Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add new error codes #2095

Open
wants to merge 16 commits into
base: main
Choose a base branch
from
Open
Changes from 11 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
110 changes: 102 additions & 8 deletions index.bs
Original file line number Diff line number Diff line change
Expand Up @@ -1975,7 +1975,23 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o

: If the user exercises a user agent user-interface option to cancel the process,
:: [=set/For each=] |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] operation on |authenticator|
and [=set/remove=] |authenticator| from |issuedRequests|. Throw a "{{NotAllowedError}}" {{DOMException}}.
and [=set/remove=] |authenticator| from |issuedRequests|.

If the user agent is informing the user of an inability to continue the ceremony
MasterKale marked this conversation as resolved.
Show resolved Hide resolved
due to missing {{AuthenticatorTransport/hybrid}} prerequisites,
throw a "{{HybridPrerequisitesError}}" {{DOMException}}.

If the user agent is prompting the user to complete the ceremony using an authenticator
that may be available over the {{AuthenticatorTransport/hybrid}} transport,
throw a "{{UserHybridCancellationError}}" {{DOMException}}.

If the user agent is informing the user that
the last used |authenticator| cannot collect [=user verification=] when
<code>|pkOptions|.{{PublicKeyCredentialCreationOptions/authenticatorSelection}}.{{AuthenticatorSelectionCriteria/userVerification}}</code>
is set to {{UserVerificationRequirement/required}},
throw a "{{UserVerificationError}}" {{DOMException}}.
Comment on lines +1970 to +1974
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The equivalent error on the authenticator layer is error code equivalent to "ConstraintError", so I think that could be used here too?

This would lump this together with another ConstraintError thrown when authenticatorSelection.userVerification == "required" and mediation == "conditional", but that is also an error expressing that UV was required but couldn't be performed, so I think that can be okay?

Then we could also add a case to pass through error code equivalent to "ConstraintError" from the authenticator layer, like we do with InvalidStateError.


Otherwise, throw a "{{UserCancellationError}}" {{DOMException}}.
MasterKale marked this conversation as resolved.
Show resolved Hide resolved

: If <code>|options|.{{CredentialCreationOptions/signal}}</code> is present and [=AbortSignal/aborted=],
:: [=set/For each=] |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=]
Expand Down Expand Up @@ -2244,7 +2260,7 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
</dl>
</li>

1. Throw a "{{NotAllowedError}}" {{DOMException}}. In order to prevent information leak that could identify the
1. Throw a "{{TimeoutError}}" {{DOMException}}. In order to prevent information leak that could identify the
emlun marked this conversation as resolved.
Show resolved Hide resolved
user without [=user consent|consent=], this step MUST NOT be executed before |lifetimeTimer| has expired. See
[[#sctn-make-credential-privacy]] for details.

Expand Down Expand Up @@ -2278,6 +2294,10 @@ The following {{DOMException}} exceptions can be raised:
: {{InvalidStateError}}
:: The authenticator used in the ceremony recognized an entry in {{PublicKeyCredentialCreationOptions/excludeCredentials}}
after the user [=user consent|consented=] to registering a credential.

: {{HybridPrerequisitesError}}
:: The ceremony was cancelled due to missing prerequisites for use of
the {{AuthenticatorTransport/hybrid}} transport.

: {{NotSupportedError}}
:: No entry in {{PublicKeyCredentialCreationOptions/pubKeyCredParams}} had a {{PublicKeyCredentialDescriptor/type}} property of {{PublicKeyCredentialType/public-key}},
Expand All @@ -2294,10 +2314,21 @@ The following {{DOMException}} exceptions can be raised:
: {{UnknownError}}
:: The [=authenticator=] could not process the supplied options,
or encountered an error while creating the new credential.

: {{UserCancellationError}}
:: The user has exercised a user agent user-interface option
to end the ceremony.

: {{UserHybridCancellationError}}
:: The user has exercised a user agent user-interface option
MasterKale marked this conversation as resolved.
Show resolved Hide resolved
to end the ceremony while being prompted to complete a ceremony
via the {{AuthenticatorTransport/hybrid}} transport.

: {{UserVerificationError}}
:: The user was unable to complete [=user verification=] as required by the [=[RP]=].

: {{NotAllowedError}}
:: A catch-all error covering a wide range of possible reasons,
including common ones like the user canceling out of the ceremony.
:: A catch-all error covering a wide range of possible reasons.
Some of these causes are documented throughout this spec,
while others are client-specific.

Expand Down Expand Up @@ -2519,7 +2550,23 @@ When this method is invoked, the user agent MUST execute the following algorithm

: If the user exercises a user agent user-interface option to cancel the process,
:: [=set/For each=] |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] operation on |authenticator|
and [=set/remove=] |authenticator| from |issuedRequests|. Throw a "{{NotAllowedError}}" {{DOMException}}.
and [=set/remove=] |authenticator| from |issuedRequests|.

If the user agent is informing the user of an inability to continue the ceremony
MasterKale marked this conversation as resolved.
Show resolved Hide resolved
due to missing {{AuthenticatorTransport/hybrid}} prerequisites,
throw a "{{HybridPrerequisitesError}}" {{DOMException}}.

If the user agent is prompting the user to complete the ceremony using an authenticator
that may be available over the {{AuthenticatorTransport/hybrid}} transport,
throw a "{{UserHybridCancellationError}}" {{DOMException}}.

If the user agent is informing the user that
MasterKale marked this conversation as resolved.
Show resolved Hide resolved
the last used |authenticator| cannot collect [=user verification=] when
<code>|pkOptions|.{{PublicKeyCredentialCreationOptions/authenticatorSelection}}.{{AuthenticatorSelectionCriteria/userVerification}}</code>
is set to {{UserVerificationRequirement/required}},
throw a "{{UserVerificationError}}" {{DOMException}}.

Otherwise, throw a "{{UserCancellationError}}" {{DOMException}}.

: If <code>|options|.{{CredentialRequestOptions/signal}}</code> is present and [=AbortSignal/aborted=],
:: [=set/For each=] |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] operation on |authenticator|
Expand Down Expand Up @@ -2698,7 +2745,7 @@ When this method is invoked, the user agent MUST execute the following algorithm
1. Return |constructAssertionAlg| and terminate this algorithm.
</dl>

1. Throw a "{{NotAllowedError}}" {{DOMException}}. In order to prevent information leak that could identify the
1. Throw a "{{TimeoutError}}" {{DOMException}}. In order to prevent information leak that could identify the
emlun marked this conversation as resolved.
Show resolved Hide resolved
user without [=user consent|consent=], this step MUST NOT be executed before |lifetimeTimer| has expired. See
[[#sctn-assertion-privacy]] for details.

Expand Down Expand Up @@ -2846,6 +2893,10 @@ The following {{DOMException}} exceptions can be raised:
:: The ceremony was cancelled by an {{AbortController}}.
See [[#sctn-abortoperation]] and [[#sctn-sample-aborting]].

: {{HybridPrerequisitesError}}
MasterKale marked this conversation as resolved.
Show resolved Hide resolved
:: The ceremony was cancelled due to missing prerequisites for use of
the {{AuthenticatorTransport/hybrid}} transport.

: {{SecurityError}}
:: The [=effective domain=] was not a [=valid domain=],
or <code>{{PublicKeyCredentialCreationOptions/rp}}.{{PublicKeyCredentialRpEntity/id}}</code> was not equal to or a registrable domain suffix of the [=effective domain=].
Expand All @@ -2857,10 +2908,21 @@ The following {{DOMException}} exceptions can be raised:
: {{UnknownError}}
:: The [=authenticator=] could not process the supplied options,
or encountered an error while generating an [=assertion signature=].

: {{UserCancellationError}}
:: The user has exercised a user agent user-interface option
to end the ceremony.

: {{UserHybridCancellationError}}
:: The user has exercised a user agent user-interface option
to end the ceremony while being prompted to complete a ceremony
via the {{AuthenticatorTransport/hybrid}} transport.

: {{UserVerificationError}}
:: The user was unable to complete [=user verification=] as required by the [=[RP]=].

: {{NotAllowedError}}
:: A catch-all error covering a wide range of possible reasons,
including common ones like the user canceling out of the ceremony.
:: A catch-all error covering a wide range of possible reasons.
Some of these causes are documented throughout this spec,
while others are client-specific.
</dl>
Expand Down Expand Up @@ -3726,6 +3788,38 @@ SHOULD be aborted.
See [WHATWG HTML WG Issue #2711](https://github.com/whatwg/html/issues/2711) for more details.


## WebAuthn Interfaces ## {#sctn-interfaces}

The subection below defines custom interfaces used throughout WebAuthn.

### Custom WebAuthn Exceptions ### {#iface-custom-webauthn-exceptions}

For descriptions of these exceptions,
please see [[#sctn-create-request-exceptions]] and [[#sctn-get-request-exceptions]].

<xmp class="idl">
[Exposed=Window, Serializable]
interface HybridPrerequisitesError : DOMException {
};
MasterKale marked this conversation as resolved.
Show resolved Hide resolved

[Exposed=Window, Serializable]
interface TimeoutError : DOMException {
};
MasterKale marked this conversation as resolved.
Show resolved Hide resolved

[Exposed=Window, Serializable]
interface UserCancellationError : DOMException {
};

[Exposed=Window, Serializable]
interface UserHybridCancellationError : DOMException {
};

[Exposed=Window, Serializable]
interface UserVerificationError : DOMException {
};
</xmp>


emlun marked this conversation as resolved.
Show resolved Hide resolved
## WebAuthn Extensions Inputs and Outputs ## {#sctn-extensions-inputs-outputs}

The subsections below define the data types used for conveying [=WebAuthn extension=] inputs and outputs.
Expand Down