W3C

Web Payments Working Group

07 July 2022

Attendees

Present
Anne Pouillard (Worldline), Bart de Water (Shopify), Carey Ferro (Discover), Clinton Allen (American Express), David Benoit, Erhard Brand (Entersekt), Gregoire Leleux (FIME), Ian Jacobs (W3C), Jean-Luc Di Manno (FIME), Jean-Michel Girard (Worldline), Jonathan Grossar (Mastercard), Matt Crothers (American Express), Nick Telford-Reed, Praveena Subrahmanyam (Airbnb), Ryan Watkins (Mastercard), Stephen McGruer (Google), Steve Cole (MAG), Susan Koomen (American Express), Suzie Annezo-Sebire (FIME), Tomoya Horiguchi (JCB)
Regrets
Gerhard Oosthuizen
Chair
Ian
Scribe
Ian

Meeting minutes

SPC: From browser cache to FIDO/WebAuthn integration

Chrome Team documentation

smcgruer_[EST]: This is about how we are going to get from today's Chrome implementation of SPC to a future where SPC is properly part of the underlying (FIDO-related) APIs

[SPC today]

smcgruer_[EST]: Some limitations today - we cache info in the browser, which means first of all that credentials are not shared between browsers running on the same device.

smcgruer_[EST]: Also means we limit use of credentials to a subset of what we want to be used for SPC (e.g., ordinary FIDO credentials in a 1p context)

smcgruer_[EST]: Another limitation today is no support for remote authenticators

smcgruer_[EST]: And finally, we don't want to override some WebAuthn behaviors

[Stephen walks through SPC flow reminder]

Ian: Please include the flow slide in the explainer!

[Ideal end state]

smcgruer_[EST]: (1) no overrides of underlying APIs (2) reliance on authenticators (CTAP) to answer questions (a) does credential exist? (b) is it available cross-origin if this is a cross-origin request? (3) any [discoverable] FIDO credential should work (4) only cross-origin credentials should work in cross-origin scenarios (5) should work with platform and roaming authenticators.

[What needs to change to get there]

smcgruer_[EST]: Lots to read there

[Very aggressive timeline!]

smcgruer_[EST]: We're already behind. At a high level, we need a few things:
… authenticators need to have the spc extension
… SPC needs to be cleaned up to align with that
… the "payment" extension needs to become an alias for the above
… it will take some time to get authenticator support (e.g., a year)
… in the meantime I would like to hear from you -- should we support a second extension that can be used to allow requests for cross-origin
… if you are a user of SPC ONLY in a 1p context, should we support that before the authenticators make it easier for us?

JeanLuc: What is the impact on reliance on discoverable credentials?

smcgruer_[EST]: Discoverable credentials allow us to look up credentials. Today, to my knowledge, right now authenticators don't let you do that look-up without a user interaction with the device.
… they are more used in WebAuthn right now where the platform authenticator says "which of these identities do you want to use?"
… that said, discoverable credentials are likely to be the basis for the BROWSER to query authenticators silently.
… we are close to having this. These APIs (mostly) exist; what we need is the cross-origin bit

smcgruer_[EST]: I believe we have resolved that any returned credential can be used in a 1p context
… in the latest Windows Insider build they have added APIs for listing discoverable credentials without user interaction.

IJ: Is the silent access API a work item at the CTAP level?

smcgruer_[EST]: In terms of the 3p bit, there's a pending pull request at the CTAP level.
… that will make it possible to query authenticators

Ian: What about standard API for roaming authenticators?

smcgruer_[EST]: I think that's supported via Credential Management API; John Bradley could clarify here.

Ian: Back to Stephen's question -- any views on the priority of 1p support without the SPC bit set within the next year?

Erhard: Yes, I would say we would be interested in support for the feature.

smcgruer_[EST]: What we would do is to introduce 2 more extensions. One would be to mark a credential as "SPC" and one would be to set a credential as cross-origin enabled.
… both would be cached in the browser
… one would mean "ok for SPC cross origin"
… one would mean "ok for SPC, but not cross origin"
… and the existing extension would mean "ok for SPC and cross origin" (an alias)

Erhard: That makes sense.

Ian: Backwards compatibility issues?

smcgruer_[EST]: Should have no impact on 3DS integration. This happens at credential creation time (which is not covered in 3DS)

Ian: What should we be looking for at TPAC on this?

<JeanLuc> what is currently missing on SPC to be able to use a roaming authenticator?

smcgruer_[EST]: I could imagine talking about the 2 extensions; but not sure what priority of that is yet.
… separately we'll provide an update on where we are with authenticators.
… I would like to see the 3p bit merged in FIDO by then

smcgruer_[EST]: Regarding support for roaming authenticators:

a) We could specify a fallback flow in the spec: "If you have a roaming authenticator, insert now." It's a fair amount of implementation.

b) Or, to do this more properly, we'd need to understand what the Credential Management API can do for us; discussion with WebAuthn folks. They have a long-term conversation about whether roaming authenticators should be able to proactively tell the OS (after first being inserted) what credentials are available.
… then you could use this for SPC without having the device already inserted.

TPAC 2022

TPAC home

Registration soon!
… hotel info + special rate

https://www.w3.org/calendar/tpac2022/group-meetings/

WPWG meeting page

Ian: Remote participation will be an option

<Sue> Will you be sending out the agenda soon?

Ian: At the latest mid-August

<Sue> Monday morning?

<Sue> Would we start Monday morning?

Monday, 12 September, 9:00-16:00 PT. Note: We will do our best to ensure that critical agenda items are discussed in the morning session.

<Sue> Thank you

<JeanLuc> Is DID Working Group part of TPAC?

https://www.w3.org/calendar/tpac2022/group-meetings/

<JeanLuc> thanks

Next meeting of WPWG

https://lists.w3.org/Archives/Public/public-payments-wg/2022Jun/0001.html

18 August

ADJOURNED

Minutes manually created (not a transcript), formatted by scribe.perl version 192 (Tue Jun 28 16:55:30 2022 UTC).