Yubico / java-webauthn-server

Server-side Web Authentication library for Java https://www.w3.org/TR/webauthn/#rp-operations

Question on theory: multiple uses of navigator.credentials.create #321

Closed igorlogvin closed 9 months ago

igorlogvin commented 9 months ago

Hello! One question has arisen regarding registration in the device. Let’s say the backend does not limit the creation of credentials for one user in any way. At the same time, how does the device behave if it is sent the same set of options (excluding challenge) in the navigator.credentials.create function?

And a question regarding the assertion operation. If several credentials are created on the backend from one browser and website for one user, how will the device behave if all created values are given in the allowCredentials list? Which one will it choose? It’s probably worth explaining what the credentialId on the device is formed from in order to understand more precisely.

emlun commented 9 months ago

> At the same time, how does the device behave if it is sent the same set of options (excluding challenge) in the navigator.credentials.create function?

If any of the credentials listed in excludeCredentials exist on the authenticator, the authenticator will refuse to create a credential. When this happens, browsers typically show the user an error message saying something like "You have already registered this device, please use a different one". java-webauthn-server by default sets excludeCredentials to include all of the user's registered credentials, because there is little reason to have more than one credential for the same account on the same authenticator.

> If several credentials are created on the backend from one browser and website for one user, how will the device behave if all created values are given in the allowCredentials list? Which one will it choose?

First, the browser will prompt the user for which authenticator to use. Platforms with a built-in platform authenticator may offer the platform authenticator most prominently, but also offer the option to use an external security key, for example. Some browsers also allow the user to choose to use a security key by simply tapping the security key, instead of having to explicitly click the option in the browser UI.

If the chosen authenticator has more than one credential for the service (each usually corresponding to a different account), then the browser will ask the user which credential to use. If the chosen authenticator has no credential listed in allowCredentials, then the browser will show an error message saying something like "That authenticator is not registered with this site, please try a different one".

java-webauthn-server by default sets allowCredentials to contain all of the user's credentials (assuming the user is already identified - otherwise allowCredentials will be empty), because there is little reason to prefer any one over any other, but this can be overridden if necessary.

> It’s probably worth explaining what the credentialId on the device is formed from in order to understand more precisely.

Credential IDs are specified as opaque byte strings, any structure to them is an authenticator implementation detail.

Does that answer your questions?
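
The two defaults described above (excludeCredentials filled with all of the user's credentials at registration, allowCredentials filled with the same set at assertion when the user is identified) can be seen by building a RelyingParty over a tiny in-memory CredentialRepository and inspecting the options it returns. This is an added example, not code from the thread or from the project; it assumes the library's 2.x public API (class and method names as recalled, not verified against the page) and uses constructed sample credential IDs.

```java
import com.yubico.webauthn.*;
import com.yubico.webauthn.data.*;
import java.util.*;

public class ExcludeAllowDefaults {
    // Constructed sample data: "alice" already has two registered credential IDs.
    static final ByteArray ALICE_HANDLE = new ByteArray("alice-handle".getBytes());
    static final ByteArray CRED_A = new ByteArray(new byte[] {1, 2, 3, 4});
    static final ByteArray CRED_B = new ByteArray(new byte[] {5, 6, 7, 8});

    // Minimal in-memory repository; a real one is backed by the account database.
    static final CredentialRepository REPO = new CredentialRepository() {
        public Set<PublicKeyCredentialDescriptor> getCredentialIdsForUsername(String username) {
            if (!"alice".equals(username)) return Collections.emptySet();
            Set<PublicKeyCredentialDescriptor> ids = new HashSet<>();
            for (ByteArray id : Arrays.asList(CRED_A, CRED_B))
                ids.add(PublicKeyCredentialDescriptor.builder().id(id).build());
            return ids;
        }
        public Optional<ByteArray> getUserHandleForUsername(String username) {
            return "alice".equals(username) ? Optional.of(ALICE_HANDLE) : Optional.empty();
        }
        public Optional<String> getUsernameForUserHandle(ByteArray userHandle) {
            return ALICE_HANDLE.equals(userHandle) ? Optional.of("alice") : Optional.empty();
        }
        public Optional<RegisteredCredential> lookup(ByteArray credentialId, ByteArray userHandle) {
            return Optional.empty(); // public keys omitted: only the ceremony options matter here
        }
        public Set<RegisteredCredential> lookupAll(ByteArray credentialId) {
            return Collections.emptySet();
        }
    };

    public static void main(String[] args) {
        RelyingParty rp = RelyingParty.builder()
            .identity(RelyingPartyIdentity.builder().id("example.com").name("Example RP").build())
            .credentialRepository(REPO)
            .build();

        // Registration: excludeCredentials carries every credential alice already has, so an
        // authenticator that holds CRED_A or CRED_B refuses to create a second one for her.
        PublicKeyCredentialCreationOptions creation = rp.startRegistration(
            StartRegistrationOptions.builder()
                .user(UserIdentity.builder().name("alice").displayName("Alice").id(ALICE_HANDLE).build())
                .build());
        System.out.println("excludeCredentials: " + creation.getExcludeCredentials());

        // Assertion for an identified user: allowCredentials lists the same set; which one is
        // used is decided by the browser and authenticator, not by the server.
        AssertionRequest assertion = rp.startAssertion(
            StartAssertionOptions.builder().username("alice").build());
        System.out.println("allowCredentials: "
            + assertion.getPublicKeyCredentialRequestOptions().getAllowCredentials());
    }
}
```

Both printed lists should contain the descriptors for CRED_A and CRED_B; calling startAssertion without a username would instead yield an empty allowCredentials, as the reply notes.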

igorlogvin commented 9 months ago

Thanks for the answer! I got it.