How to use webauthn extension?


Josh Ji

Dec 21, 2022, 8:10:46 PM
to FIDO Dev (fido-dev)
Hi everyone,
I want to make a custom extension and send my extension data to the authenticator.
But when I use Chrome to send my extension data in the makeCredential request,
Chrome doesn't send my data to the authenticator.
Moreover, when I use the extensions field in the authenticatorData in the attestationObject of the makeCredential response to send my data, Chrome pops up the authenticator selection window again and then reports an error.

My question is, does Chrome support custom extensions?
If it does, how do I make a custom extension?

Shane Weeden

Dec 21, 2022, 8:11:48 PM
to Josh Ji, FIDO Dev (fido-dev)
Browsers do not pass extensions they don’t know about through to authenticators.

--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/273b7808-d220-4d80-a2f3-73fe286c7318n%40fidoalliance.org.

Josh Ji

Dec 21, 2022, 8:37:43 PM
to FIDO Dev (fido-dev), Shane Weeden, FIDO Dev (fido-dev), Josh Ji
Why?
According to the spec, they can convert it to CBOR and send it to the authenticator.

On Thursday, December 22, 2022 at 9:11:48 AM UTC+8, Shane Weeden wrote:

Adam Langley

Dec 23, 2022, 4:55:03 PM
to FIDO Dev (fido-dev), josh201...@gmail.com, Shane Weeden, FIDO Dev (fido-dev)
On Wednesday, December 21, 2022 at 5:37:43 PM UTC-8 josh201...@gmail.com wrote:
Why?
According to the spec, they can convert it to CBOR and send it to the authenticator.

Chromium does not transcribe unknown extensions. For arbitrary control over a USB device, please see the Web USB API.


Cheers

AGL

My1

Dec 23, 2022, 5:22:05 PM
to Adam Langley, FIDO Dev (fido-dev), josh201...@gmail.com, Shane Weeden
Quick reminder though: Windows 10/11 blocks access to FIDO devices for non-admin programs.

What does the spec say regarding extensions: should the client pass them through or block them, and if it should pass them, why doesn't Chrome do that? Especially hmac-secret would be awesome for passwordless password managers.

Regards
My1



Adam Langley

Dec 23, 2022, 5:32:32 PM
to FIDO Dev (fido-dev), My1, FIDO Dev (fido-dev), josh201...@gmail.com, Shane Weeden, Adam Langley
On Friday, December 23, 2022 at 2:22:05 PM UTC-8 My1 wrote:
Quick reminder though: Windows 10/11 blocks access to FIDO devices for non-admin programs.

Yes, a different USB endpoint should be used for arbitrary control of devices. Web USB cannot be used to speak CTAP to a device and an authenticator must not expose anything connected to its CTAP interface over another interface.

What does the spec say regarding extensions: should the client pass them through or block them, and if it should pass them, why doesn't Chrome do that? Especially hmac-secret would be awesome for passwordless password managers.

Originally the spec was written with the assumption that unknown extensions could be generically transformed to CBOR. No implementation, to my knowledge, ever did that and the current working spec has been updated to remove it. Even with generic pass-through, hmac-secret wouldn't be usable because it requires exercising the PIN/UV auth protocol to encrypt the transfer, so must be specially handled by the platform. The newly re-added prf WebAuthn extension is designed to expose hmac-secret and support should be available in Chromium (behind a flag, initially) by February, at least for platforms where Chromium speaks CTAP directly to the device.


Cheers

AGL
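The following is an added example, not code posted by anyone in this thread. It shows what the replies above describe in practice: an RP script requests the "prf" client extension (the WebAuthn surface for hmac-secret) alongside a constructed, unknown extension id, then checks getClientExtensionResults() to see which requests the client actually honored. Function names such as buildCreateOptions, inspectExtensionResults and extractPrfOutput, the "myCustomExt" id and the mock credential objects are this example's own assumptions; in a browser the option objects would be passed to navigator.credentials.create() / get(), and the mocks stand in for the PublicKeyCredential the browser returns so the code runs offline.

```javascript
// Added example (not from the thread). Demonstrates: unknown WebAuthn
// extensions are silently dropped by the client, and hmac-secret is reached
// through the standard "prf" extension rather than a custom one.
const te = new TextEncoder();

// Options for navigator.credentials.create(): ask the client to enable prf on
// the new credential. "myCustomExt" is a constructed, unknown extension id,
// included only to show that it never reaches the authenticator.
function buildCreateOptions(rpId, userName, challenge) {
  return {
    challenge,
    rp: { id: rpId, name: rpId },
    user: { id: te.encode(userName), name: userName, displayName: userName },
    pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
    authenticatorSelection: { userVerification: "required" }, // hmac-secret needs UV
    extensions: { prf: {}, myCustomExt: { hello: "world" } },
  };
}

// Options for navigator.credentials.get(): the salt is evaluated by the
// authenticator's hmac-secret and the 32-byte output is returned to the RP.
function buildGetOptions(rpId, challenge, salt) {
  return {
    challenge,
    rpId,
    userVerification: "required",
    extensions: { prf: { eval: { first: salt } } },
  };
}

// Compare requested extension ids with what the client reports back. Anything
// the client did not understand is absent from getClientExtensionResults().
function inspectExtensionResults(requestedExtensions, credential) {
  const results = credential.getClientExtensionResults();
  const honored = [];
  const ignored = [];
  for (const id of Object.keys(requestedExtensions)) {
    (id in results ? honored : ignored).push(id);
  }
  return { honored, ignored, results };
}

// Extract the prf output, failing clearly when the platform or authenticator
// did not process the extension (the RP must not fall back to a weaker key).
function extractPrfOutput(credential) {
  const prf = credential.getClientExtensionResults().prf;
  if (!prf || !prf.results || !prf.results.first) {
    throw new Error("prf extension was not processed; hmac-secret unavailable");
  }
  return new Uint8Array(prf.results.first);
}

// Constructed mocks standing in for the PublicKeyCredential a browser returns.
function mockCreateCredential() {
  return { getClientExtensionResults: () => ({ prf: { enabled: true } }) };
}
function mockGetCredential() {
  const out = new Uint8Array(32); // constructed 32-byte "hmac-secret" output
  for (let i = 0; i < 32; i++) out[i] = (i * 7 + 3) & 0xff;
  return { getClientExtensionResults: () => ({ prf: { results: { first: out.buffer } } }) };
}

// End-to-end walk-through returning the values a caller would inspect.
function demo() {
  const challenge = te.encode("constructed-challenge-bytes"); // use random bytes in production
  const createOpts = buildCreateOptions("example.com", "alice", challenge);
  const createInspection = inspectExtensionResults(createOpts.extensions, mockCreateCredential());

  const salt = te.encode("password-manager-vault-v1"); // constructed salt
  const getOpts = buildGetOptions("example.com", challenge, salt);
  const getInspection = inspectExtensionResults(getOpts.extensions, mockGetCredential());
  const prfOutput = extractPrfOutput(mockGetCredential());

  return { createInspection, getInspection, prfOutput };
}

module.exports = { buildCreateOptions, buildGetOptions, inspectExtensionResults, extractPrfOutput, demo };
```

Running demo() reports "prf" as honored and "myCustomExt" as ignored on the create step, and yields the 32-byte prf output on the get step; the throw in extractPrfOutput is the edge case to keep, since a platform that does not yet speak prf simply omits the key from the results object rather than returning an error.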