Skip to content

WebAuthn serialization (Web IDL/JSON) #134

Open
Open
WebAuthn serialization (Web IDL/JSON)#134
Labels
enhancementNew feature or request
@AlfioEmanueleFresta

Description

@AlfioEmanueleFresta
AlfioEmanueleFresta
opened on Jul 21, 2025

Use cases

  • Authenticators - Using libwebauthn to communicate with an authenticator
  • Request validation - Using libwebauthn to validate WebAuthn requests (origin checking) only, then passing the validated JSON request to a WebAuthn IDL-compatible password manager
  • Client processing - Using libwebauthn to perform WebAuthn client responsibilities (eg. client extension processing) before routing the request to another CTAP2-compatible virtual device (eg. password manager)

Changes

  • 1. Deserialization: Allow WebAuthn operations to be created form WebAuthn JSON, eg. MakeCredentialRequest::parseJson.
    • This should be optional, and it should still be possible to create requests manually.
    • The origin of the request should be exposed, allowing the client to perform origin checking.
    • The parser should separate known extensions from unknown extensions:
      • Known extensions should continue to be mapped to CTAP2 extension input structures;
      • Unknown extensions should be returned as a JSON dictionary, containing the original payload for optional (external) further processing.
  • 2. Serialization: Serialize responses back to WebAuthn JSON

TODOs

  • Challenge min length validation
  • Allow arbitrary size PRF inputs
  • Update examples to use JSON requests

Context

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Projects

    Passkeys for the Linux desktop

    Status

    Ready

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions