Skip to content

[REQUEST] - Support allowCredentials (and excludeCredentials?) #88

Description

@Terbium-135

Not sure where you want to see this project going to but:

  • While passkeys are completely fine with an empty allowCredentials list, this list still can provide hints to the web browser (like what identity is preset and shown to the user)

  • for authentication using older hardware keys (like FIDO2 and even U2F) the credential list is mandatory since these hardware keys are not saving the credential_id

That way if the email/user field of a login form is empty the allowCredentials will be an empty list and passkeys will be working as usual

If the email/user field has been filled out by the user the credentials will be get from the database and sent with the authentication request

Additional info

Right now I have a working draft.
The problem is:
While WAX_ is expecting the allowedCredentials in a certain format (id and cosekey) - the authentication_hook.js needs the data being serialized sent over the websocket.

Perhaps just the credential_ids are good enough since the format used there is:

allowCredentials = [
  {
    id: base64ToArray(allowCredentials.id1),
    type: "public-key"
  },
  {
    id: base64ToArray(allowCredentials.id2),
    type: "public-key"
  }
[...]
]

ignoring the cosekey which might not even been sent to the hook at all.

In general

There is more information which might be useful later, like I.E. the getTransports() method (ble, internal, hybrid, nfc, usb)

Metadata

Metadata

Assignees

Labels

enhancementNew feature or requesttriageNeeds to be prioritized

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions