w3c / webauthn

Web Authentication: An API for accessing Public Key Credentials
https://w3c.github.io/webauthn/

Add `mediation` to `PublicKeyCredentialJSON` #2124

Closed zacknewman closed 3 months ago

zacknewman commented 3 months ago

WebAuthn Relying Party Operations states (emphasis added):

Upon successful execution of create() or get(), the Relying Party's script receives a PublicKeyCredential containing an AuthenticatorAttestationResponse or AuthenticatorAssertionResponse structure, respectively, from the client. It must then deliver the contents of this structure to the Relying Party server, using methods outside the scope of this specification. This section describes the operations that the Relying Party must perform upon receipt of these structures.

Based on this description, I interpret that the expectation is for the server to perform all of the necessary validation. Step 14 of Registering a New Credential cannot be performed without CredentialCreationOptions.mediation:

  14. Verify that the UP bit of the flags in authData is set, unless options.mediation is set to conditional.

Either mediation should be added to RegistrationResponseJSON and AuthenticatorAssertionResponseJSON so that the ceremony has a defined way of receiving this value, or it should be part of PublicKeyCredentialCreationOptions and PublicKeyCredentialRequestOptions so the server has the value already upon receiving PublicKeyCredentialJSON. I realize adding to the PublicKeyCredentialCreationOptions and PublicKeyCredentialRequestOptions is somewhat silly since mediation is already part of CredentialCreationOptions, of which PublicKeyCredentialCreationOptions is also a part via publicKey.

The point of the JSON types is having a defined way for the server to send and receive all necessary information to perform the registration and authentication ceremony criteria, correct? Without this, there is still necessary information missing which sort of defeats the purpose for the JSON types since clients and servers will be forced to come up with their own mechanism and not rely on a standardized way.

Does it make sense to create CredentialCreationOptionsJSON and CredentialRequestOptionsJSON types?

* Note step 14 is technically incorrect since mediation is not a key of PublicKeyCredentialCreationOptions (see #2122).

emlun commented 3 months ago

Step 1 of Registering a New Credential reads:

  1. Let options be a new PublicKeyCredentialCreationOptions structure configured to the Relying Party's needs for the ceremony.

Indeed this is currently a bit obscured due to the inconsistency you note in the footnote (#2122), but PR #2125 would correct this to:

  1. Let options be a new CredentialCreationOptions structure configured to the Relying Party's needs for the ceremony. Let pkOptions be options.publicKey.

So the RP should already know the value of options.mediation, because it was one of the input arguments the RP set at the beginning of the procedure. There is no need to feed it back to the RP in the output types.
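
The approach described in the reply above, as an added example that is not part of the thread or the specification: the Relying Party server records the `mediation` value it chose when it issues the challenge, then consults that stored value when it checks the UP bit. The names `beginRegistration`, `checkUserPresence`, `pending` and `sampleAuthData` are hypothetical, and the caller is assumed to have already extracted and verified the challenge from clientDataJSON.

```javascript
// Added example: hypothetical RP server helpers, not from the spec or a library.
const crypto = require('node:crypto');

const FLAG_UP = 0x01;        // bit 0 of the authData flags byte (User Present)
const pending = new Map();   // challenge (base64url) -> server-side ceremony state

// Start a registration ceremony. The RP chooses `mediation` itself and keeps it
// server-side, so nothing the client later sends can change it.
function beginRegistration(userId, mediation = 'optional') {
  const challenge = crypto.randomBytes(32).toString('base64url');
  pending.set(challenge, { userId, mediation });
  // Assumption: mediation reaches the front end by an RP-specific field,
  // next to the publicKey options (other publicKey members omitted here).
  return { mediation, publicKey: { challenge } };
}

// The UP check of the registration procedure, driven by the stored options.
function checkUserPresence(challenge, authData) {
  const state = pending.get(challenge);
  if (!state) throw new Error('unknown or replayed challenge');
  pending.delete(challenge); // each challenge is accepted once
  if (authData.length < 37) throw new Error('authData too short');
  const flags = authData[32]; // layout: rpIdHash(32) | flags(1) | signCount(4)
  const up = (flags & FLAG_UP) !== 0;
  if (!up && state.mediation !== 'conditional') {
    throw new Error('UP flag not set');
  }
  return { userId: state.userId, up };
}

// Constructed authData for the demo: placeholder hash, flags byte, zero counter.
function sampleAuthData(flags) {
  return Buffer.concat([
    Buffer.alloc(32, 0xaa),
    Buffer.from([flags]),
    Buffer.alloc(4),
  ]);
}
```

Because the stored state is keyed by the challenge, a client that claims conditional mediation in its response cannot relax the UP requirement for a ceremony the server started as non-conditional.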