Comments (5)
Also, a single user may have multiple credentials (one on each authenticator/end user device). In reality we'd need to support a many-to-many relationship between credentials and instruments.
from secure-payment-confirmation.
Supporting multiple instruments per credential would definitely be beneficial.
This does bring to mind cases where a single instrument has to be removed from an existing credential (e.g. card lost, card expired).
While the current WebAuthn convention is for the RP to simply delete the user<->credentials link server side to remove the entire credential, the ability to remove a single instrument from an existing credential could help prevent re-registration if a single instrument is no longer active.
Unfortunately I cannot think of an elegant way of doing this with the available navigator.credentials.get() and navigator.credentials.create() APIs, other than perhaps also requiring a list of instruments to be passed in during credentials.get().
From: https://github.com/rsolomakhin/secure-payment-confirmation#querying-a-credential
Querying a credential
```javascript
const publicKeyCredentialRequestOptions = {
  challenge,
  allowCredentials: [{
    id: Uint8Array.from(credentialId, c => c.charCodeAt(0)),
    type,
    transports,
    instruments // Array of instruments to use
  }],
  timeout,
};
const credential = await navigator.credentials.get({
  publicKey: publicKeyCredentialRequestOptions
});
```
See related email:
https://lists.w3.org/Archives/Public/public-payments-wg/2021May/0016.html
See discussion from 27 May:
https://www.w3.org/2021/05/27-wpwg-minutes#t04
@stephenmcgruer raised an interesting point about "late binding". We will work on a proposal for the requirements document that the API support "late binding", which I currently understand to mean that the RP can decide the concrete funding source at authentication time, and is not required to determine it at enrollment time (though that case must also be supported).
The API now allows the RP (or other party) to provide instrument display information at authentication time. I believe this approach renders the current issue moot, so I am going to close it. (We can reopen if I'm wrong.)
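The many-to-many relationship and the single-instrument removal discussed in this thread can be kept entirely on the RP's server, without touching the credential itself. The sketch below is an added example, not part of the issue thread or the SPC project; the class, its method names, and all IDs are hypothetical.

```javascript
// Added example: relying-party-side bookkeeping for a many-to-many link
// between WebAuthn credentials and payment instruments.
// Class/method names and any IDs passed in are hypothetical.
class InstrumentBindings {
  constructor() {
    this.byCredential = new Map(); // credentialId -> Set of instrumentIds
    this.byInstrument = new Map(); // instrumentId -> Set of credentialIds
  }

  registerCredential(credentialId) {
    if (!this.byCredential.has(credentialId)) this.byCredential.set(credentialId, new Set());
  }

  // Bind an instrument to an already registered credential (at enrollment or later).
  link(credentialId, instrumentId) {
    if (!this.byCredential.has(credentialId)) throw new Error("unknown credential");
    this.byCredential.get(credentialId).add(instrumentId);
    if (!this.byInstrument.has(instrumentId)) this.byInstrument.set(instrumentId, new Set());
    this.byInstrument.get(instrumentId).add(credentialId);
  }

  // Card lost or expired: drop the instrument everywhere, keep every credential registered.
  retireInstrument(instrumentId) {
    for (const credentialId of this.byInstrument.get(instrumentId) ?? []) {
      this.byCredential.get(credentialId).delete(instrumentId);
    }
    this.byInstrument.delete(instrumentId);
  }

  // Authenticator lost: the existing convention of deleting the whole credential.
  removeCredential(credentialId) {
    for (const instrumentId of this.byCredential.get(credentialId) ?? []) {
      this.byInstrument.get(instrumentId).delete(credentialId);
    }
    this.byCredential.delete(credentialId);
  }

  // Credential IDs to offer in allowCredentials when paying with this instrument.
  credentialsFor(instrumentId) {
    return [...(this.byInstrument.get(instrumentId) ?? [])].sort();
  }

  // Run after verifying an assertion: refuse if the binding was removed meanwhile.
  isBound(credentialId, instrumentId) {
    return this.byCredential.get(credentialId)?.has(instrumentId) ?? false;
  }
}
```

Calling `isBound` during server-side assertion verification is what stops a still-valid credential from authorizing a payment on an instrument that has since been retired.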