dom/webidl/WebAuthentication.webidl
author J.C. Jones <jjones@mozilla.com>
Mon, 09 Jan 2017 13:22:49 -0700
changeset 359610 6f8f397d5cd18f71c8398d1611082300711eaac8
child 361684 ff6b0d4a62ec9e7509204a1ed85ac0b7890172ba
permissions -rw-r--r--
Bug 1309284 - Implement W3C Web Authentication JS API [part 1] r=keeler,qdot This patch implements the W3C Web Authentication API from https://www.w3.org/TR/webauthn/, currently the 28 September 2016 working draft. It utilizes a tentative binding of the U2F NSS Soft Token to provide authentication services while waiting on Bug 1245527 to support USB HID-based U2F tokens. This binding is not in the specification yet, so it should be considered an experiment to help the specification move forward. There are also a handful of deviations from the specification's WebIDL, which are annotated with comments in WebAuthentication.webidl. There are no tests in this commit; they are in Part 4 of this commit series. There is a small script online at https://webauthn.bin.coffee/ to exercise this code, but it doesn't do any automated checks. There are also a handful of TODOS: 1) The algorithm to relax the same-origin restriction is in Part 3. 2) The use of AlgorithmIdentifier and having a way to coerce an object to a string is still missing. 3) Timeouts and deadlines aren't there, and are pending reworking how the nsIU2FToken interface works. UPDATED: - Address qdot, keeler review comments (thanks!) - Address more qdot, keeler review comments (thanks!) MozReview-Commit-ID: JITapI38iOh

/* -*- Mode: IDL; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this file,
 * You can obtain one at http://mozilla.org/MPL/2.0/.
 *
 * The origin of this IDL file is
 * https://www.w3.org/TR/webauthn/
 */

/***** Interfaces to Data *****/

// Result type of WebAuthentication.makeCredential(): the newly created
// credential together with the attestation produced for it.
// [SecureContext] limits exposure of this interface to secure contexts.
// NOTE(review): both attributes reach page script, so a relying party should
// verify the attestation on its server rather than trust script-side checks.
[SecureContext]
interface ScopedCredentialInfo {
    // The credential (type + id) that was just created.
    readonly attribute ScopedCredential    credential;
    // Attestation data accompanying the new credential.
    readonly attribute WebAuthnAttestation attestation;
};

// Account description passed by page script as the first argument of
// makeCredential(). The first three members are required; name and imageURL
// are optional.
// NOTE(review): every member is a script-supplied string. Any code that shows
// these values to the user or fetches imageURL should treat them as untrusted
// input -- confirm how the implementation consumes them.
dictionary Account {
    // presumably the relying party's human-readable name -- confirm against the spec draft
    required DOMString rpDisplayName;
    // presumably the human-readable name of the user account -- confirm against the spec draft
    required DOMString displayName;
    // Account identifier chosen by the caller.
    required DOMString id;
    DOMString          name;
    DOMString          imageURL;
};

// Local stand-in for the spec's AlgorithmIdentifier, used by
// ScopedCredentialParameters.algorithm and WebAuthnClientData.hashAlg.
// NOTE(review): the boolean arm has no documented meaning in this file --
// confirm how the implementation handles a non-string value.
typedef (boolean or DOMString) WebAuthnAlgorithmID; // Replace once upstream defines how to serialize AlgorithmIdentifier

// One acceptable (credential type, algorithm) pair. makeCredential() takes a
// sequence of these as its cryptoParameters argument. Both members are
// required.
dictionary ScopedCredentialParameters {
    required ScopedCredentialType type;
    required WebAuthnAlgorithmID  algorithm; // NOTE: changed from AlgorithmIdentifier because typedef (object or DOMString) is not serializable
};

// Optional settings for makeCredential(). All members are optional.
dictionary ScopedCredentialOptions {
    // NOTE(review): the changeset description lists timeouts and deadlines as
    // not yet implemented, so this value may not be honoured yet -- confirm.
    unsigned long                        timeoutSeconds;
    // Relying party identifier supplied by the caller.
    // NOTE(review): the changeset description says the algorithm to relax the
    // same-origin restriction lands in a later part; confirm how rpId is
    // checked against the calling origin in this revision.
    USVString                            rpId;
    // presumably credentials that must not be created again -- confirm against the spec draft
    sequence<ScopedCredentialDescriptor> excludeList;
    WebAuthnExtensions                   extensions;
};

// Result type of WebAuthentication.getAssertion().
// [SecureContext] limits exposure of this interface to secure contexts.
// NOTE(review): these buffers are what a relying party server is expected to
// verify (the signature, plus the challenge and origin carried in clientData).
// Checks done only in page script do not authenticate anything.
[SecureContext]
interface WebAuthnAssertion {
    // The credential the assertion was made with.
    readonly attribute ScopedCredential credential;
    // presumably the serialized WebAuthnClientData -- confirm in the implementation
    readonly attribute ArrayBuffer      clientData;
    readonly attribute ArrayBuffer      authenticatorData;
    readonly attribute ArrayBuffer      signature;
};

// Optional settings for getAssertion(). All members are optional.
dictionary AssertionOptions {
    // NOTE(review): the changeset description lists timeouts and deadlines as
    // not yet implemented, so this value may not be honoured yet -- confirm.
    unsigned long                        timeoutSeconds;
    // Relying party identifier supplied by the caller.
    // NOTE(review): confirm how rpId is checked against the calling origin;
    // the changeset description defers the relaxation algorithm to a later part.
    USVString                            rpId;
    // presumably the credentials the caller is willing to accept -- confirm against the spec draft
    sequence<ScopedCredentialDescriptor> allowList;
    WebAuthnExtensions                   extensions;
};

// Extension container referenced by ScopedCredentialOptions, AssertionOptions
// and WebAuthnClientData. It declares no members in this revision, so no
// extension data can be passed through it yet.
dictionary WebAuthnExtensions {
};

// Attestation returned alongside a newly created credential (see
// ScopedCredentialInfo.attestation).
// [SecureContext] limits exposure of this interface to secure contexts.
[SecureContext]
interface WebAuthnAttestation {
    // Name of the attestation format.
    readonly    attribute USVString     format;
    readonly    attribute ArrayBuffer   clientData;
    readonly    attribute ArrayBuffer   authenticatorData;
    // Typed `any`: the IDL places no constraint on its shape.
    // NOTE(review): consumers should validate this value for the given
    // `format` before relying on any field inside it.
    readonly    attribute any           attestation;
};

// Renamed from "ClientData" to avoid a collision with U2F
// Client-side context for an operation. challenge, origin and hashAlg are
// required; tokenBinding and extensions are optional.
// NOTE(review): challenge and origin are the values a relying party compares
// against what it issued and the origin it expects; confirm that the
// implementation, and not page script, fills in `origin`.
dictionary WebAuthnClientData {
    required DOMString           challenge;
    required DOMString           origin;
    required WebAuthnAlgorithmID hashAlg; // NOTE: changed from AlgorithmIdentifier because typedef (object or DOMString) is not serializable
    DOMString                    tokenBinding;
    WebAuthnExtensions           extensions;
};

// Credential types known to this API. Only "ScopedCred" is defined in this
// revision.
enum ScopedCredentialType {
    "ScopedCred"
};

// A credential handle exposed to script: its type and an opaque identifier.
// [SecureContext] limits exposure of this interface to secure contexts.
[SecureContext]
interface ScopedCredential {
    readonly attribute ScopedCredentialType type;
    // Credential identifier as raw bytes.
    readonly attribute ArrayBuffer          id;
};

// Caller-supplied reference to a credential, used as the element type of
// ScopedCredentialOptions.excludeList and AssertionOptions.allowList.
// type and id are required; transports is optional.
dictionary ScopedCredentialDescriptor {
    required ScopedCredentialType type;
    // Credential identifier bytes supplied by page script.
    // NOTE(review): the IDL sets no length limit; confirm the implementation
    // bounds or validates this before passing it to a token.
    required BufferSource         id;
    sequence <WebAuthnTransport>  transports;
};

// Renamed from "Transport" to avoid a collision with U2F
// Transport names a ScopedCredentialDescriptor may list.
// NOTE(review): the changeset description says this revision binds to the NSS
// soft token while USB HID support is pending, so these values may not affect
// behaviour yet -- confirm.
enum WebAuthnTransport {
    "usb",
    "nfc",
    "ble"
};

/***** The Main API *****/

// Entry point of the API: one operation to create a credential and one to
// obtain an assertion. Both return promises.
// [SecureContext] limits exposure of this interface to secure contexts.
// NOTE(review): both challenge arguments are raw bytes supplied by page
// script. For the result to prove anything, the relying party should issue a
// fresh, unpredictable challenge per operation from its server and check it
// again when verifying the response.
[SecureContext]
interface WebAuthentication {
    // Creates a new credential for the given account.
    //   accountInformation   - account the credential is created for
    //   cryptoParameters     - acceptable (type, algorithm) pairs
    //   attestationChallenge - challenge bytes supplied by the caller
    //   options              - optional timeout, rpId, excludeList, extensions
    // Resolves with a ScopedCredentialInfo.
    Promise<ScopedCredentialInfo> makeCredential (
        Account                                 accountInformation,
        sequence<ScopedCredentialParameters>    cryptoParameters,
        BufferSource                            attestationChallenge,
        optional ScopedCredentialOptions        options
    );

    // Requests an assertion over the caller's challenge.
    //   assertionChallenge - challenge bytes supplied by the caller
    //   options            - optional timeout, rpId, allowList, extensions
    // Resolves with a WebAuthnAssertion.
    Promise<WebAuthnAssertion> getAssertion (
        BufferSource               assertionChallenge,
        optional AssertionOptions  options
    );
};