Intent to Implement and Ship: `mediation` enum argument to `CredentialsContainer::get()` in Credential Manager API

[Jan Wilken]

Contact emails

jdoe...@chromium.org

 

Specification

https://w3c.github.io/webappsec-credential-management/

Summary

This intent introduces a mediation enum argument to CredentialsContainer::get() and deprecates the current unmediated flag. The enum has three options, “silent”, “optional” and "required”. “silent” is equivalent to unmediated == true, while “optional” is equivalent to unmediated == false and will be the default option. “required” is new and will always require user mediation when specified.

 

For more details and examples see the corresponding section in the spec: https://w3c.github.io/webappsec-credential-management/#enumdef-credentialmediationrequirement

Until the boolean flag is removed completely in M62, mediation will take the following values depending on what is provided as arguments:

• If neither unmediated nor mediation is specified, mediation will be set to “optional”, the default value.

• If only unmediated is specified, mediation will be set appropriately, i.e. “silent” in case of unmediated == true and “optional” otherwise.

• If only mediation is specified just use that value.

• If both are specified, ignore the value of unmediated and use what was specified for mediation.

  

Motivation

The WebAuthn API was rewritten in https://github.com/w3c/webauthn/pull/384 to extend the Credential Manager API.

There were several minor changes required for the CM API to make this integration possible, this is one of them.

Usage information

Usage of the Credential Manager API is low in general: https://www.chromestatus.com/metrics/feature/popularity#CredentialManagerGet

Interoperability and Compatibility Risk

Low risk, since overall usage is low and no other browser has shipped the Credential Manager API yet.

 

Alternative implementation suggestion for web developers

Instead of using the unmediated flag web developers should use the mediation enum instead.

 

OWP launch tracking bug

http://crbug.com/721399

Entry on the feature dashboard

https://www.chromestatus.com/feature/6076479909658624

 

Requesting approval to remove unmediated flag?

No, removal is planned for M62.

 

Requesting approval to ship mediation enum?

Yes.

[TAMURA, Kent]

LGTM1.

The transition plan looks good.  Please don't forget to show a warning for usage of "unmediated".

Do we have web-platform-tests coverage for this change?

--

TAMURA Kent
Software Engineer, Google

[Jan Wilken]

Thank you! Yes, web-platform-tests are available in https://github.com/w3c/web-platform-tests/tree/master/credential-management and will be updated with the implementation CL.

[Rick Byers]

Generally we don't like to deprecate things without a concrete removal plan (the warnings in Deprecation.cpp generally have a specific milestone when they will be removed).  But the compat risk seems low enough to me that removal in M62 is entirely reasonable (overall API usage is low, and breakage will be small - unmediated will just be ignored).

So LGTM2 to ship now and remove unmediated in M62 as long as we land a console warning now about the impending removal.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/204c98b7-f851-4c24-a8da-3ae11b5d9944%40chromium.org.

[Philip Jägenstedt]

LGTM3, the interim behavior (use mediation and fall back to unmediated) looks good and given how new the API is it'll probably be smooth sailing. If there's any web developer feedback at all, please circle back here, that would be a good learning experience for future attempts.

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFUtAY_Z%3DvbBkTcycncFWtDLbxP8yorWVV1DmhBMgb7QExC%3Djw%40mail.gmail.com.

[Philip Jägenstedt]

As a minor additional point, since the spec used to have "unmediated" and still mentions it in a note, can you add historical tests for it when updating wpt? If we successfully remove it then it's unlikely anyone else will ever add it, but we might get unlucky timing.