/webauthn-tidy

Primary language: JavaScript. License: BSD 3-Clause "New" or "Revised" License (BSD-3-Clause).

WebAuthn Cleanup

Experimenting with making WebAuthn easier to use:

  • Converting Uint8Array/ArrayBuffer values to base64, so that data can be easily sent to/from the server.

  • Providing the public key in DER format, similar to PEM, as many systems can use this directly.

  • Providing the flags and signCount in an easy-to-read format.

  • Avoiding CBOR decoding (few systems support this).

  • Avoiding the attestedCredentialData length issue, where mistakes are easily made.

  • Using normal base64 encoding (where possible), rather than the less common base64url (RFC 4648).

  • Potentially making a version that could be done in HTML only (without JavaScript).
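
To illustrate the flags, signCount and length points above, here is an added example (not code from this repository) that reads the fixed-offset part of a WebAuthn authenticatorData value without any CBOR decoding. The names parseAuthenticatorData and buildSample are hypothetical, and it assumes the "length issue" refers to the variable-length credentialIdLength field.

```javascript
// Added example, not taken from tidy.js. Layout per the WebAuthn spec:
//   rpIdHash[32] | flags[1] | signCount[4, big-endian]
//   if AT flag set: aaguid[16] | credentialIdLength[2] | credentialId | COSE key
const toBase64 = (bytes) => btoa(String.fromCharCode(...bytes));
const fromBase64 = (b64) => Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));

function parseAuthenticatorData(b64) {
  const data = fromBase64(b64);
  if (data.length < 37) throw new RangeError('authenticatorData shorter than 37 bytes');
  const view = new DataView(data.buffer, data.byteOffset, data.byteLength);
  const bits = data[32];
  const result = {
    rpIdHash: toBase64(data.subarray(0, 32)),
    flags: {
      userPresent: (bits & 0x01) !== 0,
      userVerified: (bits & 0x04) !== 0,
      attestedCredentialData: (bits & 0x40) !== 0,
      extensionData: (bits & 0x80) !== 0,
    },
    signCount: view.getUint32(33, false),
  };
  if (result.flags.attestedCredentialData) {
    // Assumed "length issue": credentialIdLength comes from untrusted input,
    // so every offset derived from it is bounds-checked before slicing.
    if (data.length < 55) throw new RangeError('attestedCredentialData truncated');
    const idLength = view.getUint16(53, false);
    if (55 + idLength > data.length) throw new RangeError('credentialIdLength exceeds buffer');
    result.aaguid = toBase64(data.subarray(37, 53));
    result.credentialId = toBase64(data.subarray(55, 55 + idLength));
    result.publicKeyOffset = 55 + idLength; // COSE key starts here; left undecoded
  }
  return result;
}

// Constructed sample: zeroed rpIdHash and aaguid, flags UP|UV|AT (0x45),
// signCount 7, a 4-byte credential id, and no COSE key bytes.
function buildSample(idLengthField) {
  const sample = new Uint8Array(37 + 16 + 2 + 4);
  sample[32] = 0x45;
  sample[36] = 7;
  sample[54] = idLengthField;
  sample.set([0xde, 0xad, 0xbe, 0xef], 55);
  return toBase64(sample);
}
```

Passing buildSample(4) returns readable flags, the signCount and a base64 credentialId; passing a length field larger than the remaining bytes is rejected instead of producing a short or misaligned slice.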

Discussion


HTML

If the browser could implement something like this JavaScript to provide a way to use WebAuthn without JavaScript:

https://github.com/craigfrancis/webauthn-tidy/blob/main/html/js/webauthn.js?ts=4

Then the HTML and server-side code would be considerably easier:


API Version 2

While no browsers currently support this, there is a new "getPublicKey()" method.


API Alternative

If not, then this JS will make an easier-to-use window.navigator.credentials2:

https://github.com/craigfrancis/webauthn-tidy/blob/main/tidy/js/tidy.js?ts=4

So individual websites will find it easier to implement in their: