Should the WebAuth API have a cancel() method?

[kpaulh]

Hey gang,

The spec details an authenticatorCancel method, but the client doesn't necessarily know when to invoke it. We have seen a couple scenarios where not having a way to cancel an existing authenticator operation from Javascript might present an undesirable user experience.

For example, having multiple tabs that are attempting operations and losing focus on one. The user opens two registration tabs. The device will blink until it receives two taps.

Since promises aren't themselves cancelable, it seems that a cancel() method is the best option - assuming these use cases are concerning enough to warrant one. (We're not entirely convinced that they are). We also briefly considered having smaller timeouts, say, 10 seconds, but this presents problems for bluetooth authenticators.

Thoughts?

[jyasskin]

I believe @jakearchibald is working on promise cancellation in the context of fetch() and may be able to say how WebAuth can match that.

[jakearchibald]

We plan to represent cancellation by rejecting with an AbortError. Here's the latest proposal whatwg/fetch#447 (comment).

[vijaybh]

It seems that this puts good UI at the mercy of every web developer. This seems wrong.

The UA could for example cancel operations when a tab is occluded. But it seems like that would not require a Javascript method for the webpage to do so?

[equalsJeffH]

see also #316 "Define what happens when the Document loses focus"

[kpaulh]

I see. Right, the browser could certainly handle losing focus.
However, as another example, we also have scenarios involving in-page Javascript that can change UI without navigation or losing focus that I believe is currently being used for some security-key related flows.

[kpaulh]

@mikewest boiled down the fetch proposal for canceling promises into a pretty simple mechanism with PR whatwg/dom#434 [the relevant whatwg/dom PR is now this one: whatwg/dom#437 -JeffH]. Rather than adding an explicit cancel() method, we would makeCredential and getAssertion accept a CancellationSignal.

I believe this is a pretty good fit for our use-case - if we decided this was something we needed to do.

[jyasskin]

The PR moved to whatwg/dom#437.

[equalsJeffH]

@jyasskin notes on call today that the web platform folks are working on a general cancellation mech and it will likely be another option -- @AngeloKai sez he'll talk with their fetch folks to see what the status is on what's mentioned in #380 (comment)

Also, the relevant whatwg/dom PR is now this one: whatwg/dom#437

[mikewest]

Looks like this has solidified into https://dom.spec.whatwg.org/#aborting-ongoing-activities.

[jakearchibald]

It sure has! Is it suitable for what you need?

[AngeloKai]

@mikewest The PR looks enough for this need. Looking through the PR, it looks like we still need to add a few sentences in our algorithm section about how we accept the AbortSignal.

[AngeloKai]

Because the issue has to do with changing the algorithm and this issue would impact cornercase user experience, I am moving the issue back to WD07.

[jcjones]

Closed by #544