From 7d5d14119928f6c932486cabf8898caa9b19ac92 Mon Sep 17 00:00:00 2001 From: Matthew Miller Date: Thu, 11 Jul 2024 15:52:18 -0700 Subject: [PATCH 01/14] Add UserCancelledError --- index.bs | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/index.bs b/index.bs index 5b6bb97a4..96b2cc935 100644 --- a/index.bs +++ b/index.bs @@ -1950,7 +1950,7 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o : If the user exercises a user agent user-interface option to cancel the process, :: [=set/For each=] |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] operation on |authenticator| - and [=set/remove=] |authenticator| from |issuedRequests|. Throw a "{{NotAllowedError}}" {{DOMException}}. + and [=set/remove=] |authenticator| from |issuedRequests|. Throw a "[=create/UserCancelledError=]" {{DOMException}}. : If |options|.{{CredentialCreationOptions/signal}} is present and [=AbortSignal/aborted=], :: [=set/For each=] |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] @@ -2261,6 +2261,10 @@ authorizing an authenticator. When |options|.{{CredentialCreationOptions/m : {{UnknownError}} :: The [=authenticator=] could not process the supplied options, or encountered an error while creating the new credential. + + : UserCancelledError + :: The user has exercised a user agent user-interface option + to end the ceremony. : {{NotAllowedError}} :: A catch-all error covering a wide range of possible reasons, @@ -2464,7 +2468,7 @@ When this method is invoked, the user agent MUST execute the following algorithm : If the user exercises a user agent user-interface option to cancel the process, :: [=set/For each=] |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] operation on |authenticator| - and [=set/remove=] |authenticator| from |issuedRequests|. Throw a "{{NotAllowedError}}" {{DOMException}}. + and [=set/remove=] |authenticator| from |issuedRequests|. Throw a "[=get/UserCancelledError=]" {{DOMException}}. : If |options|.{{CredentialRequestOptions/signal}} is present and [=AbortSignal/aborted=], :: [=set/For each=] |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] operation on |authenticator| @@ -2793,6 +2797,10 @@ The steps for [=issuing a credential request to an authenticator=] are as follow : {{UnknownError}} :: The [=authenticator=] could not process the supplied options, or encountered an error while generating an [=assertion signature=]. + + : UserCancelledError + :: The user has exercised a user agent user-interface option + to end the ceremony. : {{NotAllowedError}} :: A catch-all error covering a wide range of possible reasons, From d055e4c604f7ab1811e79e7fcf8a15a34720ef12 Mon Sep 17 00:00:00 2001 From: Matthew Miller Date: Thu, 11 Jul 2024 16:22:19 -0700 Subject: [PATCH 02/14] Add HybridPrerequisitesError --- index.bs | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/index.bs b/index.bs index 96b2cc935..af6b7807f 100644 --- a/index.bs +++ b/index.bs @@ -1950,7 +1950,13 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o : If the user exercises a user agent user-interface option to cancel the process, :: [=set/For each=] |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] operation on |authenticator| - and [=set/remove=] |authenticator| from |issuedRequests|. Throw a "[=create/UserCancelledError=]" {{DOMException}}. + and [=set/remove=] |authenticator| from |issuedRequests|. + + If the user agent is informing the user of an inability to continue the ceremony + due to missing {{AuthenticatorTransport/hybrid}} prerequisites, + throw a "[=create/HybridPrerequisitesError=]" {{DOMException}}. + + Otherwise, throw a "[=create/UserCancelledError=]" {{DOMException}}. : If |options|.{{CredentialCreationOptions/signal}} is present and [=AbortSignal/aborted=], :: [=set/For each=] |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] @@ -2245,6 +2251,10 @@ authorizing an authenticator. When |options|.{{CredentialCreationOptions/m : {{InvalidStateError}} :: The authenticator used in the ceremony recognized an entry in {{PublicKeyCredentialCreationOptions/excludeCredentials}} after the user [=user consent|consented=] to registering a credential. + + : HybridPrerequisitesError + :: The ceremony was cancelled due to missing prerequisites for use of + the {{AuthenticatorTransport/hybrid}} transport. : {{NotSupportedError}} :: No entry in {{PublicKeyCredentialCreationOptions/pubKeyCredParams}} had a {{PublicKeyCredentialDescriptor/type}} property of {{PublicKeyCredentialType/public-key}}, @@ -2468,7 +2478,13 @@ When this method is invoked, the user agent MUST execute the following algorithm : If the user exercises a user agent user-interface option to cancel the process, :: [=set/For each=] |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] operation on |authenticator| - and [=set/remove=] |authenticator| from |issuedRequests|. Throw a "[=get/UserCancelledError=]" {{DOMException}}. + and [=set/remove=] |authenticator| from |issuedRequests|. + + If the user agent is informing the user of an inability to continue the ceremony + due to missing {{AuthenticatorTransport/hybrid}} prerequisites, + throw a "[=get/HybridPrerequisitesError=]" {{DOMException}}. + + Otherwise, throw a "[=get/UserCancelledError=]" {{DOMException}}. : If |options|.{{CredentialRequestOptions/signal}} is present and [=AbortSignal/aborted=], :: [=set/For each=] |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] operation on |authenticator| @@ -2787,6 +2803,10 @@ The steps for [=issuing a credential request to an authenticator=] are as follow :: The ceremony was cancelled by an {{AbortController}}. See [[#sctn-abortoperation]] and [[#sctn-sample-aborting]]. + : HybridPrerequisitesError + :: The ceremony was cancelled due to missing prerequisites for use of + the {{AuthenticatorTransport/hybrid}} transport. + : {{SecurityError}} :: The [=effective domain=] was not a [=valid domain=], or {{PublicKeyCredentialCreationOptions/rp}}.{{PublicKeyCredentialRpEntity/id}} was not equal to or a registrable domain suffix of the [=effective domain=]. From aee523292a9fbc621f3867604f77a636026957a0 Mon Sep 17 00:00:00 2001 From: Matthew Miller Date: Thu, 11 Jul 2024 16:22:26 -0700 Subject: [PATCH 03/14] Add TimeoutError --- index.bs | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/index.bs b/index.bs index af6b7807f..ae83dd70b 100644 --- a/index.bs +++ b/index.bs @@ -1946,7 +1946,7 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
: If |lifetimeTimer| expires, :: [=set/For each=] |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] operation on |authenticator| - and [=set/remove=] |authenticator| from |issuedRequests|. + and [=set/remove=] |authenticator| from |issuedRequests|. Throw a "[=create/TimeoutError=]" {{DOMException}}. : If the user exercises a user agent user-interface option to cancel the process, :: [=set/For each=] |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] operation on |authenticator| @@ -2264,6 +2264,10 @@ authorizing an authenticator. When |options|.{{CredentialCreationOptions/m :: The [=effective domain=] was not a [=valid domain=], or {{PublicKeyCredentialCreationOptions/rp}}.{{PublicKeyCredentialRpEntity/id}} was not equal to or a registrable domain suffix of the [=effective domain=]. + : TimeoutError + :: The ceremony was cancelled by the user agent after exceeding the time limit permitted for the ceremony. + See [[#sctn-timeout-recommended-range]] for more information. + : {{TypeError}} :: The |options| argument was not a valid [[#sctn-credentialcreationoptions-extension|CredentialCreationOptions]] value, or the value of {{PublicKeyCredentialCreationOptions/user}}.{{PublicKeyCredentialUserEntity/id}} was empty or was longer than 64 bytes. @@ -2474,7 +2478,7 @@ When this method is invoked, the user agent MUST execute the following algorithm : If |lifetimeTimer| expires, :: [=set/For each=] |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] operation on - |authenticator| and [=set/remove=] |authenticator| from |issuedRequests|. + |authenticator| and [=set/remove=] |authenticator| from |issuedRequests|. Throw a "[=get/TimeoutError=]" {{DOMException}}. : If the user exercises a user agent user-interface option to cancel the process, :: [=set/For each=] |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] operation on |authenticator| @@ -2811,6 +2815,10 @@ The steps for [=issuing a credential request to an authenticator=] are as follow :: The [=effective domain=] was not a [=valid domain=], or {{PublicKeyCredentialCreationOptions/rp}}.{{PublicKeyCredentialRpEntity/id}} was not equal to or a registrable domain suffix of the [=effective domain=]. + : TimeoutError + :: The ceremony was cancelled by the user agent after exceeding the time limit permitted for the ceremony. + See [[#sctn-timeout-recommended-range]] for more information. + : {{TypeError}} :: The |options| argument was not a valid [[#sctn-credentialrequestoptions-extension|CredentialRequestOptions]] value. From 7c45c45981fe05faab746fb31d9d214a25f0135b Mon Sep 17 00:00:00 2001 From: Matthew Miller Date: Fri, 12 Jul 2024 15:29:28 -0700 Subject: [PATCH 04/14] Add UserHybridCancelledError --- index.bs | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/index.bs b/index.bs index ae83dd70b..470da5048 100644 --- a/index.bs +++ b/index.bs @@ -1955,6 +1955,10 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o If the user agent is informing the user of an inability to continue the ceremony due to missing {{AuthenticatorTransport/hybrid}} prerequisites, throw a "[=create/HybridPrerequisitesError=]" {{DOMException}}. + + If the user agent is prompting the user to complete the ceremony using an authenticator + available over the {{AuthenticatorTransport/hybrid}} transport, + throw a "[=create/UserHybridCancelledError=]" {{DOMException}}. Otherwise, throw a "[=create/UserCancelledError=]" {{DOMException}}. @@ -2280,6 +2284,11 @@ authorizing an authenticator. When |options|.{{CredentialCreationOptions/m :: The user has exercised a user agent user-interface option to end the ceremony. + : UserHybridCancelledError + :: The user has exercised a user agent user-interface option + to end the ceremony while being prompted to complete a ceremony + via the {{AuthenticatorTransport/hybrid}} transport. + : {{NotAllowedError}} :: A catch-all error covering a wide range of possible reasons, including common ones like the user canceling out of the ceremony. @@ -2487,6 +2496,10 @@ When this method is invoked, the user agent MUST execute the following algorithm If the user agent is informing the user of an inability to continue the ceremony due to missing {{AuthenticatorTransport/hybrid}} prerequisites, throw a "[=get/HybridPrerequisitesError=]" {{DOMException}}. + + If the user agent is prompting the user to complete the ceremony using an authenticator + available over the {{AuthenticatorTransport/hybrid}} transport, + throw a "[=get/UserHybridCancelledError=]" {{DOMException}}. Otherwise, throw a "[=get/UserCancelledError=]" {{DOMException}}. @@ -2829,6 +2842,11 @@ The steps for [=issuing a credential request to an authenticator=] are as follow : UserCancelledError :: The user has exercised a user agent user-interface option to end the ceremony. + + : UserHybridCancelledError + :: The user has exercised a user agent user-interface option + to end the ceremony while being prompted to complete a ceremony + via the {{AuthenticatorTransport/hybrid}} transport. : {{NotAllowedError}} :: A catch-all error covering a wide range of possible reasons, From 35d7b3a779a227a7870f0b83b586cb711f147027 Mon Sep 17 00:00:00 2001 From: Matthew Miller Date: Fri, 12 Jul 2024 15:53:25 -0700 Subject: [PATCH 05/14] Replace "cancelled" with "cancellation" --- index.bs | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/index.bs b/index.bs index 470da5048..6f245b37b 100644 --- a/index.bs +++ b/index.bs @@ -1957,10 +1957,10 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o throw a "[=create/HybridPrerequisitesError=]" {{DOMException}}. If the user agent is prompting the user to complete the ceremony using an authenticator - available over the {{AuthenticatorTransport/hybrid}} transport, - throw a "[=create/UserHybridCancelledError=]" {{DOMException}}. + that may be available over the {{AuthenticatorTransport/hybrid}} transport, + throw a "[=create/UserHybridCancellationError=]" {{DOMException}}. - Otherwise, throw a "[=create/UserCancelledError=]" {{DOMException}}. + Otherwise, throw a "[=create/UserCancellationError=]" {{DOMException}}. : If |options|.{{CredentialCreationOptions/signal}} is present and [=AbortSignal/aborted=], :: [=set/For each=] |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] @@ -2280,11 +2280,11 @@ authorizing an authenticator. When |options|.{{CredentialCreationOptions/m :: The [=authenticator=] could not process the supplied options, or encountered an error while creating the new credential. - : UserCancelledError + : UserCancellationError :: The user has exercised a user agent user-interface option to end the ceremony. - : UserHybridCancelledError + : UserHybridCancellationError :: The user has exercised a user agent user-interface option to end the ceremony while being prompted to complete a ceremony via the {{AuthenticatorTransport/hybrid}} transport. @@ -2498,10 +2498,10 @@ When this method is invoked, the user agent MUST execute the following algorithm throw a "[=get/HybridPrerequisitesError=]" {{DOMException}}. If the user agent is prompting the user to complete the ceremony using an authenticator - available over the {{AuthenticatorTransport/hybrid}} transport, - throw a "[=get/UserHybridCancelledError=]" {{DOMException}}. - - Otherwise, throw a "[=get/UserCancelledError=]" {{DOMException}}. + that may be available over the {{AuthenticatorTransport/hybrid}} transport, + throw a "[=get/UserHybridCancellationError=]" {{DOMException}}. + + Otherwise, throw a "[=get/UserCancellationError=]" {{DOMException}}. : If |options|.{{CredentialRequestOptions/signal}} is present and [=AbortSignal/aborted=], :: [=set/For each=] |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] operation on |authenticator| @@ -2839,11 +2839,11 @@ The steps for [=issuing a credential request to an authenticator=] are as follow :: The [=authenticator=] could not process the supplied options, or encountered an error while generating an [=assertion signature=]. - : UserCancelledError + : UserCancellationError :: The user has exercised a user agent user-interface option to end the ceremony. - : UserHybridCancelledError + : UserHybridCancellationError :: The user has exercised a user agent user-interface option to end the ceremony while being prompted to complete a ceremony via the {{AuthenticatorTransport/hybrid}} transport. From 4dcbd9bfe9542fa74bc80a0e588a596354f6fa04 Mon Sep 17 00:00:00 2001 From: Matthew Miller Date: Fri, 12 Jul 2024 15:53:30 -0700 Subject: [PATCH 06/14] Add UserVerificationError --- index.bs | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/index.bs b/index.bs index 6f245b37b..f97a9cc15 100644 --- a/index.bs +++ b/index.bs @@ -1960,6 +1960,12 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o that may be available over the {{AuthenticatorTransport/hybrid}} transport, throw a "[=create/UserHybridCancellationError=]" {{DOMException}}. + If the user agent is informing the user that + the last used |authenticator| cannot collect [=user verification=] when + |pkOptions|.{{PublicKeyCredentialCreationOptions/authenticatorSelection}}.{{AuthenticatorSelectionCriteria/userVerification}} + is set to {{UserVerificationRequirement/required}}, + throw a "[=create/UserVerificationError=]" {{DOMException}}. + Otherwise, throw a "[=create/UserCancellationError=]" {{DOMException}}. : If |options|.{{CredentialCreationOptions/signal}} is present and [=AbortSignal/aborted=], @@ -2288,6 +2294,9 @@ authorizing an authenticator. When |options|.{{CredentialCreationOptions/m :: The user has exercised a user agent user-interface option to end the ceremony while being prompted to complete a ceremony via the {{AuthenticatorTransport/hybrid}} transport. + + : UserVerificationError + :: The user was unable to complete [=user verification=] as required by the [=[RP]=]. : {{NotAllowedError}} :: A catch-all error covering a wide range of possible reasons, @@ -2501,6 +2510,12 @@ When this method is invoked, the user agent MUST execute the following algorithm that may be available over the {{AuthenticatorTransport/hybrid}} transport, throw a "[=get/UserHybridCancellationError=]" {{DOMException}}. + If the user agent is informing the user that + the last used |authenticator| cannot collect [=user verification=] when + |pkOptions|.{{PublicKeyCredentialCreationOptions/authenticatorSelection}}.{{AuthenticatorSelectionCriteria/userVerification}} + is set to {{UserVerificationRequirement/required}}, + throw a "[=get/UserVerificationError=]" {{DOMException}}. + Otherwise, throw a "[=get/UserCancellationError=]" {{DOMException}}. : If |options|.{{CredentialRequestOptions/signal}} is present and [=AbortSignal/aborted=], @@ -2848,6 +2863,9 @@ The steps for [=issuing a credential request to an authenticator=] are as follow to end the ceremony while being prompted to complete a ceremony via the {{AuthenticatorTransport/hybrid}} transport. + : UserVerificationError + :: The user was unable to complete [=user verification=] as required by the [=[RP]=]. + : {{NotAllowedError}} :: A catch-all error covering a wide range of possible reasons, including common ones like the user canceling out of the ceremony. From 0906982ffc4320eebf21cb75caee87815a5bc434 Mon Sep 17 00:00:00 2001 From: Matthew Miller Date: Fri, 12 Jul 2024 16:05:52 -0700 Subject: [PATCH 07/14] Remove user cancellation from NotAllowedError --- index.bs | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/index.bs b/index.bs index f97a9cc15..656a56774 100644 --- a/index.bs +++ b/index.bs @@ -2299,8 +2299,7 @@ authorizing an authenticator. When |options|.{{CredentialCreationOptions/m :: The user was unable to complete [=user verification=] as required by the [=[RP]=]. : {{NotAllowedError}} - :: A catch-all error covering a wide range of possible reasons, - including common ones like the user canceling out of the ceremony. + :: A catch-all error covering a wide range of possible reasons. Some of these causes are documented throughout this spec, while others are client-specific or caused by issues that may occur during processing of [=WebAuthn Extensions=] defined outside of this specification. @@ -2867,8 +2866,7 @@ The steps for [=issuing a credential request to an authenticator=] are as follow :: The user was unable to complete [=user verification=] as required by the [=[RP]=]. : {{NotAllowedError}} - :: A catch-all error covering a wide range of possible reasons, - including common ones like the user canceling out of the ceremony. + :: A catch-all error covering a wide range of possible reasons. Some of these causes are documented throughout this spec, while others are client-specific or caused by issues that may occur during processing of [=WebAuthn Extensions=] defined outside of this specification. From 6bd97570a45023cc8c4c2e841a5514eba382cfb9 Mon Sep 17 00:00:00 2001 From: Matthew Miller Date: Tue, 16 Jul 2024 12:25:27 -0700 Subject: [PATCH 08/14] Move where TimeoutError is raised --- index.bs | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/index.bs b/index.bs index 656a56774..40c56200d 100644 --- a/index.bs +++ b/index.bs @@ -1946,7 +1946,7 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
: If |lifetimeTimer| expires, :: [=set/For each=] |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] operation on |authenticator| - and [=set/remove=] |authenticator| from |issuedRequests|. Throw a "[=create/TimeoutError=]" {{DOMException}}. + and [=set/remove=] |authenticator| from |issuedRequests|. : If the user exercises a user agent user-interface option to cancel the process, :: [=set/For each=] |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] operation on |authenticator| @@ -2235,7 +2235,7 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
-1. Throw a "{{NotAllowedError}}" {{DOMException}}. In order to prevent information leak that could identify the +1. Throw a "[=create/TimeoutError=]" {{DOMException}}. In order to prevent information leak that could identify the user without [=user consent|consent=], this step MUST NOT be executed before |lifetimeTimer| has expired. See [[#sctn-make-credential-privacy]] for details. @@ -2495,7 +2495,7 @@ When this method is invoked, the user agent MUST execute the following algorithm : If |lifetimeTimer| expires, :: [=set/For each=] |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] operation on - |authenticator| and [=set/remove=] |authenticator| from |issuedRequests|. Throw a "[=get/TimeoutError=]" {{DOMException}}. + |authenticator| and [=set/remove=] |authenticator| from |issuedRequests|. : If the user exercises a user agent user-interface option to cancel the process, :: [=set/For each=] |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] operation on |authenticator| @@ -2694,7 +2694,7 @@ When this method is invoked, the user agent MUST execute the following algorithm 1. Return |constructAssertionAlg| and terminate this algorithm.
-1. Throw a "{{NotAllowedError}}" {{DOMException}}. In order to prevent information leak that could identify the +1. Throw a "[=get/TimeoutError=]" {{DOMException}}. In order to prevent information leak that could identify the user without [=user consent|consent=], this step MUST NOT be executed before |lifetimeTimer| has expired. See [[#sctn-assertion-privacy]] for details. From c4140c735ef7ddc81aebfdfcebaec9d24dcc6be9 Mon Sep 17 00:00:00 2001 From: Matthew Miller Date: Thu, 18 Jul 2024 08:46:37 -0700 Subject: [PATCH 09/14] Define new error interfaces --- index.bs | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/index.bs b/index.bs index 40c56200d..76ce09c1b 100644 --- a/index.bs +++ b/index.bs @@ -3724,6 +3724,38 @@ SHOULD be aborted. See [WHATWG HTML WG Issue #2711](https://github.com/whatwg/html/issues/2711) for more details. +## WebAuthn Interfaces ## {#sctn-interfaces} + +The subection below defines custom interfaces used throughout WebAuthn. + +### Custom WebAuthn Exceptions ### {#iface-custom-webauthn-exceptions} + +For descriptions of these exceptions, +please see [[#sctn-create-request-exceptions]] and [[#sctn-get-request-exceptions]]. + + +[Exposed=Window, Serializable] +interface HybridPrerequisitesError : DOMException { +}; + +[Exposed=Window, Serializable] +interface TimeoutError : DOMException { +}; + +[Exposed=Window, Serializable] +interface UserCancellationError : DOMException { +}; + +[Exposed=Window, Serializable] +interface UserHybridCancellationError : DOMException { +}; + +[Exposed=Window, Serializable] +interface UserVerificationError : DOMException { +}; + + + ## WebAuthn Extensions Inputs and Outputs ## {#sctn-extensions-inputs-outputs} The subsections below define the data types used for conveying [=WebAuthn extension=] inputs and outputs. From 4986178683c8f933559e5775b4855b6e75dc95f1 Mon Sep 17 00:00:00 2001 From: Matthew Miller Date: Thu, 18 Jul 2024 08:46:54 -0700 Subject: [PATCH 10/14] Update error references to use new interfaces --- index.bs | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/index.bs b/index.bs index 76ce09c1b..404323ccc 100644 --- a/index.bs +++ b/index.bs @@ -1954,19 +1954,19 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o If the user agent is informing the user of an inability to continue the ceremony due to missing {{AuthenticatorTransport/hybrid}} prerequisites, - throw a "[=create/HybridPrerequisitesError=]" {{DOMException}}. + throw a "{{HybridPrerequisitesError}}" {{DOMException}}. If the user agent is prompting the user to complete the ceremony using an authenticator that may be available over the {{AuthenticatorTransport/hybrid}} transport, - throw a "[=create/UserHybridCancellationError=]" {{DOMException}}. + throw a "{{UserHybridCancellationError}}" {{DOMException}}. If the user agent is informing the user that the last used |authenticator| cannot collect [=user verification=] when |pkOptions|.{{PublicKeyCredentialCreationOptions/authenticatorSelection}}.{{AuthenticatorSelectionCriteria/userVerification}} is set to {{UserVerificationRequirement/required}}, - throw a "[=create/UserVerificationError=]" {{DOMException}}. + throw a "{{UserVerificationError}}" {{DOMException}}. - Otherwise, throw a "[=create/UserCancellationError=]" {{DOMException}}. + Otherwise, throw a "{{UserCancellationError}}" {{DOMException}}. : If |options|.{{CredentialCreationOptions/signal}} is present and [=AbortSignal/aborted=], :: [=set/For each=] |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] @@ -2235,7 +2235,7 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o -1. Throw a "[=create/TimeoutError=]" {{DOMException}}. In order to prevent information leak that could identify the +1. Throw a "{{TimeoutError}}" {{DOMException}}. In order to prevent information leak that could identify the user without [=user consent|consent=], this step MUST NOT be executed before |lifetimeTimer| has expired. See [[#sctn-make-credential-privacy]] for details. @@ -2262,7 +2262,7 @@ authorizing an authenticator. When |options|.{{CredentialCreationOptions/m :: The authenticator used in the ceremony recognized an entry in {{PublicKeyCredentialCreationOptions/excludeCredentials}} after the user [=user consent|consented=] to registering a credential. - : HybridPrerequisitesError + : {{HybridPrerequisitesError}} :: The ceremony was cancelled due to missing prerequisites for use of the {{AuthenticatorTransport/hybrid}} transport. @@ -2274,7 +2274,7 @@ authorizing an authenticator. When |options|.{{CredentialCreationOptions/m :: The [=effective domain=] was not a [=valid domain=], or {{PublicKeyCredentialCreationOptions/rp}}.{{PublicKeyCredentialRpEntity/id}} was not equal to or a registrable domain suffix of the [=effective domain=]. - : TimeoutError + : {{TimeoutError}} :: The ceremony was cancelled by the user agent after exceeding the time limit permitted for the ceremony. See [[#sctn-timeout-recommended-range]] for more information. @@ -2286,16 +2286,16 @@ authorizing an authenticator. When |options|.{{CredentialCreationOptions/m :: The [=authenticator=] could not process the supplied options, or encountered an error while creating the new credential. - : UserCancellationError + : {{UserCancellationError}} :: The user has exercised a user agent user-interface option to end the ceremony. - : UserHybridCancellationError + : {{UserHybridCancellationError}} :: The user has exercised a user agent user-interface option to end the ceremony while being prompted to complete a ceremony via the {{AuthenticatorTransport/hybrid}} transport. - : UserVerificationError + : {{UserVerificationError}} :: The user was unable to complete [=user verification=] as required by the [=[RP]=]. : {{NotAllowedError}} @@ -2503,19 +2503,19 @@ When this method is invoked, the user agent MUST execute the following algorithm If the user agent is informing the user of an inability to continue the ceremony due to missing {{AuthenticatorTransport/hybrid}} prerequisites, - throw a "[=get/HybridPrerequisitesError=]" {{DOMException}}. + throw a "{{HybridPrerequisitesError}}" {{DOMException}}. If the user agent is prompting the user to complete the ceremony using an authenticator that may be available over the {{AuthenticatorTransport/hybrid}} transport, - throw a "[=get/UserHybridCancellationError=]" {{DOMException}}. + throw a "{{UserHybridCancellationError}}" {{DOMException}}. If the user agent is informing the user that the last used |authenticator| cannot collect [=user verification=] when |pkOptions|.{{PublicKeyCredentialCreationOptions/authenticatorSelection}}.{{AuthenticatorSelectionCriteria/userVerification}} is set to {{UserVerificationRequirement/required}}, - throw a "[=get/UserVerificationError=]" {{DOMException}}. + throw a "{{UserVerificationError}}" {{DOMException}}. - Otherwise, throw a "[=get/UserCancellationError=]" {{DOMException}}. + Otherwise, throw a "{{UserCancellationError}}" {{DOMException}}. : If |options|.{{CredentialRequestOptions/signal}} is present and [=AbortSignal/aborted=], :: [=set/For each=] |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] operation on |authenticator| @@ -2694,7 +2694,7 @@ When this method is invoked, the user agent MUST execute the following algorithm 1. Return |constructAssertionAlg| and terminate this algorithm. -1. Throw a "[=get/TimeoutError=]" {{DOMException}}. In order to prevent information leak that could identify the +1. Throw a "{{TimeoutError}}" {{DOMException}}. In order to prevent information leak that could identify the user without [=user consent|consent=], this step MUST NOT be executed before |lifetimeTimer| has expired. See [[#sctn-assertion-privacy]] for details. @@ -2834,7 +2834,7 @@ The steps for [=issuing a credential request to an authenticator=] are as follow :: The ceremony was cancelled by an {{AbortController}}. See [[#sctn-abortoperation]] and [[#sctn-sample-aborting]]. - : HybridPrerequisitesError + : {{HybridPrerequisitesError}} :: The ceremony was cancelled due to missing prerequisites for use of the {{AuthenticatorTransport/hybrid}} transport. @@ -2842,7 +2842,7 @@ The steps for [=issuing a credential request to an authenticator=] are as follow :: The [=effective domain=] was not a [=valid domain=], or {{PublicKeyCredentialCreationOptions/rp}}.{{PublicKeyCredentialRpEntity/id}} was not equal to or a registrable domain suffix of the [=effective domain=]. - : TimeoutError + : {{TimeoutError}} :: The ceremony was cancelled by the user agent after exceeding the time limit permitted for the ceremony. See [[#sctn-timeout-recommended-range]] for more information. @@ -2853,16 +2853,16 @@ The steps for [=issuing a credential request to an authenticator=] are as follow :: The [=authenticator=] could not process the supplied options, or encountered an error while generating an [=assertion signature=]. - : UserCancellationError + : {{UserCancellationError}} :: The user has exercised a user agent user-interface option to end the ceremony. - : UserHybridCancellationError + : {{UserHybridCancellationError}} :: The user has exercised a user agent user-interface option to end the ceremony while being prompted to complete a ceremony via the {{AuthenticatorTransport/hybrid}} transport. - : UserVerificationError + : {{UserVerificationError}} :: The user was unable to complete [=user verification=] as required by the [=[RP]=]. : {{NotAllowedError}} From 17ff8f135336db30aec54d3c81ab2f7048ab4e8f Mon Sep 17 00:00:00 2001 From: Matthew Miller Date: Tue, 30 Jul 2024 16:14:19 -0700 Subject: [PATCH 11/14] Remove duplicate TimeoutError --- index.bs | 4 ---- 1 file changed, 4 deletions(-) diff --git a/index.bs b/index.bs index 6388f0fdb..373567366 100644 --- a/index.bs +++ b/index.bs @@ -3802,10 +3802,6 @@ please see [[#sctn-create-request-exceptions]] and [[#sctn-get-request-exception interface HybridPrerequisitesError : DOMException { }; -[Exposed=Window, Serializable] -interface TimeoutError : DOMException { -}; - [Exposed=Window, Serializable] interface UserCancellationError : DOMException { }; From 09571b2cecc7572cdb9199c8935e12912a406ef3 Mon Sep 17 00:00:00 2001 From: Matthew Miller Date: Wed, 28 Aug 2024 10:49:50 -0700 Subject: [PATCH 12/14] Remove hybrid errors for now --- index.bs | 42 ------------------------------------------ 1 file changed, 42 deletions(-) diff --git a/index.bs b/index.bs index 8d313e329..ab827da0b 100644 --- a/index.bs +++ b/index.bs @@ -1967,14 +1967,6 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o :: [=set/For each=] |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] operation on |authenticator| and [=set/remove=] |authenticator| from |issuedRequests|. - If the user agent is informing the user of an inability to continue the ceremony - due to missing {{AuthenticatorTransport/hybrid}} prerequisites, - throw a "{{HybridPrerequisitesError}}" {{DOMException}}. - - If the user agent is prompting the user to complete the ceremony using an authenticator - that may be available over the {{AuthenticatorTransport/hybrid}} transport, - throw a "{{UserHybridCancellationError}}" {{DOMException}}. - If the user agent is informing the user that the last used |authenticator| cannot collect [=user verification=] when |pkOptions|.{{PublicKeyCredentialCreationOptions/authenticatorSelection}}.{{AuthenticatorSelectionCriteria/userVerification}} @@ -2284,10 +2276,6 @@ The following {{DOMException}} exceptions can be raised: : {{InvalidStateError}} :: The authenticator used in the ceremony recognized an entry in {{PublicKeyCredentialCreationOptions/excludeCredentials}} after the user [=user consent|consented=] to registering a credential. - - : {{HybridPrerequisitesError}} - :: The ceremony was cancelled due to missing prerequisites for use of - the {{AuthenticatorTransport/hybrid}} transport. : {{NotSupportedError}} :: No entry in {{PublicKeyCredentialCreationOptions/pubKeyCredParams}} had a {{PublicKeyCredentialDescriptor/type}} property of {{PublicKeyCredentialType/public-key}}, @@ -2312,11 +2300,6 @@ The following {{DOMException}} exceptions can be raised: :: The user has exercised a user agent user-interface option to end the ceremony. - : {{UserHybridCancellationError}} - :: The user has exercised a user agent user-interface option - to end the ceremony while being prompted to complete a ceremony - via the {{AuthenticatorTransport/hybrid}} transport. - : {{UserVerificationError}} :: The user was unable to complete [=user verification=] as required by the [=[RP]=]. @@ -2545,14 +2528,6 @@ When this method is invoked, the user agent MUST execute the following algorithm :: [=set/For each=] |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] operation on |authenticator| and [=set/remove=] |authenticator| from |issuedRequests|. - If the user agent is informing the user of an inability to continue the ceremony - due to missing {{AuthenticatorTransport/hybrid}} prerequisites, - throw a "{{HybridPrerequisitesError}}" {{DOMException}}. - - If the user agent is prompting the user to complete the ceremony using an authenticator - that may be available over the {{AuthenticatorTransport/hybrid}} transport, - throw a "{{UserHybridCancellationError}}" {{DOMException}}. - If the user agent is informing the user that the last used |authenticator| cannot collect [=user verification=] when |pkOptions|.{{PublicKeyCredentialCreationOptions/authenticatorSelection}}.{{AuthenticatorSelectionCriteria/userVerification}} @@ -2886,10 +2861,6 @@ The following {{DOMException}} exceptions can be raised: :: The ceremony was cancelled by an {{AbortController}}. See [[#sctn-abortoperation]] and [[#sctn-sample-aborting]]. - : {{HybridPrerequisitesError}} - :: The ceremony was cancelled due to missing prerequisites for use of - the {{AuthenticatorTransport/hybrid}} transport. - : {{SecurityError}} :: The [=effective domain=] was not a [=valid domain=], or {{PublicKeyCredentialCreationOptions/rp}}.{{PublicKeyCredentialRpEntity/id}} was not equal to or a registrable domain suffix of the [=effective domain=]. @@ -2908,11 +2879,6 @@ The following {{DOMException}} exceptions can be raised: : {{UserCancellationError}} :: The user has exercised a user agent user-interface option to end the ceremony. - - : {{UserHybridCancellationError}} - :: The user has exercised a user agent user-interface option - to end the ceremony while being prompted to complete a ceremony - via the {{AuthenticatorTransport/hybrid}} transport. : {{UserVerificationError}} :: The user was unable to complete [=user verification=] as required by the [=[RP]=]. @@ -3795,18 +3761,10 @@ For descriptions of these exceptions, please see [[#sctn-create-request-exceptions]] and [[#sctn-get-request-exceptions]]. -[Exposed=Window, Serializable] -interface HybridPrerequisitesError : DOMException { -}; - [Exposed=Window, Serializable] interface UserCancellationError : DOMException { }; -[Exposed=Window, Serializable] -interface UserHybridCancellationError : DOMException { -}; - [Exposed=Window, Serializable] interface UserVerificationError : DOMException { }; From 08870547b98870cd6dc02547eb2d07513c505352 Mon Sep 17 00:00:00 2001 From: Matthew Miller <mmiller@duosecurity.com> Date: Wed, 28 Aug 2024 10:57:05 -0700 Subject: [PATCH 13/14] Add required IDL for new error codes --- index.bs | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/index.bs b/index.bs index ab827da0b..518287259 100644 --- a/index.bs +++ b/index.bs @@ -3763,13 +3763,38 @@ please see [[#sctn-create-request-exceptions]] and [[#sctn-get-request-exception <xmp class="idl"> [Exposed=Window, Serializable] interface UserCancellationError : DOMException { + constructor(optional DOMString message = ""); }; + + +The new UserCancellationError(|message|) constructor steps are: + +1. Set [=this=]'s {{DOMException/name}} to `"UserCancellationError"`. +1. Set [=this=]'s {{DOMException/message}} to `message`. + +{{UserCancellationError}} objects are [=serializable objects=]. + +Their [=serialization steps=], given |value| and |serialized|, are to run the {{DOMException}} [=serialization steps=] given |value| and |serialized|. + +Their [=deserialization steps=], given |serialized| and |value|, are to run the {{DOMException}} [=deserialization steps=] given |serialized| and |value|. + [Exposed=Window, Serializable] interface UserVerificationError : DOMException { + constructor(optional DOMString message = ""); }; +The new UserVerificationError(|message|) constructor steps are: + +1. Set [=this=]'s {{DOMException/name}} to `"UserVerificationError"`. +1. Set [=this=]'s {{DOMException/message}} to `message`. + +{{UserVerificationError}} objects are [=serializable objects=]. + +Their [=serialization steps=], given |value| and |serialized|, are to run the {{DOMException}} [=serialization steps=] given |value| and |serialized|. + +Their [=deserialization steps=], given |serialized| and |value|, are to run the {{DOMException}} [=deserialization steps=] given |serialized| and |value|. ## WebAuthn Extensions Inputs and Outputs ## {#sctn-extensions-inputs-outputs} From 7aec7443003f884186dd1613e047371efc8f2be6 Mon Sep 17 00:00:00 2001 From: Matthew Miller Date: Tue, 24 Sep 2024 09:46:55 -0700 Subject: [PATCH 14/14] Replace UserCancellationError with OptOutError --- index.bs | 30 ++---------------------------- 1 file changed, 2 insertions(+), 28 deletions(-) diff --git a/index.bs b/index.bs index 518287259..869679c24 100644 --- a/index.bs +++ b/index.bs @@ -1973,7 +1973,7 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o is set to {{UserVerificationRequirement/required}}, throw a "{{UserVerificationError}}" {{DOMException}}. - Otherwise, throw a "{{UserCancellationError}}" {{DOMException}}. + Otherwise, throw an "{{OptOutError}}" {{DOMException}}. : If |options|.{{CredentialCreationOptions/signal}} is present and [=AbortSignal/aborted=], :: [=set/For each=] |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] @@ -2296,10 +2296,6 @@ The following {{DOMException}} exceptions can be raised: :: The [=authenticator=] could not process the supplied options, or encountered an error while creating the new credential. - : {{UserCancellationError}} - :: The user has exercised a user agent user-interface option - to end the ceremony. - : {{UserVerificationError}} :: The user was unable to complete [=user verification=] as required by the [=[RP]=]. @@ -2534,7 +2530,7 @@ When this method is invoked, the user agent MUST execute the following algorithm is set to {{UserVerificationRequirement/required}}, throw a "{{UserVerificationError}}" {{DOMException}}. - Otherwise, throw a "{{UserCancellationError}}" {{DOMException}}. + Otherwise, throw an "{{OptOutError}}" {{DOMException}}. : If |options|.{{CredentialRequestOptions/signal}} is present and [=AbortSignal/aborted=], :: [=set/For each=] |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] operation on |authenticator| @@ -2875,10 +2871,6 @@ The following {{DOMException}} exceptions can be raised: : {{UnknownError}} :: The [=authenticator=] could not process the supplied options, or encountered an error while generating an [=assertion signature=]. - - : {{UserCancellationError}} - :: The user has exercised a user agent user-interface option - to end the ceremony. : {{UserVerificationError}} :: The user was unable to complete [=user verification=] as required by the [=[RP]=]. @@ -3760,24 +3752,6 @@ The subection below defines custom interfaces used throughout WebAuthn. For descriptions of these exceptions, please see [[#sctn-create-request-exceptions]] and [[#sctn-get-request-exceptions]]. - -[Exposed=Window, Serializable] -interface UserCancellationError : DOMException { - constructor(optional DOMString message = ""); -}; - - -The new UserCancellationError(|message|) constructor steps are: - -1. Set [=this=]'s {{DOMException/name}} to `"UserCancellationError"`. -1. Set [=this=]'s {{DOMException/message}} to `message`. - -{{UserCancellationError}} objects are [=serializable objects=]. - -Their [=serialization steps=], given |value| and |serialized|, are to run the {{DOMException}} [=serialization steps=] given |value| and |serialized|. - -Their [=deserialization steps=], given |serialized| and |value|, are to run the {{DOMException}} [=deserialization steps=] given |serialized| and |value|. - [Exposed=Window, Serializable] interface UserVerificationError : DOMException {