Required UserHandle upon WebAuthn Authentication


Dani Mező

Oct 20, 2021, 11:05:02 AM
to FIDO Dev (fido-dev)
Hi devs, Yuriy,

One of my colleagues noticed a discrepancy between the Conformance Test API and the WebAuthn spec, as follows.
In the api [1], the user handle is required:

dictionary ServerAuthenticatorAssertionResponse : ServerAuthenticatorResponse {
    required DOMString clientDataJSON;
    required DOMString authenticatorData;
    required DOMString signature;
    required DOMString userHandle;
};

While in the spec [2], it is nullable:

    [SameObject] readonly attribute ArrayBuffer authenticatorData;
    [SameObject] readonly attribute ArrayBuffer signature;
    [SameObject] readonly attribute ArrayBuffer? userHandle;
};

This is interesting, because some browsers and authenticators do return a null userHandle. What is the idea behind it being required? Should it be injected artificially there by the JS client?

Thank you for the responses,
Daniel Mező

Philipp Junghannß

Oct 20, 2021, 11:14:11 AM
to Dani Mező, FIDO Dev (fido-dev)
Also notable is that it is practically not needed usually, as the credentialID can be used to uniquely identify the credential, which is then likely mapped to the user anyway in the database.


Shane Weeden

Oct 20, 2021, 4:53:59 PM
to FIDO Dev (fido-dev), My1, FIDO Dev (fido-dev), Dani Mező
There is a previous thread on this topic with more of a discussion around user handle: https://groups.google.com/a/fidoalliance.org/g/fido-dev/c/v_9WuZjXhrg

In my experience the user handle is only provided in the results from navigator.credentials.get when using discoverable credentials.

Regards,
Shane.
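The two points above (the credential ID alone identifies the registered credential and its owner; userHandle is only present in some flows, typically discoverable credentials) translate into a relying-party lookup that treats userHandle as optional but checks it for consistency when present. Added example, not code from the thread or from any FIDO project; the credential store, IDs and assertion shape are constructed for illustration.

```javascript
// Added example: resolving the account for a WebAuthn assertion when the
// userHandle may be absent. IDs are base64url-style strings, as in the
// conformance-test ServerAuthenticatorAssertionResponse.

// Constructed sample credential store: credentialId -> owner and key.
// A real RP would back this with its database.
const CREDENTIALS = new Map([
  ["cred-alice-1", { userId: "user-alice", publicKey: "<alice-pubkey>" }],
  ["cred-bob-1",   { userId: "user-bob",   publicKey: "<bob-pubkey>" }],
]);

// null/undefined mean "not returned by the authenticator"; an empty string is
// treated the same way, since a value injected only to satisfy a required
// field carries no information about the account.
function userHandlePresent(userHandle) {
  return userHandle !== null && userHandle !== undefined && userHandle !== "";
}

/**
 * Returns the userId that owns the credential used in `assertion`.
 *  - The credential ID -> stored owner mapping is always authoritative.
 *  - If a userHandle is present it must agree with the stored owner.
 *  - In a username-first flow the caller passes `expectedUserId`, and the
 *    credential must be registered to that user.
 * Throws on any inconsistency so the assertion is rejected before the
 * signature is even checked. (Signature verification is out of scope here.)
 */
function resolveAssertionUser(assertion, expectedUserId = null) {
  const cred = CREDENTIALS.get(assertion.id);
  if (!cred) {
    throw new Error("unknown credential id");
  }
  const { userHandle } = assertion.response;
  if (userHandlePresent(userHandle) && userHandle !== cred.userId) {
    throw new Error("userHandle does not match the credential's registered owner");
  }
  if (expectedUserId !== null && expectedUserId !== cred.userId) {
    throw new Error("credential is not registered to the expected user");
  }
  // Usernameless (discoverable) flow: no expectedUserId, and the owner is
  // found from the credential ID whether or not a userHandle was returned.
  return cred.userId;
}
```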

nuno sung

Oct 21, 2021, 1:10:51 AM
to FIDO Dev (fido-dev), Shane Weeden, My1, FIDO Dev (fido-dev), Dani Mező
The CTAP2 spec has the definition for the related cases of whether or not (optional) to return the
PublicKeyCredentialUserEntity structure containing the user account information.

Shane Weeden wrote in a message on Thursday, October 21, 2021 at 4:53:59 AM [UTC+8]: