
Consider separating the SPC powers of Third Party invocation and Payment display #157

@Goosth

SPC has a number of very attractive powers. Two of those are

  • The ability to show a payment specific display in the browser agent
  • The ability to invoke a payment from a cross-origin domain to allow one party to use another RP's WebAuthn credential.

These attributes of SPC are established when the PublicKeyCredential is created, by adding a payment extension. Today these abilities are 'enabled' via a single payment flag, and are not independently settable. Both of these attributes may however be desirable on their own. For example:

  • An RP may want to use the better payment specific display option, but not at all want another party to invoke/use their credentials for payment.
  • Another RP may not want the credential to be used for payments, but would be open to others using it for a Login (see it as a form of enabling Federated Authentication).

Should we consider separating these two attributes?

  • On the one hand, an RP may just choose to not share their WebAuthn credential IDs, thereby preventing the cross-origin functionality. From a least privilege perspective that may not be desirable (it's still technically possible if the credentials are leaked/shared inadvertently).
  • There could be a view that this cross-origin should only be allowed for the payment use-case, so separating them would expose too wide a set of functionality (cross-origin login), which is not desirable.

The suggestion could perhaps be that a WebAuthn credential should be created with a Payment extension. And that in that payment extension it should indicate if cross-origin should be allowed. For example:

  extensions: {
    "payment": {
      allowCrossOrigin: true,
    }
  }

This would allow Payment display to be enabled, with cross-origin being an additional attribute that may be set if the RP is open to this use-case.

The alternative is to allow cross-origin for all use-cases, and have a cross-origin extension that can be enabled in addition to the payments extension.

  extensions: {
    "payment": {
      isPayment: true,
    },
    "crossorigin": {
      isCrossOrigin: true
    }
  }
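
Added example, not part of the original issue or of the SPC specification: a small JavaScript model comparing what a cross-origin caller can do under today's single flag and under the two extension shapes sketched above. The model names (`today`, `optionA`, `optionB`), the `purpose` field, the simplified RP ID match and the `.example` origins are assumptions made for illustration.

```javascript
// Policy model only. Extension field names follow the issue's sketches and are
// proposals, not a shipped browser API.
function capabilities(model, ext = {}) {
  const pay = ext.payment;
  switch (model) {
    case "today": { // one flag grants both powers together
      const on = pay?.isPayment === true;
      return { display: on, xoPayment: on, xoLogin: false };
    }
    case "optionA": // payment extension, cross-origin is an opt-in inside it
      return { display: pay !== undefined,
               xoPayment: pay?.allowCrossOrigin === true,
               xoLogin: false };
    case "optionB": { // independent "payment" and "crossorigin" extensions
      const isPay = pay?.isPayment === true;
      const xo = ext.crossorigin?.isCrossOrigin === true;
      return { display: isPay, xoPayment: isPay && xo, xoLogin: xo };
    }
    default:
      throw new Error(`unknown model: ${model}`);
  }
}

// Assumption: simplified match, caller host equals the RP ID or is a subdomain.
function isCrossOrigin(callerOrigin, rpId) {
  const host = new URL(callerOrigin).hostname;
  return !(host === rpId || host.endsWith("." + rpId));
}

// Decide whether an assertion request may proceed and which UI it gets.
function authorize(model, ext, { callerOrigin, rpId, purpose }) {
  const caps = capabilities(model, ext);
  const xo = isCrossOrigin(callerOrigin, rpId);
  if (purpose === "payment") {
    const allowed = caps.display && (!xo || caps.xoPayment);
    return { allowed, paymentDisplay: allowed };
  }
  if (purpose === "login") {
    return { allowed: !xo || caps.xoLogin, paymentDisplay: false };
  }
  throw new Error(`unknown purpose: ${purpose}`);
}

// Constructed sample requests: RP "bank.example", third party "shop.example".
const thirdPartyPay = { callerOrigin: "https://shop.example", rpId: "bank.example", purpose: "payment" };
const thirdPartyLogin = { ...thirdPartyPay, purpose: "login" };
const firstPartyPay = { ...thirdPartyPay, callerOrigin: "https://pay.bank.example" };
```

Under `today` an RP that sets the payment flag cannot refuse third-party invocation, while `optionA` with an empty payment extension keeps the payment display and denies the cross-origin caller; only `optionB` can express the login-only sharing case.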

    Labels

    privacy-tracker: Group bringing to attention of Privacy, or tracked by the Privacy Group but not needing response.