Ready for Trial: WebAuthn: Large blob storage extension (largeBlob)

165 views
Skip to first unread message

Nina Satragno

unread,
Oct 28, 2020, 2:44:20 PM10/28/20
to blin...@chromium.org, Adam Langley, Martin Kreichgauer, Jeff Hodges, identity-dev, Ken Buchanan

Contact emails

nsat...@chromium.orgmart...@chromium.orga...@chromium.org

Explainer

https://w3c.github.io/webauthn/#sctn-large-blob-extension

Specification

https://w3c.github.io/webauthn/#sctn-large-blob-extension

Summary

Adds support for the WebAuthn largeBlob client authenticator extension. This extension allows relying parties to store opaque data associated with a credential.


Blink component

Blink>WebAuthentication

Search tags

webauthnlarge blobblobs

TAG review

N/A

TAG review status

Not applicable

Risks



Interoperability and Compatibility

Low, this is a new feature that's already part of the editor's draft [1] for WebAuthn. [1] https://w3c.github.io/webauthn/#sctn-large-blob-extension



Gecko: No signal

WebKit: No signal

Web developers: No signals

Ergonomics

WebAuthn is already an asynchronous API with a "long" time to get a response (in the order of seconds) since it needs user interaction. Adding this feature will not impact the "normal" webauthn flow. For relying parties (i.e. websites) using it, it won't significantly affect performance.



Activation

This feature can't be polyfilled since it relies on hardware support. Effectively the feature only exposes three methods as parameters on webauthn request options: querying for support, writing, and reading blobs. Integration with existing frameworks exercising webauthn should be straightforward.



Security

The implementation requires compressing and uncompressing arbitrary data. This is done in the data decoder service [1], which runs in a sandboxed process. This implementation feature was security-reviewed [2]. [1] https://source.chromium.org/chromium/chromium/src/+/master:services/data_decoder/gzipper.h [2] https://chromium-review.googlesource.com/c/chromium/src/+/2464011



Goals for experimentation

We are planning to slowly introduce this feature into the ecosystem to gather feedback.



Ongoing technical constraints

None



Debuggability

Developers can use the devtools webauthn tab to debug this feature. https://developers.google.com/web/tools/chrome-devtools/webauthn



Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

No

This feature will be supported on mac, linux, windows < 10 19h1, & chrome os. Windows >= 10 19h1 blocks access to authenticators through low-level APIs and relies on a high-level API that does not support this feature at the moment. Similarly, the android webauthn implementation relies on a higher level API that does not support this feature.



Is this feature fully tested by web-platform-tests?

Yes
See https://wpt.fyi/results/webauthn *large-blob* tests.

Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1114875

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5657899357437952

Links to previous Intent discussions

Intent to prototype: https://groups.google.com/a/chromium.org/g/blink-dev/c/t_9QdJ7hcls/m/CAAOGBIVBgAJ


This intent message was generated by Chrome Platform Status.

--
Nina Satragno <nsat...@chromium.org>
Reply all
Reply to author
Forward
0 new messages