diff options
Diffstat (limited to 'dom/webidl/WebAuthentication.webidl')
-rw-r--r-- | dom/webidl/WebAuthentication.webidl | 320 |
1 files changed, 320 insertions, 0 deletions
diff --git a/dom/webidl/WebAuthentication.webidl b/dom/webidl/WebAuthentication.webidl new file mode 100644 index 0000000000..ca20b387cd --- /dev/null +++ b/dom/webidl/WebAuthentication.webidl @@ -0,0 +1,320 @@ +/* -*- Mode: IDL; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this file, + * You can obtain one at http://mozilla.org/MPL/2.0/. + * + * The origin of this IDL file is + * https://w3c.github.io/webauthn/ + */ + +/***** Interfaces to Data *****/ + +[SecureContext, Pref="security.webauth.webauthn", + Exposed=Window] +interface PublicKeyCredential : Credential { + [SameObject, Throws] readonly attribute ArrayBuffer rawId; + [SameObject] readonly attribute AuthenticatorResponse response; + readonly attribute DOMString? authenticatorAttachment; + AuthenticationExtensionsClientOutputs getClientExtensionResults(); + [NewObject] static Promise<boolean> isConditionalMediationAvailable(); + [Throws, Pref="security.webauthn.enable_json_serialization_methods"] object toJSON(); +}; + +typedef DOMString Base64URLString; + +[GenerateConversionToJS] +dictionary RegistrationResponseJSON { + required Base64URLString id; + required Base64URLString rawId; + required AuthenticatorAttestationResponseJSON response; + DOMString authenticatorAttachment; + required AuthenticationExtensionsClientOutputsJSON clientExtensionResults; + required DOMString type; +}; + +[GenerateConversionToJS] +dictionary AuthenticatorAttestationResponseJSON { + required Base64URLString clientDataJSON; + required Base64URLString authenticatorData; + required sequence<DOMString> transports; + // The publicKey field will be missing if pubKeyCredParams was used to + // negotiate a public-key algorithm that the user agent doesn’t + // understand. (See section “Easily accessing credential data” for a + // list of which algorithms user agents must support.) If using such an + // algorithm then the public key must be parsed directly from + // attestationObject or authenticatorData. + Base64URLString publicKey; + required long long publicKeyAlgorithm; + // This value contains copies of some of the fields above. See + // section “Easily accessing credential data”. + required Base64URLString attestationObject; +}; + +[GenerateConversionToJS] +dictionary AuthenticationResponseJSON { + required Base64URLString id; + required Base64URLString rawId; + required AuthenticatorAssertionResponseJSON response; + DOMString authenticatorAttachment; + required AuthenticationExtensionsClientOutputsJSON clientExtensionResults; + required DOMString type; +}; + +[GenerateConversionToJS] +dictionary AuthenticatorAssertionResponseJSON { + required Base64URLString clientDataJSON; + required Base64URLString authenticatorData; + required Base64URLString signature; + Base64URLString userHandle; + Base64URLString attestationObject; +}; + +[GenerateConversionToJS] +dictionary AuthenticationExtensionsClientOutputsJSON { +}; + +[SecureContext] +partial interface PublicKeyCredential { + [NewObject] static Promise<boolean> isUserVerifyingPlatformAuthenticatorAvailable(); +}; + +[SecureContext] +partial interface PublicKeyCredential { + [Throws, Pref="security.webauthn.enable_json_serialization_methods"] static PublicKeyCredentialCreationOptions parseCreationOptionsFromJSON(PublicKeyCredentialCreationOptionsJSON options); +}; + +dictionary PublicKeyCredentialCreationOptionsJSON { + required PublicKeyCredentialRpEntity rp; + required PublicKeyCredentialUserEntityJSON user; + required Base64URLString challenge; + required sequence<PublicKeyCredentialParameters> pubKeyCredParams; + unsigned long timeout; + sequence<PublicKeyCredentialDescriptorJSON> excludeCredentials = []; + AuthenticatorSelectionCriteria authenticatorSelection; + sequence<DOMString> hints = []; + DOMString attestation = "none"; + sequence<DOMString> attestationFormats = []; + AuthenticationExtensionsClientInputsJSON extensions; +}; + +dictionary PublicKeyCredentialUserEntityJSON { + required Base64URLString id; + required DOMString name; + required DOMString displayName; +}; + +dictionary PublicKeyCredentialDescriptorJSON { + required Base64URLString id; + required DOMString type; + sequence<DOMString> transports; +}; + +dictionary AuthenticationExtensionsClientInputsJSON { +}; + +[SecureContext] +partial interface PublicKeyCredential { + [Throws, Pref="security.webauthn.enable_json_serialization_methods"] static PublicKeyCredentialRequestOptions parseRequestOptionsFromJSON(PublicKeyCredentialRequestOptionsJSON options); +}; + +dictionary PublicKeyCredentialRequestOptionsJSON { + required Base64URLString challenge; + unsigned long timeout; + DOMString rpId; + sequence<PublicKeyCredentialDescriptorJSON> allowCredentials = []; + DOMString userVerification = "preferred"; + sequence<DOMString> hints = []; + DOMString attestation = "none"; + sequence<DOMString> attestationFormats = []; + AuthenticationExtensionsClientInputsJSON extensions; +}; + +[SecureContext, Pref="security.webauth.webauthn", + Exposed=Window] +interface AuthenticatorResponse { + [SameObject, Throws] readonly attribute ArrayBuffer clientDataJSON; +}; + +[SecureContext, Pref="security.webauth.webauthn", + Exposed=Window] +interface AuthenticatorAttestationResponse : AuthenticatorResponse { + [SameObject, Throws] readonly attribute ArrayBuffer attestationObject; + sequence<DOMString> getTransports(); + [Throws] ArrayBuffer getAuthenticatorData(); + [Throws] ArrayBuffer? getPublicKey(); + [Throws] COSEAlgorithmIdentifier getPublicKeyAlgorithm(); +}; + +[SecureContext, Pref="security.webauth.webauthn", + Exposed=Window] +interface AuthenticatorAssertionResponse : AuthenticatorResponse { + [SameObject, Throws] readonly attribute ArrayBuffer authenticatorData; + [SameObject, Throws] readonly attribute ArrayBuffer signature; + [SameObject, Throws] readonly attribute ArrayBuffer? userHandle; +}; + +dictionary PublicKeyCredentialParameters { + required DOMString type; + required COSEAlgorithmIdentifier alg; +}; + +dictionary PublicKeyCredentialCreationOptions { + required PublicKeyCredentialRpEntity rp; + required PublicKeyCredentialUserEntity user; + + required BufferSource challenge; + required sequence<PublicKeyCredentialParameters> pubKeyCredParams; + + unsigned long timeout; + sequence<PublicKeyCredentialDescriptor> excludeCredentials = []; + // FIXME: bug 1493860: should this "= {}" be here? + AuthenticatorSelectionCriteria authenticatorSelection = {}; + DOMString attestation = "none"; + // FIXME: bug 1493860: should this "= {}" be here? + AuthenticationExtensionsClientInputs extensions = {}; +}; + +dictionary PublicKeyCredentialEntity { + required DOMString name; +}; + +dictionary PublicKeyCredentialRpEntity : PublicKeyCredentialEntity { + DOMString id; +}; + +dictionary PublicKeyCredentialUserEntity : PublicKeyCredentialEntity { + required BufferSource id; + required DOMString displayName; +}; + +dictionary AuthenticatorSelectionCriteria { + DOMString authenticatorAttachment; + DOMString residentKey; + boolean requireResidentKey = false; + DOMString userVerification = "preferred"; +}; + +dictionary PublicKeyCredentialRequestOptions { + required BufferSource challenge; + unsigned long timeout; + USVString rpId; + sequence<PublicKeyCredentialDescriptor> allowCredentials = []; + DOMString userVerification = "preferred"; + // FIXME: bug 1493860: should this "= {}" be here? + AuthenticationExtensionsClientInputs extensions = {}; +}; + +dictionary AuthenticationExtensionsClientInputs { +}; + +dictionary AuthenticationExtensionsClientOutputs { +}; + +typedef record<DOMString, DOMString> AuthenticationExtensionsAuthenticatorInputs; + +[GenerateToJSON] +dictionary CollectedClientData { + required DOMString type; + required DOMString challenge; + required DOMString origin; + TokenBinding tokenBinding; +}; + +dictionary TokenBinding { + required DOMString status; + DOMString id; +}; + +dictionary PublicKeyCredentialDescriptor { + required DOMString type; + required BufferSource id; + // Transports is a string that is matched against the AuthenticatorTransport + // enumeration so that we have forward-compatibility for new transports. + sequence<DOMString> transports; +}; + +typedef long COSEAlgorithmIdentifier; + +typedef sequence<AAGUID> AuthenticatorSelectionList; + +typedef BufferSource AAGUID; + +partial dictionary AuthenticationExtensionsClientInputs { + USVString appid; +}; + +partial dictionary AuthenticationExtensionsClientOutputs { + boolean appid; +}; + +// The spec does not define any partial dictionaries that modify +// AuthenticationExtensionsClientInputsJSON, but this seems to be an error. All changes to +// AuthenticationExtensionsClientInputs must be accompanied by changes to +// AuthenticationExtensionsClientInputsJSON for parseCreationOptionsFromJSON and +// parseRequestOptionsFromJSON to function correctly. +// (see: https://github.com/w3c/webauthn/issues/1968). +partial dictionary AuthenticationExtensionsClientInputsJSON { + USVString appid; +}; + +// We also deviate from the spec by mirroring changes to AuthenticationExtensionsClientOutputs in +// AuthenticationExtensionsClientOutputsJSON. +partial dictionary AuthenticationExtensionsClientOutputsJSON { + boolean appid; +}; + +partial dictionary AuthenticationExtensionsClientInputs { + boolean credProps; +}; + +partial dictionary AuthenticationExtensionsClientInputsJSON { + boolean credProps; +}; + +dictionary CredentialPropertiesOutput { + boolean rk; +}; + +partial dictionary AuthenticationExtensionsClientOutputs { + CredentialPropertiesOutput credProps; +}; + +partial dictionary AuthenticationExtensionsClientOutputsJSON { + CredentialPropertiesOutput credProps; +}; + +/* + * CTAP2 Extensions + * <https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-errata-20220621.html#sctn-defined-extensions> + */ + +// hmac-secret +// <https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-errata-20220621.html#sctn-hmac-secret-extension> +// note: we don't support hmac-secret in get(), so we only define the create() +// inputs and outputs here. + +partial dictionary AuthenticationExtensionsClientInputs { + boolean hmacCreateSecret; +}; + +partial dictionary AuthenticationExtensionsClientOutputs { + boolean hmacCreateSecret; +}; + +partial dictionary AuthenticationExtensionsClientInputsJSON { + boolean hmacCreateSecret; +}; + +partial dictionary AuthenticationExtensionsClientOutputsJSON { + boolean hmacCreateSecret; +}; + +// hmac-secret +// <https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-errata-20220621.html#sctn-minpinlength-extension> +partial dictionary AuthenticationExtensionsClientInputs { + boolean minPinLength; +}; + +partial dictionary AuthenticationExtensionsClientInputsJSON { + boolean minPinLength; +}; |