OLD | NEW |
---|---|
1 // Copyright 2017 The Chromium Authors. All rights reserved. | 1 // Copyright 2017 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 [JavaPackage="org.chromium.webauth.mojom"] | 5 [JavaPackage="org.chromium.webauth.mojom"] |
6 module webauth.mojom; | 6 module webauth.mojom; |
7 | 7 |
8 import "mojo/common/time.mojom"; | |
9 import "url/mojo/url.mojom"; | |
10 | |
8 // This file describes the communication between the WebAuthentication renderer | 11 // This file describes the communication between the WebAuthentication renderer |
9 // implementation and browser-side implementations to create scoped credentials | 12 // implementation and browser-side implementations to create public key |
10 // and use already-created credentials to get assertions. | 13 // credentials and use already-created credentials to get assertions. |
11 // See https://w3c.github.io/webauthn/. | 14 // See https://w3c.github.io/webauthn/. |
12 | 15 |
13 enum AuthenticatorStatus { | 16 enum AuthenticatorStatus { |
14 SUCCESS, | 17 SUCCESS, |
15 CANCELLED, | 18 CANCELLED, |
16 UNKNOWN_ERROR, | 19 UNKNOWN_ERROR, |
17 NOT_ALLOWED_ERROR, | 20 NOT_ALLOWED_ERROR, |
18 NOT_SUPPORTED_ERROR, | 21 NOT_SUPPORTED_ERROR, |
19 SECURITY_ERROR, | 22 SECURITY_ERROR, |
20 NOT_IMPLEMENTED, | 23 NOT_IMPLEMENTED, |
21 }; | 24 }; |
22 | 25 |
23 // The public key and attestation that is returned by an authenticator's | 26 // The public key and attestation that is returned by an authenticator's |
24 // call to makeCredential. | 27 // call to makeCredential. |
25 struct ScopedCredentialInfo { | 28 struct PublicKeyCredentialInfo { |
29 // The base64url encoding of rawId. | |
engedy
2017/07/05 18:51:09
nit: ... of |raw_id|.
kpaulhamus
2017/07/12 21:21:49
Done.
| |
30 string id; | |
31 // An identifier for the credential. | |
32 array<uint8> rawId; | |
dcheng1
2017/06/30 16:23:55
Nit: raw_id
kpaulhamus
2017/07/12 21:21:49
Done.
| |
33 | |
26 // A blob of data containing the JSON serialization of client data passed | 34 // A blob of data containing the JSON serialization of client data passed |
27 // to the authenticator. | 35 // to the authenticator. |
28 array<uint8> client_data; | 36 array<uint8> client_data_json; |
29 // A blob of data returned from the authenticator. | 37 |
30 array<uint8> attestation; | 38 // The response data from the authenticator. |
39 AuthenticatorResponse response; | |
40 | |
41 // TODO(kpaulhamus): add AuthenticatorSelectionCriteria | |
engedy
2017/07/05 18:51:09
nit: I think this goes to MakeCredentialOptions?
kpaulhamus
2017/07/12 21:21:49
Done.
| |
31 }; | 42 }; |
32 | 43 |
33 // Information about the relying party and the user account held by that | 44 // Contains the authenticator's response to the request to either |
34 // relying party. This information is used by the authenticator to create | 45 // create a public key credential, or generate an authentication assertion. |
35 // or retrieve an appropriate scoped credential for this account. | 46 struct AuthenticatorResponse { |
engedy
2017/07/05 18:51:09
If I understand correctly, this needs to be polymo
kpaulhamus
2017/07/12 21:21:49
The call being made (create/get, or as-currently m
engedy
2017/07/13 11:33:54
Got it.
| |
36 // These fields take arbitrary input. | 47 // A blob of data returned by the authenticator after creating a credential. |
37 struct RelyingPartyAccount { | 48 array<uint8> attestation_object; |
38 // Friendly name of the Relying Party, e.g. "Acme Corporation" | 49 // A blob of data returned by the authenticator after generating an assertion. |
39 string relying_party_display_name; | 50 array<uint8> authenticator_data; |
40 // Friendly name associated with the user account, e.g. "John P. Smith" | 51 // Cryptographic signature proving possession of the credential private key. |
41 string display_name; | 52 array<uint8> signature; |
42 // Identifier for the account, corresponding to no more than one credential | |
43 // per authenticator and Relying Party. | |
44 string id; | |
45 // Detailed name for the account, e.g. john.p.smith@example.com | |
46 string? name; | |
47 // User image, if any. | |
48 // TODO(kpaulhamus): make this url.mojom.Url in a followup CL | |
49 string? image_url; | |
50 }; | 53 }; |
51 | 54 |
52 // Parameters that are used to generate an appropriate scoped credential. | 55 // Information about the relying party and the user account held by that |
engedy
2017/07/05 18:51:09
nit: Not sure about the semantics, but how about "
kpaulhamus
2017/07/12 21:21:49
Sure
| |
53 struct ScopedCredentialParameters { | 56 // relying party. This information is used by the authenticator to create |
54 ScopedCredentialType type; | 57 // or retrieve an appropriate public key credential for this account. |
58 // These fields take arbitrary input. | |
59 struct PublicKeyCredentialEntity { | |
60 // A unique identifier for the entity. An ASCII serialization of an origin | |
61 // for a relying party, and an arbitrary string specified by the relying party | |
62 // for user accounts. | |
63 string id; | |
64 | |
65 // Friendly name associated with the entity intended for display. | |
66 // e.g. "Acme Corporation" for a relying party and "john.p.smith@example.com" | |
67 // or "+14255551234" for a user. | |
68 string name; | |
69 | |
70 // Image associated with the entity. | |
71 // For example, this could be a user’s avatar or a relying party's logo. | |
72 url.mojom.Url? icon; | |
73 | |
74 // Contains a friendly name for the user account (e.g., "John P. Smith"). | |
75 string? display_name; | |
76 }; | |
77 | |
78 // Parameters that are used to generate an appropriate public key credential. | |
79 struct PublicKeyCredentialParameters { | |
80 PublicKeyCredentialType type; | |
55 // TODO(kpaulhamus): add AlgorithmIdentifier algorithm; | 81 // TODO(kpaulhamus): add AlgorithmIdentifier algorithm; |
56 }; | 82 }; |
57 | 83 |
58 // Optional parameters that are used during makeCredential. | 84 // Optional parameters that are used during makeCredential. |
engedy
2017/07/05 18:51:09
comment nit: These do not seem to be optional anym
kpaulhamus
2017/07/12 21:21:49
Done.
| |
59 struct ScopedCredentialOptions { | 85 struct MakeCredentialOptions { |
60 //TODO(kpaulhamus): Make this mojo.common.mojom.TimeDelta in followup CL | 86 PublicKeyCredentialEntity relying_party; // Relying party information. |
engedy
2017/07/05 18:51:09
nit: Mention this corresponds to |rp| in the IDL.
engedy
2017/07/05 18:51:09
style nit: Could you please move the comments abov
kpaulhamus
2017/07/12 21:21:49
Done.
kpaulhamus
2017/07/12 21:21:49
Done.
| |
61 double adjusted_timeout; | 87 PublicKeyCredentialEntity user; // Information about the user. |
62 string? relying_party_id; | 88 array<uint8> challenge; // A blob passed from the the relying party server. |
63 array<ScopedCredentialDescriptor> exclude_list; | 89 array<PublicKeyCredentialParameters> crypto_parameters; |
64 // TODO(kpaulhamus): add Extensions | 90 mojo.common.mojom.TimeDelta adjusted_timeout; |
91 array<PublicKeyCredentialDescriptor> exclude_list; | |
engedy
2017/07/05 18:51:09
optional nit: s/exlude_list/excludeCredentials/, f
kpaulhamus
2017/07/12 21:21:49
Done.
| |
65 }; | 92 }; |
66 | 93 |
67 enum ScopedCredentialType { | 94 enum PublicKeyCredentialType { |
68 SCOPEDCRED, | 95 PUBLICKEY, |
engedy
2017/07/05 18:51:10
nit: I'm never sure about converting dashes to ALL
kpaulhamus
2017/07/12 21:21:50
Done.
| |
69 }; | 96 }; |
70 | 97 |
71 // Describes the credentials that the relying party already knows about for | 98 // Describes the credentials that the relying party already knows about for |
72 // the given account. If any of these are known to the authenticator, | 99 // the given account. If any of these are known to the authenticator, |
73 // it should not create a new credential. | 100 // it should not create a new credential. |
74 struct ScopedCredentialDescriptor { | 101 struct PublicKeyCredentialDescriptor { |
75 ScopedCredentialType type; | 102 PublicKeyCredentialType type; |
76 // Blob representing a credential key handle. Up to 255 bytes for | 103 // Blob representing a credential key handle. Up to 255 bytes for |
77 // U2F authenticators. | 104 // U2F authenticators. |
78 array<uint8> id; | 105 array<uint8> id; |
79 array<Transport> transports; | 106 array<Transport> transports; |
80 }; | 107 }; |
81 | 108 |
82 enum Transport { | 109 enum Transport { |
engedy
2017/07/05 18:51:09
nit: AuthenticatorTransport
kpaulhamus
2017/07/12 21:21:49
Done.
| |
83 USB, | 110 USB, |
84 NFC, | 111 NFC, |
85 BLE, | 112 BLE, |
86 }; | 113 }; |
87 | 114 |
88 // Interface to direct authenticators to create or use a scoped credential. | 115 // Interface to direct authenticators to create or use a public key credential. |
89 interface Authenticator { | 116 interface Authenticator { |
90 // Gets the credential info for a new credential created by an authenticator | 117 // Gets the credential info for a new public key credential created by an |
91 // for the given relying party and account. | 118 // authenticator for the given |MakeCredentialOptions| |
92 // |attestation_challenge| is a blob passed from the relying party server. | 119 MakeCredential(MakeCredentialOptions options) |
93 // [ScopedCredentialInfo] will only be set if status == SUCCESS. | 120 => (AuthenticatorStatus status, PublicKeyCredentialInfo? credential); |
dcheng1
2017/06/30 16:23:55
Nit: this comment got lost in the updates.
kpaulhamus
2017/07/12 21:21:49
Thx
| |
94 MakeCredential(RelyingPartyAccount account_information, | |
95 array<ScopedCredentialParameters> crypto_parameters, | |
96 array<uint8> attestation_challenge, | |
97 ScopedCredentialOptions options) | |
98 => (AuthenticatorStatus status, | |
99 ScopedCredentialInfo? scoped_credential); | |
100 }; | 121 }; |
OLD | NEW |