credential ID returned by authenticatorGetAssertion() is optional if allowList has exactly one member

[equalsJeffH]

The authenticatorGetAssertion operation says:

On successful completion, the authenticator returns to the user agent:
* The identifier of the credential used to generate the signature.
* The authenticator data used to generate the signature.
* The assertion signature.

However, the CTAP spec says in 4.2 authenticatorGetAssertion:

On success, the authenticator must return the following structure in its response:

Member name  Data type   Required?  Definition
credential   Credential  Optional   Credential whose private key was used to 
                                     generate the assertion. May be
                                     omitted if the whitelist has exactly 
                                     one Credential.
[...]

..which would seem to be an optimization for CTAP where it does not have to return as many bytes (in what may be a common case).

Update WebAuthn to reflect this?

[equalsJeffH]

Hm, if the authnr's returning of Credential ID is optional in the case where the webauthn client invokes authenticatorGetAssertion() with exactly one credential descriptor in allowCredentials[], then in this case the client needs to maintain state -- the Cred ID -- until the call to authenticatorGetAssertion() returns and then set {{PublicKeyCredential/[[identifier]]}} to the saved value, yes? And that saved value needs to be in some global-to-the-window object (or roughly equivalent) I'm guessing?

Is this a case of "snapshotting" ?

I took a stab at doing this in 31a8f85

/cc @bzbarsky @jyasskin @jcjones

[bzbarsky]

Please re-cc me if there's a specific question for me.

[equalsJeffH]

@bzbarsky yes, the above questions are for you if you have time to consider them (the other guys are out-of-pocket for a while). thanks.

[bzbarsky]

I guess I just don't understand the questions then. They seem to be about details of authn that I'm not familiar with, not about the general platform integration aspects....

[equalsJeffH]

The questions are about how to save state (a particular value) from before the invocation of an async operation, until the async operation returns, and then combine the saved value with the async op's returned values. abstracted out, it's like this:

if a given sequence |A| has exactly one value, then let |S| be a new ArrayBuffer, created using |global|'s %ArrayBuffer%, and containing the bytes of |A|[0].
[..invoke async op.....op returns..]
Create a new ArrayBuffer, using global|'s %ArrayBuffer%. If |S| exists, set the value of the new ArrayBuffer to be the bytes of |S|. Otherwise, set the value of the new ArrayBuffer to be the bytes of the fooBar returned from the op. [...]

Is the above more or less correctly specified, or not? thanks for your help.

[bzbarsky]

So basically you want to pass some sort of data through the async op? I'm not sure what the best current spec language for that is. @domenic ?

[domenic]

I'm having a hard time understanding the above, and I tried reading 31a8f85, but without context it's not very intelligible to me. At first glance those sentences seem OK-ish, although generally you want to be more explicit about going in-parallel and then posting a task to get back to the main thread. But it seems like you're taking care to not create or manipulate main-thread objects during your off-main-thread async work, so that's good at least.