Closed igorlogvin closed 9 months ago
At the same time, how does the device behave if it is sent the same set of options (excluding `challenge`) in the `navigator.credentials.create` function?
If any of the credentials listed in `excludeCredentials` exist on the authenticator, the authenticator will refuse to create a credential. When this happens, browsers typically show the user an error message saying something like "You have already registered this device, please use a different one". java-webauthn-server by default sets `excludeCredentials` to include all of the user's registered credentials, because there is little reason to have more than one credential for the same account on the same authenticator.
If several credentials are created on the backend from one browser and website for one user, how will the device behave if all created values are given in the `allowCredentials` list? Which one will it choose?
First, the browser will prompt the user for which authenticator to use. Platforms with a built-in platform authenticator may offer the platform authenticator most prominently, but also offer the option to use an external security key, for example. Some browsers also allow the user to choose to use a security key by simply tapping the security key, instead of having to explicitly click the option in the browser UI.
If the chosen authenticator has more than one credential for the service (each usually corresponding to a different account), then the browser will ask the user which credential to use. If the chosen authenticator has no credential listed in `allowCredentials`, then the browser will show an error message saying something like "That authenticator is not registered with this site, please try a different one".
java-webauthn-server by default sets `allowCredentials` to contain all of the user's credentials (assuming the user is already identified - otherwise `allowCredentials` will be empty), because there is little reason to prefer any one over any other, but this can be overridden if necessary.
It’s probably worth explaining what the `credentialId` on the device is formed from in order to understand more precisely.
Credential IDs are specified as opaque byte strings, any structure to them is an authenticator implementation detail.
Does that answer your questions?
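The two defaults described in the answer above, shown end to end as an added example (this is not code from the issue or from the java-webauthn-server project itself). It wires a constructed in-memory `CredentialRepository` holding two credentials for one user into a `RelyingParty`, then checks that `startRegistration` lists both of them in `excludeCredentials`, that `startAssertion` with a username lists both in `allowCredentials`, and that `startAssertion` without a username leaves `allowCredentials` unset. Class and method names follow the library's public 2.x API as I know it; the RP id `example.com`, the user `alice`, the credential IDs and the placeholder COSE key bytes are all made up for the example, and the placeholder key is never used for signature verification here.

```java
import com.yubico.webauthn.AssertionRequest;
import com.yubico.webauthn.CredentialRepository;
import com.yubico.webauthn.RegisteredCredential;
import com.yubico.webauthn.RelyingParty;
import com.yubico.webauthn.StartAssertionOptions;
import com.yubico.webauthn.StartRegistrationOptions;
import com.yubico.webauthn.data.ByteArray;
import com.yubico.webauthn.data.PublicKeyCredentialCreationOptions;
import com.yubico.webauthn.data.PublicKeyCredentialDescriptor;
import com.yubico.webauthn.data.RelyingPartyIdentity;
import com.yubico.webauthn.data.UserIdentity;

import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.stream.Collectors;

public class DefaultDescriptorsDemo {

    /** Constructed in-memory store for the example: username -> registered credentials. */
    static final class InMemoryCredentials implements CredentialRepository {
        private final Map<String, ByteArray> handles = new HashMap<>();
        private final Map<String, List<RegisteredCredential>> creds = new HashMap<>();

        void add(String username, RegisteredCredential c) {
            handles.put(username, c.getUserHandle());
            creds.computeIfAbsent(username, k -> new ArrayList<>()).add(c);
        }

        // This is the method the library consults to fill excludeCredentials (registration)
        // and allowCredentials (assertion with a known username).
        @Override
        public Set<PublicKeyCredentialDescriptor> getCredentialIdsForUsername(String username) {
            return creds.getOrDefault(username, List.of()).stream()
                .map(c -> PublicKeyCredentialDescriptor.builder().id(c.getCredentialId()).build())
                .collect(Collectors.toSet());
        }

        @Override
        public Optional<ByteArray> getUserHandleForUsername(String username) {
            return Optional.ofNullable(handles.get(username));
        }

        @Override
        public Optional<String> getUsernameForUserHandle(ByteArray userHandle) {
            return handles.entrySet().stream()
                .filter(e -> e.getValue().equals(userHandle))
                .map(Map.Entry::getKey)
                .findFirst();
        }

        @Override
        public Optional<RegisteredCredential> lookup(ByteArray credentialId, ByteArray userHandle) {
            return creds.values().stream().flatMap(List::stream)
                .filter(c -> c.getCredentialId().equals(credentialId)
                          && c.getUserHandle().equals(userHandle))
                .findFirst();
        }

        @Override
        public Set<RegisteredCredential> lookupAll(ByteArray credentialId) {
            return creds.values().stream().flatMap(List::stream)
                .filter(c -> c.getCredentialId().equals(credentialId))
                .collect(Collectors.toSet());
        }
    }

    public static void main(String[] args) {
        ByteArray aliceHandle = new ByteArray("alice-user-handle".getBytes(StandardCharsets.UTF_8));
        // Placeholder COSE key bytes: only stored, never verified against, in this example.
        ByteArray fakeCose = new ByteArray(new byte[] {(byte) 0xa5, 0x01, 0x02});

        InMemoryCredentials repo = new InMemoryCredentials();
        for (String fakeId : List.of("cred-id-1", "cred-id-2")) {
            repo.add("alice", RegisteredCredential.builder()
                .credentialId(new ByteArray(fakeId.getBytes(StandardCharsets.UTF_8)))
                .userHandle(aliceHandle)
                .publicKeyCose(fakeCose)
                .signatureCount(0)
                .build());
        }

        RelyingParty rp = RelyingParty.builder()
            .identity(RelyingPartyIdentity.builder().id("example.com").name("Example RP").build())
            .credentialRepository(repo)
            .build();

        // Registration: both existing credentials land in excludeCredentials, so an
        // authenticator already holding either one refuses navigator.credentials.create().
        PublicKeyCredentialCreationOptions creation = rp.startRegistration(
            StartRegistrationOptions.builder()
                .user(UserIdentity.builder().name("alice").displayName("Alice").id(aliceHandle).build())
                .build());
        int excluded = creation.getExcludeCredentials().map(Set::size).orElse(0);
        System.out.println("excludeCredentials entries: " + excluded); // expected 2

        // Assertion for a known user: both credentials land in allowCredentials and the
        // browser/authenticator lets the user pick if more than one is present on the device.
        AssertionRequest identified = rp.startAssertion(
            StartAssertionOptions.builder().username("alice").build());
        int allowed = identified.getPublicKeyCredentialRequestOptions()
            .getAllowCredentials().map(List::size).orElse(0);
        System.out.println("allowCredentials entries (identified user): " + allowed); // expected 2

        // Assertion with no username: allowCredentials is left unset, so the browser
        // offers whatever discoverable credentials the authenticator holds for this RP ID.
        AssertionRequest anonymous = rp.startAssertion(StartAssertionOptions.builder().build());
        boolean allowPresent = anonymous.getPublicKeyCredentialRequestOptions()
            .getAllowCredentials().isPresent();
        System.out.println("allowCredentials present (unidentified user): " + allowPresent); // expected false
    }
}
```

Run it with the `com.yubico:webauthn-server-core` artifact on the classpath. The point to notice is that neither option is set by hand: everything in `excludeCredentials` and `allowCredentials` comes from `getCredentialIdsForUsername`, so a repository that returns a stale or partial set for a user directly weakens the "one credential per authenticator per account" guarantee the answer describes.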
Thanks for the answer! I got it.
Hello! One question has arisen regarding registration in the device. Let’s say the backend does not limit the creation of credentials for one user in any way. At the same time, how does the device behave if it is sent the same set of options (excluding `challenge`) in the `navigator.credentials.create` function?

And a question regarding the `assertion` operation. If several credentials are created on the backend from one browser and website for one user, how will the device behave if all created values are given in the `allowCredentials` list? Which one will it choose? It’s probably worth explaining what the `credentialId` on the device is formed from in order to understand more precisely.