Understanding WebAuthn silent mediation in Chrome

Brandon Thorpe

Apr 21, 2023, 6:51:19 PM
to Chromium-dev, Brandon Thorpe
Hello,

I'm using WebAuthn to do hardware based platform authentication, via the navigator.credentials.create and navigator.credentials.get APIs. IIUC, the following code should return null if there are no credentials on the device for the origin domain relying party:

await navigator.credentials.get({
  mediation: "silent",
  publicKey: {
    challenge: new TextEncoder().encode("/challenge/foo"),
  },
});

I'm using Chrome version 112.0.5615.137 (Official Build) (x86_64), and the browser unconditionally asks the user to search for a passkey (e.g. using Bluetooth or USB) on this call, rather than returning null.

I appreciate any insight you may be able to provide.

Thank you.

-Brandon

Roger Tawa

Apr 25, 2023, 3:34:39 PM
to bra...@formless.la, Chromium-dev, Brandon Thorpe
Hey Brandon,

That property does not seem part of the current spec, only part of a proposed spec.  Have you tried seeing if there is a command line arg or about:flag to possibly turn this on?

Thanks,
Roger

Roger Tawa

Apr 27, 2023, 10:53:26 AM
to Brandon, Chromium-dev
Hi Brandon,

It appears you are more informed than I am.  I'm not aware of the current or future plans of webauthn, sorry.

Thanks,
Roger


On Wed, Apr 26, 2023 at 8:09 PM Brandon <bra...@formless.xyz> wrote:
Roger,

Thanks so much for the response. The MDN dev docs show that Chrome has full support for navigator.credentials.get as of version 67, including the mediation option with value "silent". That said, this bug tracker seems to imply that the conditional WebAuthn UI logic is not yet shipped.

Where it gets particularly confusing for me is this blog post about Chrome version 60––which states "navigator.credentials.get() now accepts an enum mediation instead of boolean flag unmediated." This seems to imply that the silent mediation option is supported in Chrome versions 60 and up. Regarding flags, I was able to find this great design doc about WebAuthn Conditional UI––this doc seems to be the clearest source of truth and states:

"navigator.credentials.get, which is used to query both password and WebAuthn credentials, already supports a mediation parameter. This parameter is currently being ignored, but it can be augmented with a conditional value to trigger the conditional UI."

I appreciate any insight you may be able to provide here on state and/or future plans.

-Brandon

Brandon

May 2, 2023, 8:06:34 PM
to Roger Tawa, Chromium-dev, Brandon Thorpe
Roger,

Thanks so much for the response. The MDN dev docs show that Chrome has full support for navigator.credentials.get as of version 67, including the mediation option with value "silent". That said, this bug tracker seems to imply that the conditional WebAuthn UI logic is not yet shipped.

Where it gets particularly confusing for me is this blog post about Chrome version 60––which states "navigator.credentials.get() now accepts an enum mediation instead of boolean flag unmediated." This seems to imply that the silent mediation option is supported in Chrome versions 60 and up. Regarding flags, I was able to find this great design doc about WebAuthn Conditional UI––this doc seems to be the clearest source of truth and states:

"navigator.credentials.get, which is used to query both password and WebAuthn credentials, already supports a mediation parameter. This parameter is currently being ignored, but it can be augmented with a conditional value to trigger the conditional UI."

I appreciate any insight you may be able to provide here on state and/or future plans.

-Brandon

Martin Kreichgauer

May 2, 2023, 8:06:41 PM
to rog...@chromium.org, Brandon, Chromium-dev
Hi there,

The WebAuthn spec does not support silent mediation. WebAuthn credentials can only be exercised with a tab modal dialog (the default), or through autofill (via silent mediation). The blog post you found predates WebAuthn and was about Credential Management's PasswordCredential type, I think.

Cheers,
Martin


Brandon

May 2, 2023, 8:07:01 PM
to Martin Kreichgauer, rog...@chromium.org, Chromium-dev, Brandon Thorpe
Thanks Martin! Is conditional mediation, e.g. as specified in this design doc, currently supported?

Martin Kreichgauer

May 2, 2023, 8:08:17 PM
to Brandon, rog...@chromium.org, Chromium-dev
Yes, conditional mediation is supported for WebAuthn through autofill as of Chrome 108. You can learn more in this blog post: https://developer.chrome.com/blog/webauthn-conditional-ui/

Brandon

May 2, 2023, 8:08:30 PM
to Martin Kreichgauer, rog...@chromium.org, Chromium-dev, Brandon Thorpe
Hi Martin,

A follow up question as I may be thinking about mediation the wrong way––I think more concretely my problem is that if I call navigator.credentials.get, from a device which does not have a credential stored for the relying party, Chrome will unconditionally ask the user to select another option for authentication such as using Bluetooth or some other roaming authenticator. My goal here is for instead the call to navigator.credentials.get to just return null or throw an exception in these cases, rather than asking the user to look for something that they would find very confusing (e.g. I just want to know that there are no credentials, rather than asking them about potential roaming authenticators). 

Is this possible today?

Thanks again.

-Brandon

On Thu, Apr 27, 2023 at 2:07 PM Brandon <bra...@formless.xyz> wrote:
Thank you!

Brandon

May 2, 2023, 8:08:30 PM
to Martin Kreichgauer, rog...@chromium.org, Chromium-dev
Thank you!

Martin Kreichgauer

May 3, 2023, 1:33:06 PM
to Brandon, rog...@chromium.org, Chromium-dev
By design, WebAuthn doesn't let websites silently discover whether the local device has a known credential for a particular RP ID. Autofill will always offer the user to use a passkey from another device, such as a passkey stored on their phone.
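An added example, not code from this thread or from Chromium: one way a relying party can act on the two answers above, feature-detecting conditional mediation and otherwise leaving the modal dialog for an explicit sign-in click instead of probing with "silent". The function names, the injectable `env` parameter and the `example.com` RP ID are assumptions for illustration, and the challenge is assumed to be random bytes issued by the server.

```javascript
// Added example (not from the thread). `env` defaults to the browser globals
// and is injectable so the logic can be exercised outside a browser.

// WebAuthn has no "silent" mode, so the choice is between autofill
// ("conditional") and the default tab-modal dialog.
async function chooseMediation(env = globalThis) {
  const pkc = env.PublicKeyCredential;
  if (!pkc) return "unsupported";
  if (typeof pkc.isConditionalMediationAvailable === "function" &&
      (await pkc.isConditionalMediationAvailable())) {
    return "conditional";
  }
  return "modal";
}

// Build the argument for navigator.credentials.get().
function buildRequest(mode, challenge, rpId, signal) {
  if (!(challenge instanceof Uint8Array) || challenge.length < 16) {
    throw new TypeError("challenge must be at least 16 server-generated random bytes");
  }
  const request = { publicKey: { challenge, rpId }, signal };
  if (mode === "conditional") {
    request.mediation = "conditional";
    // Empty allow-list: let the user pick any discoverable credential (passkey).
    request.publicKey.allowCredentials = [];
  }
  return request;
}

// Call on page load. With conditional mediation the returned promise stays
// pending until the user picks a passkey from the autofill list of an
// <input autocomplete="username webauthn">; it never reports "no credential".
async function startSignIn(challenge, rpId, env = globalThis) {
  const mode = await chooseMediation(env);
  if (mode !== "conditional") {
    // Do not open the modal dialog unprompted; wait for a sign-in button click.
    return { mode, abort: null, assertion: null };
  }
  const abort = new AbortController();
  const assertion = env.navigator.credentials.get(
    buildRequest(mode, challenge, rpId, abort.signal));
  // Call abort.abort() before starting a modal request from a button click.
  return { mode, abort, assertion };
}
```

In a page, `startSignIn(challengeFromServer, "example.com")` runs against the real browser globals; the resolved assertion still has to be verified by the server against the challenge it issued.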
