
Add AAGUID to credProps #2157

Open
timcappalli opened this issue Sep 26, 2024 · 6 comments

Comments

@timcappalli (Member) commented Sep 26, 2024

In the TPAC discussions, there was a desire to rely solely on AAGUID for passkey provider / authenticator naming, and to remove authenticatorDisplayName from credProps.

The challenge is that authenticatorDisplayName is available on .get and the AAGUID is not. AAGUID on .get allows an RP to update the user visible name if a passkey is migrated between providers.

Proposed Change

Potential options:

  1. Add a client extension for AAGUID on .get
  2. Add AAGUID to credProps
  3. Keep authenticatorDisplayName instead
  4. Add back attestation on get

I think option 2 was the preferred path from the discussion?

@Kieun (Member) commented Sep 26, 2024

Meaning that if the RP is willing to display the provider name, the RP should rely on some source of record, Map<aaguid, providerName>?

@timcappalli (Member, Author) commented Sep 26, 2024

> Meaning that if the RP is willing to display the provider name, the RP should rely on some source of record, Map<aaguid, providerName>?

Whatever you do for create to look up the name/icon, you'd do for get.

@zacknewman (Contributor) commented Sep 26, 2024

Will the credProps input and processing be changed too? If not, then that would suggest the practice of scrubbing the AAGUID during attestation when the "none" AttestationConveyancePreference is sent should be removed since now AAGUID can always be retrieved by an RP even for roaming authenticators.

Perhaps change the input from a boolean to an enum that allows an RP to still fetch rk without the AAGUID and directs user agents to remove the AAGUID when a particular enum value is sent. User agents should be directed to receive user consent when the AAGUID is queried, the way some browsers do when something other than "none" attestation is requested.

@nadalin nadalin assigned agl and emlun Oct 2, 2024
@nadalin nadalin added this to the L3-WD-02 milestone Oct 2, 2024
@MasterKale (Contributor) commented

If we add it to credProps on .get(), then how about we add it to credProps for .create() too? That way there is a single place to get the unattested AAGUID for RPs that want it just for nicknaming, etc.

@timcappalli (Member, Author) commented

2024-10-09 call: consensus on option 2 (adding a new credProps option)

@timcappalli timcappalli changed the title Providing AAGUID on Get Add AAGUID to credProps Oct 9, 2024
@timcappalli (Member, Author) commented Oct 23, 2024

@agl had an important point that we overlooked. How does the client get the AAGUID in the first place (as credProps is populated by the client)? I suppose on create, the client could copy it from the authData if provided, but that doesn't help on get.

For security keys, the client can get it via getInfo, but for passkey providers, this would require changes to platform WebAuthn APIs.
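The "copy it from the authData on create" path from the comment above, combined with the Map<aaguid, providerName> lookup Kieun raised, as an added RP-side example (not code from this issue or from the WebAuthn spec); the AAGUID and provider name in the table, and the sample authData, are constructed placeholders, and an all-zero AAGUID is treated as the scrubbed case zacknewman describes:

```javascript
// Added example, not code from the issue or the WebAuthn spec: an RP-side helper that
// copies the AAGUID out of authenticatorData on .create() and maps it to a provider name.
// authenticatorData layout: rpIdHash (32) | flags (1) | signCount (4) |
//   [attestedCredentialData: aaguid (16) | credIdLen (2) | credId | COSE pubKey] | [extensions]
const FLAG_AT = 0x40; // flags bit 6: attested credential data is present
const ZERO_AAGUID = "0".repeat(32); // what a client emits when it scrubs the AAGUID

// Constructed lookup table (assumption): this AAGUID and name are placeholders, not a real provider.
const PROVIDER_NAMES = new Map([
  ["0102030405060708090a0b0c0d0e0f10", "Example Provider A"],
]);

function bytesToHex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Returns the AAGUID as 32 lowercase hex chars, or null when authData has no
// attested credential data (AT flag clear) or is too short to contain one.
function aaguidFromAuthData(authData) {
  if (authData.length < 37) return null;
  if ((authData[32] & FLAG_AT) === 0) return null;
  if (authData.length < 37 + 16 + 2) return null;
  return bytesToHex(authData.subarray(37, 53));
}

// User-visible name for an AAGUID; a missing, scrubbed (all-zero) or unknown value
// falls back to a generic label rather than guessing a provider.
function providerNameFor(aaguidHex) {
  if (aaguidHex === null || aaguidHex === ZERO_AAGUID) return "Unknown provider";
  return PROVIDER_NAMES.get(aaguidHex) ?? "Unknown provider";
}

// Constructed sample authData: zero rpIdHash, flags UP|AT, signCount 0, the given AAGUID,
// a 1-byte credential ID and a CBOR empty map (0xa0) standing in for the public key.
function sampleAuthData(aaguidHex) {
  const out = new Uint8Array(32 + 1 + 4 + 16 + 2 + 1 + 1);
  out[32] = 0x01 | FLAG_AT;
  for (let i = 0; i < 16; i++) out[37 + i] = parseInt(aaguidHex.slice(2 * i, 2 * i + 2), 16);
  out[53] = 0x00; out[54] = 0x01; // credIdLen = 1
  out[55] = 0x00;                 // credId
  out[56] = 0xa0;                 // placeholder public key
  return out;
}
```

On .get() there is no attested credential data in authData, which is exactly the gap the thread is discussing; the same lookup would then have to be fed from a credProps value supplied by the client.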
