-
Notifications
You must be signed in to change notification settings - Fork 0
Authenticator Selection Hints Processing
- Introduction
- System Architecture
- Core Components
- User Interface Integration
- Data Flow and Processing
- Enforcement Logic
- Two-Way Synchronization
- Examples and Usage Patterns
- Error Handling and Validation
- Integration with WebAuthn
The authenticator selection hints system is a sophisticated mechanism that enables users to express preferences for authenticator types through intuitive checkbox interfaces. This system bridges the gap between user-friendly hint selections and the technical WebAuthn specification's authenticatorAttachment requirements, ensuring optimal user experiences while maintaining compatibility across different authenticator types.
The system operates on three primary hint categories: client-device, hybrid, and security-key, each mapping to specific authenticator attachment types that guide browser behavior during credential creation and authentication processes.
The authenticator selection hints system follows a modular architecture with clear separation of concerns:
graph TB
subgraph "User Interface Layer"
UI[HTML Checkboxes]
Events[Event Handlers]
end
subgraph "JavaScript Processing Layer"
Collect[collectSelectedHints]
Apply[applyHintsToCheckboxes]
Derive[deriveAllowedAttachmentsFromHints]
Enforce[ensureAuthenticationHintsAllowed]
end
subgraph "WebAuthn Integration"
Attachments[authenticatorAttachment Values]
Options[WebAuthn Options]
Credentials[Credential Filtering]
end
subgraph "Backend Processing"
Python[Python Backend]
Validation[Validation Logic]
end
UI --> Events
Events --> Collect
Events --> Apply
Collect --> Derive
Apply --> Attachments
Derive --> Attachments
Attachments --> Options
Options --> Credentials
Options --> Python
Python --> Validation
Enforce --> Options
Diagram sources
- hints.js
- constants.js
- auth-advanced.js
The system relies on a central mapping configuration that defines how user-selected hints translate to authenticator attachment values:
graph LR
subgraph "User Hints"
CD[client-device]
H[hybrid]
SK[security-key]
end
subgraph "Attachment Mappings"
CD --> Platform[platform]
H --> Cross[cross-platform]
SK --> Cross
end
subgraph "WebAuthn Values"
Platform --> PlatformVal["'platform'"]
Cross --> CrossVal["'cross-platform'"]
end
Diagram sources
- constants.js
The collectSelectedHints function gathers user selections based on the current scope (registration vs authentication):
| Scope | Checkbox IDs | Hint Values |
|---|---|---|
| Registration |
hint-client-device, hint-hybrid, hint-security-key
|
client-device, hybrid, security-key
|
| Authentication |
hint-client-device-auth, hint-hybrid-auth, hint-security-key-auth
|
client-device, hybrid, security-key
|
Section sources
- hints.js
The deriveAllowedAttachmentsFromHints function transforms hint values into authenticator attachment specifications:
flowchart TD
Input[Hint Array] --> Normalize[Normalize Values]
Normalize --> Filter[Filter Non-Empty]
Filter --> Map[Mapped Values Lookup]
Map --> Dedupe[Deduplicate Attachments]
Dedupe --> Output[Attachment Array]
Map --> SecurityKey{security-key?}
Map --> Hybrid{hybrid?}
Map --> ClientDevice{client-device?}
SecurityKey --> CrossPlatform[cross-platform]
Hybrid --> CrossPlatform
ClientDevice --> Platform[platform]
Diagram sources
- hints.js
Section sources
- hints.js
The system integrates seamlessly with the main application through event listeners that trigger updates when hint selections change:
sequenceDiagram
participant User as User
participant UI as Checkbox UI
participant JS as JavaScript Handler
participant State as Application State
participant JSON as JSON Editor
User->>UI : Click Hint Checkbox
UI->>JS : Trigger Change Event
JS->>JS : collectSelectedHints()
JS->>State : Update Internal State
JS->>JSON : Refresh JSON Representation
JS->>UI : Apply Updated Hints
Diagram sources
- main.js
- json-editor.js
The system utilizes dedicated checkbox elements in both registration and authentication contexts:
| Element ID | Purpose | Scope |
|---|---|---|
hint-client-device |
Platform authenticators | Registration |
hint-hybrid |
Cross-platform hybrid devices | Registration |
hint-security-key |
Security keys | Registration |
hint-client-device-auth |
Platform authenticators | Authentication |
hint-hybrid-auth |
Cross-platform hybrid devices | Authentication |
hint-security-key-auth |
Security keys | Authentication |
Section sources
- tab.html
- tab.html
During credential registration, the system processes hints through multiple stages:
flowchart TD
Start[User Selects Hints] --> Collect[collectSelectedHints]
Collect --> Validate[Validate Selections]
Validate --> Derive[deriveAllowedAttachmentsFromHints]
Derive --> Apply[applyAuthenticatorAttachmentPreference]
Apply --> Filter[Filter Stored Credentials]
Filter --> Create[Create Registration Options]
Create --> Submit[Submit to Server]
Diagram sources
- auth-advanced.js
- hints.js
Authentication processing follows a similar pattern with additional enforcement logic:
flowchart TD
AuthStart[Authentication Request] --> AuthCollect[collectSelectedHints]
AuthCollect --> AuthValidate[ensureAuthenticationHintsAllowed]
AuthValidate --> AuthFilter[Filter Allow Credentials]
AuthFilter --> AuthOptions[Prepare Auth Options]
AuthOptions --> AuthSubmit[Submit Authentication]
Diagram sources
- auth-advanced.js
- hints.js
Section sources
- auth-advanced.js
The ensureAuthenticationHintsAllowed function serves as the primary enforcement mechanism, ensuring that hint selections are compatible with available credentials:
flowchart TD
Input[Public Key Options] --> Check{Valid Public Key?}
Check --> |No| ThrowError[Throw Error if Required]
Check --> |Yes| ExtractHints[Extract Hints Array]
ExtractHints --> Normalize[Normalize Hint Values]
Normalize --> CheckSelection{Require Selection?}
CheckSelection --> |Yes & No Hints| ThrowSelection[Throw Selection Error]
CheckSelection --> |No or Has Hints| DeriveAttachments[Derive Attachments from Hints]
DeriveAttachments --> CheckAllowCredentials{Has Allow Credentials?}
CheckAllowCredentials --> |Yes| FilterCredentials[Filter Incompatible Credentials]
CheckAllowCredentials --> |No| CheckFallback{Has Stored Credentials?}
CheckFallback --> |Yes| CreateFallback[Create Fallback Credentials]
CheckFallback --> |No| ReturnAttachments[Return Resolved Attachments]
FilterCredentials --> ReturnAttachments
CreateFallback --> ReturnAttachments
ThrowError --> End[End]
ThrowSelection --> End
ReturnAttachments --> End
Diagram sources
- hints.js
The system implements sophisticated credential filtering to ensure compatibility:
| Scenario | Action | Result |
|---|---|---|
| Compatible hints + allowCredentials | Keep existing credentials | No modification |
| Compatible hints + empty allowCredentials | Filter stored credentials | Update allowCredentials |
| Incompatible hints + allowCredentials | Remove incompatible credentials | Filter allowCredentials |
| No hints + stored credentials | Create fallback credential | Add single credential |
| No hints + no stored credentials | Remove allowCredentials | Clear allowCredentials |
Section sources
- hints.js
The applyHintsToCheckboxes function synchronizes WebAuthn options with UI state:
sequenceDiagram
participant Options as WebAuthn Options
participant Apply as applyHintsToCheckboxes
participant UI as UI Checkboxes
participant Callback as Registration Callbacks
Options->>Apply : Pass hints array
Apply->>Apply : Normalize hint values
Apply->>UI : Set checkbox states
Apply->>Callback : Trigger registration callbacks
Callback->>UI : Update dependent UI elements
Diagram sources
- hints.js
The synchronization works bidirectionally, ensuring UI reflects current WebAuthn state:
sequenceDiagram
participant Server as Server Response
participant Parse as Option Parser
participant Apply as applyHintsToCheckboxes
participant UI as UI Checkboxes
Server->>Parse : Return WebAuthn options
Parse->>Apply : Extract hints array
Apply->>UI : Update checkbox states
UI->>UI : Reflect current configuration
Section sources
- hints.js
// Collect hints during registration
const registrationHints = collectSelectedHints('registration');
console.log('Selected hints:', registrationHints);
// Output: ["client-device", "security-key"]
// Collect hints during authentication
const authenticationHints = collectSelectedHints('authentication');
console.log('Selected hints:', authenticationHints);
// Output: ["hybrid"]// Resolve hints to attachment types
const hints = ['client-device', 'security-key'];
const attachments = deriveAllowedAttachmentsFromHints(hints);
console.log('Resolved attachments:', attachments);
// Output: ["platform", "cross-platform"]// Apply hints to WebAuthn options
const publicKey = {
rp: { name: "Example Corp" },
user: { id: "user123", name: "John Doe" },
challenge: challengeBytes,
hints: ['client-device', 'security-key']
};
applyAuthenticatorAttachmentPreference(publicKey, ['platform', 'cross-platform']);
console.log('Updated options:', publicKey);
// Output: authenticatorSelection: { authenticatorAttachment: "platform" }Section sources
- hints.js
The system implements comprehensive validation for hint values:
| Validation Type | Check | Error Condition |
|---|---|---|
| Type Validation | typeof value === 'string' |
Non-string values ignored |
| Empty Validation | value.trim() |
Empty strings filtered out |
| Normalization | trim().toLowerCase() |
Case-insensitive comparison |
| Known Values | KNOWN_HINT_VALUES.has(normalized) |
Unknown hint values rejected |
The system provides robust error handling for various failure scenarios:
flowchart TD
Operation[Hint Processing Operation] --> TryCatch[Try-Catch Block]
TryCatch --> Success{Success?}
Success --> |Yes| Continue[Continue Processing]
Success --> |No| LogError[Log Error Details]
LogError --> UserFeedback[Provide User Feedback]
UserFeedback --> GracefulDegradation[Graceful Degradation]
Diagram sources
- hints.js
Section sources
- hints.js
Hints directly influence credential creation by setting appropriate authenticator attachment preferences:
| Hint Combination | Attachment Preference | Use Case |
|---|---|---|
client-device only |
platform |
Native OS authenticators |
security-key only |
cross-platform |
USB/FIDO2 security keys |
hybrid only |
cross-platform |
Bluetooth/NFC devices |
| Mixed hints | cross-platform |
Flexible authenticator selection |
| No hints | Auto-detect | Browser default behavior |
During authentication, hints help optimize the request by:
- Filtering Allow Credentials: Removing incompatible credentials early
- Setting Authenticator Preferences: Guiding browser behavior
- Providing Fallback Options: Ensuring authentication success
- Validating Compatibility: Preventing authentication failures
Section sources
- auth-advanced.js
- json-editor.js
The authenticator selection hints system represents a sophisticated balance between user experience and technical WebAuthn compliance, enabling seamless integration of user preferences with modern authentication protocols while maintaining robust error handling and validation mechanisms.