
What are requirements when more than one SPC credential matches? #69

Closed
ianbjacobs opened this issue May 10, 2021 · 3 comments

Comments

@ianbjacobs
Collaborator

Based on some questions by @Goosth:

When more than one SPC credential matches, what requirements are there, and what should be left to browser innovation?

For example:

  • We should not tell the browser how to display multiple credentials for the user to select one. We might in the API indicate factually that when more than one credential matches the user agent prompts the user to choose one.
  • I think it may be an optimization (and thus not a requirement) for the browser to support user configuration of a default.

On the other hand, it might be a requirement for the browser to try to match the requirements in the order specified in the input to the API. This would allow the RP to express preferences, and this could be one way for the RP to say "I want you to go for frictionless first, then low friction."

@stephenmcgruer
Collaborator

(Just documenting reality, not making any suggestions currently).

WebAuthn
If we look at WebAuthn as a model, the credentials passed into SPC are roughly analogous to allowCredentials, which states that they are:

in descending order of the caller’s preference (the first item in the list is the most preferred credential, and so on down the list)

How this is ultimately used in WebAuthn appears to be a user dialog, step 7 of 6.3.3. The authenticatorGetAssertion Operation:

Prompt the user to select a public key credential source selectedCredential from credentialOptions.

(Where credentialOptions is allowCredentials filtered to those credentials that match the authenticator device).

How does this relate to SPC today?
Well, since the spec uses allowCredentials (step 5 of 4.1.6. Steps to respond to a payment request), by spec we should inherit WebAuthn's behavior and ultimately show . In practical reality, I believe in Chrome we just grab the first matching credential in the list and use that currently.

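To make the filtering and ordering described in the comment above concrete, here is an added model (not code from the SPC specification, from Chrome, or from anyone in this thread) of how an ordered allowCredentials list is reduced to credentialOptions per step 7 of the authenticatorGetAssertion operation, with the spec-conformant outcome (prompt the user among all matches) beside the first-match shortcut described for Chrome. The credential ids, the authenticator's stored set and the promptUser callback are constructed assumptions.

```javascript
// Added example: model of WebAuthn 6.3.3 step 7 (credentialOptions is
// allowCredentials filtered to what the authenticator holds) and of the
// two behaviours discussed in this issue once several credentials match.
// All ids below are constructed sample values, not real credential ids.

// Hypothetical RP request, in descending order of the caller's preference.
const allowCredentials = [
  { type: "public-key", id: "cred-frictionless" },
  { type: "public-key", id: "cred-low-friction" },
  { type: "public-key", id: "cred-fallback" },
];

// Constructed set of credential ids bound to this authenticator device.
const authenticatorCredentials = new Set(["cred-fallback", "cred-low-friction"]);

// credentialOptions: allowCredentials filtered to credentials the
// authenticator actually holds. Array order is preserved, so the RP's
// stated preference survives the filter.
function buildCredentialOptions(allow, available) {
  return allow.filter((d) => d.type === "public-key" && available.has(d.id));
}

// Spec-conformant path: with more than one option the user agent prompts
// the user to select one. promptUser is a hypothetical injected UI callback.
function selectPerSpec(allow, available, promptUser) {
  const options = buildCredentialOptions(allow, available);
  if (options.length === 0) return null;        // nothing matches: fail
  if (options.length === 1) return options[0];  // no choice to offer
  return promptUser(options);                   // user decides
}

// First-match shortcut: take the first matching credential in the list
// without asking, so the RP's ordering alone decides.
function selectFirstMatch(allow, available) {
  const options = buildCredentialOptions(allow, available);
  return options.length > 0 ? options[0] : null;
}

// Stand-alone demonstration: simulate the user picking the last option.
const offered = buildCredentialOptions(allowCredentials, authenticatorCredentials);
const chosenBySpec = selectPerSpec(allowCredentials, authenticatorCredentials,
  (opts) => opts[opts.length - 1]);
const chosenByFirst = selectFirstMatch(allowCredentials, authenticatorCredentials);
console.log("offered to user:", offered.map((c) => c.id).join(", "));
console.log("user picked:", chosenBySpec.id, "| first-match picks:", chosenByFirst.id);
```

The two paths only diverge when more than one credential in the list is present on the authenticator; with a single match both return it without any prompt.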
ianbjacobs added a commit that referenced this issue Nov 10, 2021
#69

It seems that issue 69 is addressed by the specification, which
says to follow a credential management API algorithm. However,
since that is not what the current Chrome implementation does, I
propose to add an implementation note.
@ianbjacobs
Collaborator Author

It seems to me that the specification addresses this issue in step 6 of 4.1.6. Steps to respond to a payment request [1]. The specification answers the question by saying to run the Credential Management API "Request a Credential" algorithm. Based on @stephenmcgruer's comment, that's not what the current implementation does, so I propose to add an implementation note. However, I propose that we close this issue with the currently specified behavior and move in that direction. (Please indicate support for that proposal on this thread. Thanks!)

[1] https://w3c.github.io/secure-payment-confirmation/#sctn-steps-to-respond-to-a-payment-request

@ianbjacobs
Collaborator Author

The specification now includes an answer to the question in the algorithm of 4.1.6 along with a note that the Chrome implementation does not conform. We can decide in the future which needs to change.
