Why are some verifications that are stated in the current WebAuthn Recommendation missing ?

[rneumann7]

For example why are in the current verify_authentication_response.py the checks for 7.2. Verifying an Authentication Assertion step 4 and 5 missing. When I look back at older versions, like 0.47, of this library I see they checks are used, but not in the newer versions. Can somebody clarify this for me ? Thank you.

[MasterKale]

I saw those steps as requiring too much RP-specific logic to abstract when I rewrote the library to be stateless, "data in, decision out" methods. An RP would necessarily have to identify the user logging in and make sure the returned response id is valid for that user to figure out which public key to try for signature verification, so the library currently assumes that happens before verify_authentication_response() gets called.

And because the library is purely methods now, with no state, then that puts a burden on the RP to store authentication options to then cross-reference when a response is received, which is going to be implementation-specific. It didn't feel right to try and impose architectural decisions on RPs, as a library like py_webauthn, any more than WebAuthn already requires.

That's been my thinking so far.

[rneumann7]

Yes that makes sense. But wouldn't it then be useful if, staying with the verify_authentication_response() example, the function had more arguments in order to make checks if needed? So for example it could have an allow_credentials parameter that can be optionally given to the function and if not empty, the check of step 4 is made that the id of the credential is in the allow_credentials parameter. Same for the user_handle, if given to the function the check would be made that the given user_handle is the same as the one in AuthenticatorAssertionResponse in the credential. In this way all the recommended checks from the Spec could be made with one function, if needed. I think this would give the users of the library more awareness of which checks are recommended from the spec and would also make it easier to conform to it.