Not sure where you want to see this project going to but:
-
While passkeys are completely fine with an empty allowCredentials list, this list still can provide hints to the web browser (like what identity is preset and shown to the user)
-
for authentication using older hardware keys (like FIDO2 and even U2F) the credential list is mandatory since these hardware keys are not saving the credential_id
That way if the email/user field of a login form is empty the allowCredentials will be an empty list and passkeys will be working as usual
If the email/user field has been filled out by the user the credentials will be get from the database and sent with the authentication request
Additional info
Right now I have a working draft.
The problem is:
While WAX_ is expecting the allowedCredentials in a certain format (id and cosekey) - the authentication_hook.js needs the data being serialized sent over the websocket.
Perhaps just the credential_ids are good enough since the format used there is:
allowCredentials = [
{
id: base64ToArray(allowCredentials.id1),
type: "public-key"
},
{
id: base64ToArray(allowCredentials.id2),
type: "public-key"
}
[...]
]
ignoring the cosekey which might not even been sent to the hook at all.
In general
There is more information which might be useful later, like I.E. the getTransports() method (ble, internal, hybrid, nfc, usb)
Not sure where you want to see this project going to but:
While passkeys are completely fine with an empty allowCredentials list, this list still can provide hints to the web browser (like what identity is preset and shown to the user)
for authentication using older hardware keys (like FIDO2 and even U2F) the credential list is mandatory since these hardware keys are not saving the credential_id
That way if the email/user field of a login form is empty the allowCredentials will be an empty list and passkeys will be working as usual
If the email/user field has been filled out by the user the credentials will be get from the database and sent with the authentication request
Additional info
Right now I have a working draft.
The problem is:
While WAX_ is expecting the allowedCredentials in a certain format (id and cosekey) - the authentication_hook.js needs the data being serialized sent over the websocket.
Perhaps just the credential_ids are good enough since the format used there is:
ignoring the cosekey which might not even been sent to the hook at all.
In general
There is more information which might be useful later, like I.E. the getTransports() method (
ble, internal, hybrid, nfc, usb)