1Password / passkey-rs

A framework for defining Webauthn Authenticators that support passkeys
Apache License 2.0

Add a client setting around UV boolean on `preferred` #25

Open Progdrasil opened 1 month ago

Progdrasil commented 1 month ago

Suggestion (follow-up): So this would put uv = true on preferred and required. This may not be true for other providers; they may want to do UV only on required, for example. This should be a setting on the client that can be enabled. Not a blocking issue for this PR, I'm mainly adding this to create a follow-up issue about it.

_Originally posted by @Progdrasil in https://github.com/1Password/passkey-rs/pull/22#discussion_r1633616876_

coroiu commented 1 month ago

Wouldn't this be against the spec?

https://www.w3.org/TR/webauthn-3/#sctn-createCredential

Progdrasil commented 1 month ago

Yes, however the operation should not fail if UV was not performed and the preference is "preferred". In practice it's also been interpreted as "up to the client".

The thing is, I personally think this enum should have been passed to the authenticator directly and let the authenticator decide. I could have done that in this library but decided to follow CTAP which sets this as a boolean.

coroiu commented 1 month ago

> I personally think this enum should have been passed to the authenticator directly and let the authenticator decide

That's exactly how we've implemented it: we're setting aside the value before calling the client and then using it in a wrapper around our own `UserValidationMethod`.

Progdrasil commented 1 month ago

As a way to keep CTAP interface compatibility, we could implement this as an authenticator extension. We'll be bringing PRs soon adding extension infrastructure.
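
The setting proposed in this issue, sketched as an added example (not part of the thread and not passkey-rs code): the relying party's `userVerification` value is reduced to the `uv` boolean under a client policy, and only `required` fails when UV was not performed. All type and function names are hypothetical, and treating a non-UV-capable authenticator under `required` as an error is an assumption.

```rust
// Added example; every name here is hypothetical, not the passkey-rs API.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum UserVerificationRequirement { Required, Preferred, Discouraged }

/// Client setting: how `preferred` is reduced to the CTAP-style `uv` boolean.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum PreferredUvPolicy {
    /// Request UV on `preferred` whenever the authenticator is capable of it.
    VerifyIfCapable,
    /// Request UV only when the relying party asked for `required`.
    OnlyWhenRequired,
}

#[derive(Debug, PartialEq)]
pub enum UvError { AuthenticatorCannotVerify, VerificationNotPerformed }

/// Decide the `uv` boolean to send to the authenticator.
pub fn uv_option(
    req: UserVerificationRequirement,
    policy: PreferredUvPolicy,
    can_uv: bool,
) -> Result<bool, UvError> {
    use UserVerificationRequirement::*;
    match req {
        // Assumption: an authenticator without UV cannot serve `required`.
        Required if !can_uv => Err(UvError::AuthenticatorCannotVerify),
        Required => Ok(true),
        Preferred => Ok(can_uv && policy == PreferredUvPolicy::VerifyIfCapable),
        Discouraged => Ok(false),
    }
}

/// Validate the UV flag the authenticator reported; only `required` can fail.
pub fn check_response(req: UserVerificationRequirement, uv_performed: bool) -> Result<(), UvError> {
    if req == UserVerificationRequirement::Required && !uv_performed {
        return Err(UvError::VerificationNotPerformed);
    }
    Ok(())
}

fn main() {
    use PreferredUvPolicy::*;
    use UserVerificationRequirement::*;
    for policy in [VerifyIfCapable, OnlyWhenRequired] {
        for req in [Required, Preferred, Discouraged] {
            println!("{:?} {:?} -> uv={:?}", policy, req, uv_option(req, policy, true));
        }
    }
    println!("preferred, UV skipped: {:?}", check_response(Preferred, false));
}
```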