
WebAuthn serialization (Web IDL/JSON) #134

@AlfioEmanueleFresta


Use cases

  • Authenticators - Using libwebauthn to communicate with an authenticator
  • Request validation - Using libwebauthn to validate WebAuthn requests (origin checking) only, then passing the validated JSON request to a WebAuthn IDL-compatible password manager
  • Client processing - Using libwebauthn to perform WebAuthn client responsibilities (eg. client extension processing) before routing the request to another CTAP2-compatible virtual device (eg. password manager)

Changes

  • 1. Deserialization: Allow WebAuthn operations to be created from WebAuthn JSON, e.g. MakeCredentialRequest::parseJson.
    • This should be optional, and it should still be possible to create requests manually.
    • The origin of the request should be exposed, allowing the client to perform origin checking.
    • The parser should separate known extensions from unknown extensions:
      • Known extensions should continue to be mapped to CTAP2 extension input structures;
      • Unknown extensions should be returned as a JSON dictionary, containing the original payload for optional (external) further processing.
  • 2. Serialization: Serialize responses back to WebAuthn JSON

TODOs

  • Challenge min length validation
  • Allow arbitrary size PRF inputs
  • Update examples to use JSON requests

Context

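The deserialization behaviour requested above (origin exposed for checking, known and unknown extensions separated, challenge minimum length validated), as an added sketch that is not libwebauthn code and is written in Python rather than the project's Rust. The function names, the set of "known" extensions, the 16-byte minimum and the sample request are assumptions made for the illustration.

```python
import base64
import json
from urllib.parse import urlsplit

# Assumptions for this sketch (not from the issue): which extensions count as
# "known", and a 16-byte challenge minimum (the WebAuthn spec's recommendation).
KNOWN_EXTENSIONS = {"credProps", "prf", "largeBlob"}
MIN_CHALLENGE_LEN = 16

def b64url_decode(value: str) -> bytes:
    # WebAuthn JSON carries binary fields as unpadded base64url.
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))

def rp_id_allowed(rp_id: str, origin: str) -> bool:
    # Simplified check: HTTPS origin whose host equals rp_id or is a subdomain
    # of it. A real client must also consult the public suffix list.
    url = urlsplit(origin)
    host = url.hostname or ""
    return (url.scheme == "https" and bool(host)
            and (host == rp_id or host.endswith("." + rp_id)))

def parse_make_credential(request_json: str, origin: str) -> dict:
    opts = json.loads(request_json)
    challenge = b64url_decode(opts["challenge"])
    if len(challenge) < MIN_CHALLENGE_LEN:
        raise ValueError("challenge shorter than minimum length")
    rp_id = opts["rp"].get("id") or urlsplit(origin).hostname or ""
    if not rp_id_allowed(rp_id, origin):
        raise ValueError("rp.id is not valid for the calling origin")
    known, unknown = {}, {}
    for name, payload in opts.get("extensions", {}).items():
        # Unknown extensions keep their original payload untouched.
        (known if name in KNOWN_EXTENSIONS else unknown)[name] = payload
    return {"origin": origin, "rp_id": rp_id, "challenge": challenge,
            "known_extensions": known, "unknown_extensions": unknown}

def sample_request(challenge_len: int = 32) -> str:
    # Constructed sample input; "exampleVendorExt" is a made-up extension name.
    challenge = base64.urlsafe_b64encode(bytes(range(challenge_len))).rstrip(b"=")
    return json.dumps({
        "rp": {"id": "example.com", "name": "Example"},
        "user": {"id": "dXNlcg", "name": "alice", "displayName": "Alice"},
        "challenge": challenge.decode(),
        "pubKeyCredParams": [{"type": "public-key", "alg": -7}],
        "extensions": {"credProps": True, "exampleVendorExt": {"x": 1}},
    })

if __name__ == "__main__":
    print(parse_make_credential(sample_request(), "https://login.example.com"))
```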