w3ctag / design-reviews

W3C specs and API reviews
Creative Commons Zero v1.0 Universal

Web Authentication: Large Blob extension #820

Closed nsatragno closed 1 year ago

nsatragno commented 1 year ago

Salutations TAG!

I'm requesting a TAG review of the Web Authentication Large Blob extension.

The Web Authentication Large Blob extension allows relying parties to store small amounts of opaque data associated with a credential on an authenticator. This is useful for authentication schemes involving storing certificates on authenticators.

Further details:

You should also know that...

This feature requires OS-level support for platforms where the OS handles WebAuthn requests (this is the case for Windows). Support on Windows has already shipped.

We'd prefer the TAG provide feedback as (please delete all but the desired option):

💬 leave review feedback as a comment in this issue and @-notify @nsatragno

plinss commented 1 year ago

@maxpassion and I took a look at this during our Tokyo F2F and we have some questions:

1) The explainer talks about a 'small amount of data', why is this called 'largeBlob'?
2) Why is it called a blob if it's reading and writing array buffers? The property name should be relevant to the data type, either make the API accept a Blob or use a name that doesn't imply Blobs.
3) What's the size limit of the data? Is there any way for the RP to know what's available?
4) Is there expected to be a mechanism for the user to clear this data? (Independent of clearing the entire auth for the RP) Either via UA UI or a future API call?

rhiaro commented 1 year ago

hi @nsatragno, have you had any chance to look at the questions @plinss left a couple of months ago?

Also, do you have an update on the implementation status, and any multi-stakeholder support? We see that Webkit is tentatively supportive and prototyping an implementation. We'd love to hear of any changes or iterations or emerging issues as a result of working with other implementers. Thanks.

nsatragno commented 1 year ago

This slipped through my emails, sorry!

> The explainer talks about a 'small amount of data', why is this called 'largeBlob'?
> Why is it called a blob if it's reading and writing array buffers? The property name should be relevant to the data type, either make the API accept a Blob or use a name that doesn't imply Blobs.

The name comes from CTAP. 1kb is "large" with respect to the available memory on security keys, and with respect to the older credBlob extension that supports 32 bytes. Array buffers are used to write and read binary data all through the webauthn spec.

> What's the size limit of the data?

This depends on the authenticator; the specification does not state a maximum size.

> Is there any way for the RP to know what's available?

A relying party can set largeBlob's support to required (or preferred) to discover availability when creating a credential, but cannot query the available space on the authenticator.

> Is there expected to be a mechanism for the user to clear this data? (Independent of clearing the entire auth for the RP) Either via UA UI or a future API call?

User agent management of authenticators is not specified by webauthn or CTAP, but the authenticator API endpoints to manage credentials (and large blobs) are. On some platforms, Chrome has the ability to delete credentials with an associated large blob which will clear the blob as well. Some authenticator vendors provide their own management software.

RPs can clear a large blob without deleting the credential by writing an empty blob.

> Also, do you have an update on the implementation status, and any multi-stakeholder support?

It's shipped on Chrome 113 and Safari 17. The compression algorithm turned out to be a subtle source of incompatibility, so if we could redesign the API we would probably change that.

At this time, the only improvement we are working on is support over the hybrid protocol. This will let websites create & retrieve large blobs for authenticators such as phones. This has no effect on the web API surface, but required a few changes on CTAP (not published yet, sorry).
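The create, read, write and clear flows described in the reply above, as an added example that is not part of the thread or of any browser's code. The helper names (`largeBlobForCreate`, `largeBlobForGet`, `classifyLargeBlob`, `writeLargeBlob`) and the `baseOptions` parameter are hypothetical; the caller supplies the challenge and RP ID.

```javascript
// Added example (not from the thread). Helper names are hypothetical.

// Extension input for navigator.credentials.create(): ask for blob storage.
function largeBlobForCreate(support = "preferred") {
  if (support !== "required" && support !== "preferred") {
    throw new TypeError("support must be 'required' or 'preferred'");
  }
  return { largeBlob: { support } };
}

// Extension input for navigator.credentials.get(): read, write, or clear.
// Clearing is a write of an empty blob, as described in the thread.
function largeBlobForGet(op, bytes) {
  if (op === "read") return { largeBlob: { read: true } };
  if (op === "clear") return { largeBlob: { write: new Uint8Array(0) } };
  if (op === "write" && bytes instanceof Uint8Array) {
    return { largeBlob: { write: bytes } };
  }
  throw new TypeError("op must be read, clear, or write with a Uint8Array");
}

// Classify credential.getClientExtensionResults() for the given operation.
function classifyLargeBlob(op, results) {
  const lb = results && results.largeBlob;
  if (!lb) return "unsupported"; // extension output absent
  if (op === "create") return lb.supported ? "supported" : "unsupported";
  if (op === "read") return lb.blob ? "blob-returned" : "no-blob";
  // write or clear: the entry can be present while written is false,
  // so never assume the data was stored without checking it.
  return lb.written === true ? "written" : "write-failed";
}

// Browser-only: write `bytes` to one credential and report the outcome.
async function writeLargeBlob(baseOptions, credentialId, bytes) {
  const publicKey = {
    ...baseOptions, // challenge, rpId, etc. supplied by the caller
    // a write must name exactly one credential
    allowCredentials: [{ type: "public-key", id: credentialId }],
    extensions: largeBlobForGet(bytes.length ? "write" : "clear", bytes),
  };
  const cred = await navigator.credentials.get({ publicKey });
  return classifyLargeBlob("write", cred.getClientExtensionResults());
}
```

The authenticator treats the blob as opaque bytes, so an RP that stores certificates or keys there should validate whatever comes back before using it.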

agl commented 1 year ago

> Also, do you have an update on the implementation status, and any multi-stakeholder support?

While we don't have any details about how Apple are using it, largeBlob support is required when signing into iCloud on a desktop machine with an iOS 17 device.

plinss commented 1 year ago

@nsatragno Thanks for the reply. We're closing this as satisfied. I personally think the naming is a bit unfortunate (and confusing with platform Blobs) but understand that it matches other usage and is too late to change.

spencercap commented 1 year ago

@nsatragno + others, thanks for your developments on this!

unfortunately I'm finding that Chrome (ver 117.0.5938.88) is NOT able to save a largeBlob in the glitch demo, but Safari 17 (desktop + iOS17) is able to save it successfully while running the same code.

I see these tests are passing... and what's strange is that extensions.largeBlob is defined (as in supported) but then the response keeps coming back as extensions.largeBlob.written == false when trying to write a largeBlob in Chrome. Is this a Chrome bug?

I'm testing with TouchID on macOS and FaceID on iOS.

miketaylr commented 1 year ago

> Is this a Chrome bug?

crbug.com/new is a better place to discuss, rather than a closed TAG review. Thanks! 😃