You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This package validates and ignores / errors out on transports values that are not members of the AuthenticatorTransport struct. For example, during registration in the parse_registration_credential_json function, unknown transport values are ignored.
In other functions there are explicit checks that fail when confronted with unknown transport values. Like in parse_registration_options_json
The WebAuthn L2 spec (and also the L3 editors draft) mention that Relying Parties SHOULD store the transports from getTransports1 and warns that modifying or removing items could negatively impact the user experience. 2
It is clear to me that py_webauthn very deliberately ignores this advice and only accepts known values, which has resulted at least two PRs to add support for new transports: #137 and #129
My question: what motivates this deliberate design choice? Why not follow the advice in the spec and allow unknown transports? That would seem more future proof to me.
This package validates and ignores / errors out on
transportsvalues that are not members of the AuthenticatorTransport struct. For example, during registration in theparse_registration_credential_jsonfunction, unknown transport values are ignored.In other functions there are explicit checks that fail when confronted with unknown transport values. Like in
parse_registration_options_jsonThe WebAuthn L2 spec (and also the L3 editors draft) mention that Relying Parties SHOULD store the transports from
getTransports1 and warns that modifying or removing items could negatively impact the user experience. 2It is clear to me that py_webauthn very deliberately ignores this advice and only accepts known values, which has resulted at least two PRs to add support for new transports: #137 and #129
My question: what motivates this deliberate design choice? Why not follow the advice in the spec and allow unknown transports? That would seem more future proof to me.
Footnotes
https://www.w3.org/TR/webauthn-3/#dom-publickeycredentialdescriptor-transports ↩
https://www.w3.org/TR/webauthn-3/#abstract-opdef-credential-record-transports ↩
The text was updated successfully, but these errors were encountered: