Credit and thanks to @akshayku for pointing this out
The "payment" WebAuthn extension defined in the SPC spec does not define any client extension outputs:
Client extension output
None
This means that it is not possible for a relying party to know that the 'thirdPartyPayment' bit was supported and has been successfully stored, and thus that they can use the created credential in a cross-domain SPC call. We should probably do something similar to largeBlob and return a supported bit which will be true (and really, would exist at all?) only if the authenticator supported and set the bit.
(Practically speaking, we would also return true if the browser cached the bit on the authenticator's behalf. Maybe we should just make that explicit and have an enum of {kFailed, kSuccess, kBrowserStoredIt}?)
Sidenote: This issue also highlights once again what was discussed but never actioned in SPC: From browser cache to FIDO/WebAuthn integration, which is that we'd really be better off separating the "payment" auth-time extension from the "thirdPartyPayment" create-time extension. Today only the former really exists at the browser level, and the latter only exists at the CTAP/authenticator level, and we glue it all together and pretend the mess doesn't exist. But it does.
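As an added illustration (not from the SPC spec, Chromium, or the issue author), the relying-party side of the gap described above: today the `payment` extension returns no client output, so the only safe reading is "unknown". The `largeBlob.supported` output is the real WebAuthn shape the issue points to; the `payment.supported` bit and the three-state `status` value are hypothetical shapes modelled on the issue's proposal.

```javascript
// Added example, not part of the SPC spec or the original issue.
// Request shape an RP would send to navigator.credentials.create():
// `payment.isPayment` is the real SPC create-time input; largeBlob's
// `support` input is the real WebAuthn Level 3 input it is compared with.
const createExtensions = {
  payment: { isPayment: true },
  largeBlob: { support: 'preferred' },
};

// Today's largeBlob pattern: a `supported` bit comes back in
// getClientExtensionResults(). Absent or false means "do not rely on it".
function largeBlobStored(extResults) {
  const lb = extResults.largeBlob;
  return Boolean(lb && lb.supported === true);
}

// Hypothetical `payment` output as the issue proposes. Returns whether the RP
// may use the new credential in a cross-origin SPC call:
//   'unknown'         no output at all (the current spec), assume not usable
//   'authenticator'   authenticator set the thirdPartyPayment bit itself
//   'browser'         browser cached the bit on the authenticator's behalf
//   'failed'          explicitly not stored
function thirdPartyPaymentStatus(extResults) {
  const p = extResults.payment;
  if (!p) return 'unknown';
  // Three-state variant ({kFailed, kSuccess, kBrowserStoredIt}) if adopted.
  if (typeof p.status === 'string') {
    return { kSuccess: 'authenticator', kBrowserStoredIt: 'browser', kFailed: 'failed' }[p.status] || 'unknown';
  }
  // Simple boolean variant mirroring largeBlob.supported.
  if (typeof p.supported === 'boolean') return p.supported ? 'authenticator' : 'failed';
  return 'unknown';
}

// Only a positive signal lets the RP mark the credential as SPC-capable.
function usableForCrossOriginSPC(extResults) {
  const s = thirdPartyPaymentStatus(extResults);
  return s === 'authenticator' || s === 'browser';
}

// Constructed getClientExtensionResults() values for the scenarios above.
const todayResults = { credProps: { rk: true } };          // no `payment` key
const proposedBool = { payment: { supported: true } };
const proposedEnum = { payment: { status: 'kBrowserStoredIt' } };
```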