Intent to Ship: Web Authentication API: JSON serialization methods

[Martin Kreichgauer]

Contact emails

mart...@google.com

Explainer

https://github.com/w3c/webauthn/wiki/Explainer:-JSON-Serialization-Methods

Specification

https://w3c.github.io/webauthn/#publickeycredential

Summary

The WebAuthn PublicKeyCredential.toJSON(), parseCreationOptionsFromJSON() and parseRequestOptionsFromJSON() methods let developers serialize a WebAuthn response into a JSON object or deserialize a WebAuthn request object from its JSON representation.

Blink component

Blink>WebAuthentication

TAG review

None

TAG review status

Not applicable

Risks

Interoperability and Compatibility

None

Gecko: Shipped/Shipping (https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredential/toJSON#browser_compatibility)

WebKit: No signal

Web developers: Positive (https://github.com/github/webauthn-json) webauthn-json is a widely used polyfill for this API maintained by Github.

Other signals:

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

None

Debuggability

None

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?

Yes

This feature is implemented in Blink renderer code and shipping on all platforms.

Is this feature fully tested by web-platform-tests?

Yes

https://wpt.fyi/results/webauthn/public-key-credential-creation-options-from-json.https.window.html https://wpt.fyi/results/webauthn/public-key-credential-request-options-from-json.https.window.html https://wpt.fyi/results/webauthn/public-key-credential-to-json.https.window.html

DevTrial instructions

https://docs.google.com/document/d/e/2PACX-1vSl4jywfU4xD3fkWrC-T5hHI79xs90oOq9tVSx4M63WkcI-wuk-nnFlPlDIAttrpTEd5BbXABJnDuxT/pub

Flag name on chrome://flags

enable-experimental-web-platform-features

Finch feature name

WebAuthenticationJSONSerialization

Requires code in //chrome?

False

Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1401128

Availability expectation

Firefox has shipped an implementation already.

Adoption expectation

There is a widely used polyfill (https://github.com/github/webauthn-json), which suggests there is demand from developers for this feature.

Estimated milestones

Shipping on desktop	128
DevTrial on desktop	128

Shipping on Android	128
DevTrial on Android	128

Shipping on WebView

128

Anticipated spec changes

Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).

None

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5141695044255744?gate=6322764007342080

Links to previous Intent discussions

Intent to prototype: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAB%3DfcEbBz4a%2BEE-KbbRDkEexDON8hCfCC-saD600J7fo9J3jZg%40mail.gmail.com

This intent message was generated by Chrome Platform Status.

[Daniel Clark]

Could you request WebKit’s position for this? https://github.com/WebKit/standards-positions/issues/

 

-- Dan

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAB%3DfcEYktBpGbDOw9pT40jjE%2B6T4HVCq%2Bzu-P3KMf1PQQuzaew%40mail.gmail.com.

[Martin Kreichgauer]

Done: https://github.com/WebKit/standards-positions/issues/373. Also added to the chromestatus entry.

[Domenic Denicola]

One request: the use of static method syntax for all three methods, when only 2 are static, is pretty confusing. It'd be ideal to update the explainer and ChromeStatus entry to make it clearer which methods are static methods (PublicKeyCredential.parseCreationOptionsFromJSON(), PublicKeyCredential.parseRequestOptionsFromJSON()) and which methods are instance methods (PublicKeyCredential.prototype.toJSON()).

Regarding Firefox's position: I notice they are not passing the web platform tests: 1, 2. Are you sure you have their position accurately recorded? 

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAB%3DfcEZ8WjawY1xMJcvqJ0gsk4wTBMQHYFR3QdBEL0H_ciT0%3DA%40mail.gmail.com.

[Martin Kreichgauer]

On Mon, Jul 15, 2024 at 8:04 PM Domenic Denicola <dom...@chromium.org> wrote:

One request: the use of static method syntax for all three methods, when only 2 are static, is pretty confusing. It'd be ideal to update the explainer and ChromeStatus entry to make it clearer which methods are static methods (PublicKeyCredential.parseCreationOptionsFromJSON(), PublicKeyCredential.parseRequestOptionsFromJSON()) and which methods are instance methods (PublicKeyCredential.prototype.toJSON()).

Done.

 

Regarding Firefox's position: I notice they are not passing the web platform tests: 1, 2. Are you sure you have their position accurately recorded? 

Yes: 1, 2, 3, 4. These appear to be issues with the WPTs.

[Domenic Denicola]

On Wed, Jul 17, 2024 at 7:20 AM Martin Kreichgauer <mart...@google.com> wrote:

On Mon, Jul 15, 2024 at 8:04 PM Domenic Denicola <dom...@chromium.org> wrote:

One request: the use of static method syntax for all three methods, when only 2 are static, is pretty confusing. It'd be ideal to update the explainer and ChromeStatus entry to make it clearer which methods are static methods (PublicKeyCredential.parseCreationOptionsFromJSON(), PublicKeyCredential.parseRequestOptionsFromJSON()) and which methods are instance methods (PublicKeyCredential.prototype.toJSON()).

Done.

 

Regarding Firefox's position: I notice they are not passing the web platform tests: 1, 2. Are you sure you have their position accurately recorded? 

Yes: 1, 2, 3, 4. These appear to be issues with the WPTs.

OK. Can you work on ensuring we have accurate web platform tests then, before shipping?

[Yoav Weiss (@Shopify)]

https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredential says that the broader feature is not available in Android WebView.

Is that correct? If so, can you clarify what that means for this feature?

 

--

[Martin Kreichgauer]

Work is underway to enable WebAuthn broadly on WebView. As far as I'm aware, that work hasn't quite roll out yet due to some dependency on the Android side. I'll ask the people working on that to ensure they update the MDN compat table once we know a minimum version.

Once WebAuthn is available in WebView, the JSON serialization parts are included there automatically.

[Yoav Weiss (@Shopify)]

Friendly reminder that this is blocked on addressing Domenic's feedback RE the WPTs :)

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.

[Martin Kreichgauer]

The WPTs should be passing in Firefox now [1] [2] [3].

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

[Domenic Denicola]

LGTM1

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAB%3DfcEbiL43GSxtEmXOdw4NM-GPZRfP9vb2VnvK28ATbYVU50w%40mail.gmail.com.

[Yoav Weiss (@Shopify)]

LGTM2

[Daniel Bratell]

LGTM3

/Daniel

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOmohS%2BJFg%2BogPEtPLMn9Unnsm85VFpaaMe-5WTBTZQ7OTmTGA%40mail.gmail.com.