward cable workflows (did you know in latency it takes ~15 seconds to use phone for cable in AU? And this doesn't even include all the time to get the camera open and dive through all the choose your own adventure menus chrome gives you) . Even getCC querying for hybrid begs a lot of questions to what you are trying to achieve since the browser itself is already going to offer cable as an option without you needing to tweak anything. I don't think many rp's really even need this capability, since the user should be the one choosing what they want. I think you need to expand on what you are trying to actually achieve here and how that works for the positive and inverse cases, because currently this seems like an internal MS detail or plan leaking into the specification rather than a change that I can broadly see RP's embracing. |
Chrome doesn't believe that existing functions should be removed, but a) we are against adding more and more static methods to PublicKeyCredential in the future, and b) favour having this function return values that duplicate the return values of the existing feature-detection functions so that sites could just call this for all their needs. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Approving to clear up my own request for change since I made the changes I requested.
Tagging @emlun @agl @pascoej @jschanck to confirm the change to |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changing maplike
to record
looks good to me, thanks for catching that!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
SHA: 80b478c Reason: push, by MasterKale Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
rdar://120442670 https://bugs.webkit.org/show_bug.cgi?id=267068 Reviewed by Brent Fulgham. The spec has changed such that getClientCapabilities needs to return a record instead of a maplike. This patch makes that change. For more context, see the change at w3c/webauthn#1923. * Source/WebCore/DerivedSources-input.xcfilelist: * Source/WebCore/DerivedSources-output.xcfilelist: * Source/WebCore/DerivedSources.make: * Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.cpp: (WebCore::AuthenticatorCoordinator::getClientCapabilities const): * Source/WebCore/Modules/webauthn/AuthenticatorCoordinator.h: * Source/WebCore/Modules/webauthn/AuthenticatorCoordinatorClient.h: * Source/WebCore/Modules/webauthn/PublicKeyCredential.cpp: (WebCore::PublicKeyCredential::getClientCapabilities): * Source/WebCore/Modules/webauthn/PublicKeyCredential.h: * Source/WebCore/Modules/webauthn/PublicKeyCredential.idl: * Source/WebCore/Modules/webauthn/PublicKeyCredentialClientCapabilities.cpp: Removed. * Source/WebCore/Modules/webauthn/PublicKeyCredentialClientCapabilities.h: Removed. * Source/WebCore/Modules/webauthn/PublicKeyCredentialClientCapabilities.idl: Removed. * Source/WebCore/Sources.txt: * Source/WebCore/WebCore.xcodeproj/project.pbxproj: * Source/WebKit/Scripts/webkit/messages.py: (class_template_headers): * Source/WebKit/UIProcess/WebAuthentication/Cocoa/WebAuthenticatorCoordinatorProxy.mm: * Source/WebKit/UIProcess/WebAuthentication/WebAuthenticatorCoordinatorProxy.h: * Source/WebKit/UIProcess/WebAuthentication/WebAuthenticatorCoordinatorProxy.messages.in: Canonical link: https://commits.webkit.org/272998@main
I 100% agree with the camelCase convention reasons, but just a technical note:
This is actually possible to do using a const { 'user-verifying-platform-authenticator': userVerifyingPlatformAuthenticator } = capabilities; However, this is definitely not as ergonomic, more code to ship to the end-user for no good reason, and a less debuggable than if the exact same string is used to refer this the destructured value throughout the JSON and the code. |
This PR adds a new method,
getClientCapabilities()
and a matching enum for the response (currentlyhybrid-transport
andclient-pin-entry
).These capabilities can help an RP craft a sign in or registration experience based on client capabilities. For example, an RP that requires user verification may not want to offer security key registration on a client where PIN entry is not supported. Another example would be a smart TV or kiosk where only hybrid is available (no local platform authenticator). In this scenario, offering a username field doesn't make a lot of sense and a "Sign in with a passkey" button would offer a better user experience.
💥 Error: connect ETIMEDOUT 173.230.149.95:443 💥
PR Preview failed to build. (Last tried on Jan 9, 2024, 6:30 PM UTC).
More
PR Preview relies on a number of web services to run. There seems to be an issue with the following one:
🚨 CSS Spec Preprocessor - CSS Spec Preprocessor is the web service used to build Bikeshed specs.
🔗 Related URL
If you don't have enough information above to solve the error by yourself (or to understand to which web service the error is related to, if any), please file an issue.