Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add new getClientCapabilities method #1923

Merged
merged 30 commits into from
Jan 10, 2024
Merged
Changes from all commits
Commits
Show all changes
30 commits
Select commit Hold shift + click to select a range
4cc0670
add getClientCapabilites method and enum
timcappalli Jul 18, 2023
9214c75
add "the"
timcappalli Jul 26, 2023
5e47920
change enum to ClientCapability for consistency
timcappalli Jul 26, 2023
1600f58
add note about enum not being referenced
timcappalli Jul 26, 2023
450959b
updated interface to sequence of DOMStrings
timcappalli Jul 26, 2023
968040a
remove client-pin-entry per 2023-07-26 call
timcappalli Jul 26, 2023
6931dad
change to dict and add new values
timcappalli Aug 1, 2023
7307162
remove isPasskeyPlatformAuthenticatorAvailable
timcappalli Aug 1, 2023
baa930a
s/ClientCapability/ClientCapabilities
timcappalli Aug 2, 2023
9606e71
Merge branch 'tc-clientfeatmethod' into tc-remove-isPPAA
MasterKale Aug 9, 2023
82ec494
Merge pull request #1936 from w3c/tc-remove-isPPAA
timcappalli Aug 9, 2023
633a2da
first stab at new approach for getClientCapabilities
timcappalli Sep 6, 2023
244b54e
missing quote
timcappalli Sep 6, 2023
1fe9179
add SecureContext to result
timcappalli Sep 6, 2023
5c39e19
spelling
timcappalli Sep 7, 2023
699e9d1
add conditional-create
timcappalli Sep 7, 2023
53e8d8c
Incorporate Emil's changes
timcappalli Sep 29, 2023
b27eb4d
address AGL global namespace feedback
timcappalli Oct 27, 2023
ecc19d4
first pass at privacy considerations
timcappalli Dec 11, 2023
594e338
John's feedback
timcappalli Dec 11, 2023
75b9061
Merge branch 'main' into tc-clientfeatmethod
MasterKale Jan 3, 2024
a3fd6fd
Replace "maplike" with "record"
MasterKale Jan 3, 2024
a856b6d
Switch to camelCase for capability names
MasterKale Jan 3, 2024
4969d28
Prune readonly from record
MasterKale Jan 3, 2024
b0fdc69
Switch to a typedef
MasterKale Jan 3, 2024
903620e
Remove key sorting requirement
MasterKale Jan 5, 2024
ee7990c
Add link to Disclocing Client Capabilities section
MasterKale Jan 8, 2024
f6d2eb5
Restore mandate to sort capabilities
MasterKale Jan 9, 2024
803fa75
Lexicographically sort ClientCapability
MasterKale Jan 9, 2024
ef54380
Allow clients to omit capabilities
MasterKale Jan 9, 2024
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
64 changes: 54 additions & 10 deletions index.bs
Original file line number Diff line number Diff line change
Expand Up @@ -2793,25 +2793,32 @@ Note: Invoking this method from a [=browsing context=] where the [=Web Authentic

</div>

### Availability of a [=passkey platform authenticator=] - PublicKeyCredential's `isPasskeyPlatformAuthenticatorAvailable()` Method ### {#sctn-isPasskeyPlatformAuthenticatorAvailable}
### Availability of [=client=] capabilities - PublicKeyCredential's `getClientCapabilities()` Method ### {#sctn-getClientCapabilities}

<div link-for-hint="WebAuthentication/isPasskeyPlatformAuthenticatorAvailable">
<div link-for-hint="WebAuthentication/getClientCapabilities">

[=[WRPS]=] use this method to determine whether they can create a new [=passkey=] using a [=user-verifying platform authenticator=] or a {{AuthenticatorTransport/hybrid}} authenticator.
Upon invocation, the [=client=] employs a [=client platform=]-specific procedure to discover available [=user-verifying platform authenticators=] and the
availability of {{AuthenticatorTransport/hybrid}} transport.
If one or both are discovered, the promise is resolved with the value of [TRUE].
If neither is discovered, the promise is resolved with the value of [FALSE].
Based on the result, the [=[RP]=] can take further actions to guide the user to create a [=passkey=].
[=[WRPS]=] use this method to determine the availability of a limited set of [=WebAuthn Client|client=] capabilities to offer certain workflows and experiences to users. For example, an RP may offer a sign in button on clients where only {{AuthenticatorTransport/hybrid}} transport is available or where {{CredentialMediationRequirement/conditional}} mediation is unavailable (instead of showing a username field).

This method has no arguments and returns a Boolean value.
Upon invocation, the [=client=] employs a [=client platform=]-specific procedure to discover availablity of these capabilities.

This method has no arguments and returns a record of capability keys to Boolean values.

<xmp class="idl">
partial interface PublicKeyCredential {
static Promise<boolean> isPasskeyPlatformAuthenticatorAvailable();
static Promise<PublicKeyCredentialClientCapabilities> getClientCapabilities();
};

typedef record<DOMString, boolean> PublicKeyCredentialClientCapabilities;
</xmp>

[=map/Keys=] in {{PublicKeyCredentialClientCapabilities}} MUST be sorted in ascending lexicographical order.
MasterKale marked this conversation as resolved.
Show resolved Hide resolved
The set of [=map/keys=] SHOULD equal the set of [=enumeration values=] of {{ClientCapability}},
but the client MAY omit keys as it deems necessary; see [[#sctn-disclosing-client-capabilities]].

When the value for a given capability is [TRUE], the feature is known to be currently supported by the client.
When the value for a given capability is [FALSE], the feature is known to be not currently supported by the client.
When a capability does not [=map/exist=] as a key, the availability of the client feature is not known.
MasterKale marked this conversation as resolved.
Show resolved Hide resolved

Note: Invoking this method from a [=browsing context=] where the [=Web Authentication API=] is "disabled" according to the [=allowed to use=] algorithm&mdash;i.e., by a [=permissions policy=]&mdash;will result in the promise being rejected with a {{DOMException}} whose name is "{{NotAllowedError}}". See also [[#sctn-permissions-policy]].

</div>
Expand Down Expand Up @@ -4006,6 +4013,38 @@ Note: The {{UserVerificationRequirement}} enumeration is deliberately not refere
interest of minimizing disruption to the user interaction flow).
</div>

### Client Capability Enumeration (enum <dfn enum>ClientCapability</dfn>) ### {#enum-clientCapability}

<xmp class="idl">
enum ClientCapability {
"conditionalCreate",
"conditionalMediation",
"hybridTransport",
"passkeyPlatformAuthenticator",
"userVerifyingPlatformAuthenticator",
};
</xmp>

This enumeration defines a limited set of client capabilities which a [=[WRP]=] may evaluate to offer certain workflows and experiences to users.

timcappalli marked this conversation as resolved.
Show resolved Hide resolved
Note: The {{ClientCapability}} enumeration is deliberately not referenced, see [[#sct-domstring-backwards-compatibility]].

<div dfn-type="enum-value" dfn-for="ClientCapability">
: <dfn>conditionalCreate</dfn>
:: The [=WebAuthn Client=] is capable of a {{CredentialMediationRequirement/conditional}} credential creation operation.

: <dfn>conditionalMediation</dfn>
:: The [=WebAuthn Client=] is capable of {{CredentialMediationRequirement/conditional}} mediation.

: <dfn>hybridTransport</dfn>
:: The [=WebAuthn Client=] supports usage of the {{AuthenticatorTransport/hybrid}} transport.

: <dfn>passkeyPlatformAuthenticator</dfn>
:: The [=WebAuthn Client=] supports usage of a [=passkey platform authenticator=], locally and/or via {{AuthenticatorTransport/hybrid}} transport.

: <dfn>userVerifyingPlatformAuthenticator</dfn>
:: The [=WebAuthn Client=] supports usage of a [=user-verifying platform authenticator=].
</div>

### User-agent Hints Enumeration (enum <dfn enum>PublicKeyCredentialHints</dfn>) ### {#enum-hints}

Expand Down Expand Up @@ -8905,6 +8944,11 @@ If a [=platform authenticator=] is included in a [=client device=] with a multi-
authenticator=] and [=client device=] SHOULD work together to ensure that the existence of any [=platform credential=] is revealed
only to the operating system user that created that [=platform credential=].

### Disclosing Client Capabilities ### {#sctn-disclosing-client-capabilities}

The {{getClientCapabilities}} method assists [=[WRPS]=] in crafting registration and authentication experiences which have a high chance of success with the client and/or user.

The client's support or lack of support of a WebAuthn capability may pose a fingerprinting risk. Client implementations MAY wish to limit capability disclosures based on client policy and/or user consent.

## Privacy considerations for [=[RPS]=] ## {#sctn-privacy-considerations-rp}

Expand Down