Add "conditional mediation" by equalsJeffH · Pull Request #155 · w3c/webappsec-credential-management (original) (raw)

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Where does the "MAY prompt" happen?

I'm not sure I understand this.

It seems like it'd fit just before the call to "ask the user to choose a Credential,

We could definitely add a note there for credential types other than PublicKeyCredential.

that doesn't call back to the particular credential types in the list.

WebAuthn loosely specifies its own credential chooser on [[PublicKeyCredential/DiscoverFromExternalSource]], and there's a bunch of conditional mediation logic I'm adding there. The implementation matches the spec in a non obvious way: only one credential type is supported at a time, so CredMan's "ask the user to choose a Credential" does not actually prompt the user ("PublicKeyCredential" is always selected as the default) and the webauthn "picker" is shown instead (and the user being prompted to interact with their authenticator satisfies the mediation requests).

I think the way this PR deals with choosing credentials (and the spec before this PR) is correct, or at least good enough. Hopefully that makes sense?