Closed ianbjacobs closed 2 years ago
(Just documenting reality, not making any suggestions currently).
WebAuthn
If we look at WebAuthn as a model, the credentials passed into SPC are roughly analogous to allowCredentials, which states that they are:
in descending order of the caller’s preference (the first item in the list is the most preferred credential, and so on down the list)
How this is ultimately used in WebAuthn appears to be a user dialog, step 7 of 6.3.3. The authenticatorGetAssertion Operation:
Prompt the user to select a public key credential source selectedCredential from credentialOptions.
(Where credentialOptions is allowCredentials filtered to those credentials that match the authenticator device).
How does this relate to SPC today? Well, since the spec uses allowCredentials (step 5 of 4.1.6. Steps to respond to a payment request), by spec we should inherit WebAuthn's behavior and ultimately show . In practical reality, I believe in Chrome we just grab the first matching credential in the list and use that currently.
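The two behaviours contrasted above, as an added example (not code from the issue, Chrome, or the SPC/WebAuthn specs): the caller-ordered allowCredentials list is narrowed to what the authenticator holds, then either the first match is taken or the user is asked to choose. The `authenticatorCredentials` shape, the `chooser` callback and the sample IDs are assumptions made for illustration.

```javascript
// Added example, not part of the issue thread. Models WebAuthn 6.3.3 step 7
// (prompt the user to select from credentialOptions) against the "take the
// first match" behaviour described for Chrome. `authenticatorCredentials`,
// `chooser` and the sample IDs below are constructed for illustration.

// Compare two credential IDs (BufferSource in WebAuthn) byte-for-byte.
function sameId(a, b) {
  if (a.length !== b.length) return false;
  for (let i = 0; i < a.length; i++) if (a[i] !== b[i]) return false;
  return true;
}

// credentialOptions: allowCredentials filtered to the credentials this
// authenticator knows, preserving the caller's descending order of preference.
function credentialOptions(allowCredentials, authenticatorCredentials) {
  return allowCredentials.filter(desc =>
    desc.type === 'public-key' &&
    authenticatorCredentials.some(c => sameId(c.id, desc.id)));
}

// Behaviour the thread attributes to Chrome: use the first match, no prompt.
function selectFirstMatching(allowCredentials, authenticatorCredentials) {
  const options = credentialOptions(allowCredentials, authenticatorCredentials);
  return options.length ? options[0] : null;
}

// Behaviour the specs describe: let the user pick from credentialOptions.
// `chooser` stands in for the browser's selection UI and returns an index.
function selectWithPrompt(allowCredentials, authenticatorCredentials, chooser) {
  const options = credentialOptions(allowCredentials, authenticatorCredentials);
  if (options.length === 0) return null;       // nothing to offer the user
  if (options.length === 1) return options[0]; // no real choice to present
  const i = chooser(options);
  return Number.isInteger(i) && i >= 0 && i < options.length ? options[i] : null;
}

// Constructed sample data: the RP prefers credential A, then B, then C.
const ID_A = Uint8Array.of(1, 1, 1);
const ID_B = Uint8Array.of(2, 2, 2);
const ID_C = Uint8Array.of(3, 3, 3);
const ALLOW = [
  { type: 'public-key', id: ID_A },
  { type: 'public-key', id: ID_B },
  { type: 'public-key', id: ID_C },
];
// The authenticator only holds C and B (A was enrolled on another device).
const AUTH_CREDS = [{ id: ID_C }, { id: ID_B }];
```

With these inputs the first-match path silently picks B; the prompt path offers B and C in the RP's order and lets the user choose either.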
It seems to me that the specification addresses this issue in step 6 of 4.1.6. Steps to respond to a payment request [1]. The specification answers the question by saying to run the Credential Management API "Request a Credential" algorithm. Based on @stephenmcgruer's comment, that's not what the current implementation does, so I propose to add an implementation note. However, I propose that we close this issue with the currently specified behavior and move in that direction. (Please indicate support for that proposal on this thread. Thanks!)
[1] https://w3c.github.io/secure-payment-confirmation/#sctn-steps-to-respond-to-a-payment-request
The specification now includes an answer to the question in the algorithm of 4.1.6 along with a note that the Chrome implementation does not conform. We can decide in the future which needs to change.
Based on some questions by @goosth:
When more than one SPC credential matches, what requirements are there, and what should be left to browser innovation?
For example:
On the other hand, it might be a requirement for the browser to try to match the requirements in the order specified in the input to the API. This would allow the RP to express preferences, and this could be one way for the RP to say "I want you to go for frictionless first, then low friction."