feat: add auto complete ui for AM-33773 #571
Conversation
|
george-bafaloukas-forgerock
requested review from
ancheetah,
cerebrl,
george-bafaloukas-forgerock and
ryanbas21
There was a problem hiding this comment.
We need to ensure that because this is a newer browser feature we are backwards compatible with browsers that may not support this feature.
So graceful degradation of conditional ui should occur where the browser doesn't break the user and we can at least continue the flow as needed.
Any details regarding this would be helpful because i'm fairly new to this feature
This is specific to authentication right? Is this testable with virtual authenticators? If we can pre-populate a user with a passkey in AM, i think we should be able to create an e2e for this?
If not, can we add an e2e test that at least can be run manually (doesn't need actual assertions, but it would be helpful for us to document how to do this work in code)
Also, please add a changeset to this PR, it should be a new feature, with a description of the feature being added so we can release correctly.
| credentialRequestOptions.mediation = 'conditional' as CredentialMediationRequirement; | ||
| } else { | ||
| // eslint-disable-next-line no-console | ||
| console.warn('Conditional UI was requested, but is not supported by this browser.'); |
There was a problem hiding this comment.
we need to use logger for this, in case a user does not want console log's to happen. the logger module will call console logs if enabled.
There was a problem hiding this comment.
Done, shout if this is correct/incorrect please.
There was a problem hiding this comment.
Comment resolved.
Removed console.warn
There was a problem hiding this comment.
FRLogger itself handles the console log, so you can remove the duplicate console.warn statement.
| } | ||
|
|
||
| interface WebAuthnAuthenticationMetadata { | ||
| _action?: string; |
There was a problem hiding this comment.
Can we have a better type than a string for this? seems like we can have 'webauthn_authentication', I assume the alternative is 'webauthn_registration'?
There was a problem hiding this comment.
You mention that this change is done, but I still see string as the value for _action. Am I missing something?
There was a problem hiding this comment.
If you check the file changes rather than these comments, you should see the change. For reason beyond me, github has decided to move this comment to Outdated so it can only be observed here.
Hope that makes sense.
| userVerification: UserVerificationType; | ||
| conditionalWebAuthn?: boolean; | ||
| extensions?: Record<string, unknown>; | ||
| _type?: string; |
There was a problem hiding this comment.
What are the possible _type's that we can get? Ideally we'd like to be more strict than string where possible. In the test data I see WebAuthn but what other options are there?
What role does _type play in this data if any as it relates to the sdk?
There was a problem hiding this comment.
Change made to literal string WebAuthn
Note for Kian: This means that the passed _type must be exactly that. If for whatever reason we want to pass in anything, then change it back to string. If we want to change it to discrete values then change it to 'X|Y|Z'
There was a problem hiding this comment.
I see that _type is still string. Did you forget to push these changes?
|
|
||
| // Check if the browser supports conditional mediation | ||
| if (typeof PublicKeyCredential.isConditionalMediationAvailable === 'function') { | ||
| return await PublicKeyCredential.isConditionalMediationAvailable(); |
There was a problem hiding this comment.
This method looks like it can throw so we may need to handle the error in case it does.
[Exceptions](https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredential/isConditionalMediationAvailable_static#exceptions)
The returned [Promise](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Promise) may be rejected with the following values:
SecurityError [DOMException](https://developer.mozilla.org/en-US/docs/Web/API/DOMException)
The RP domain is not valid.
Otherwise we may leave the auth state in a failure and unrecoverable error.
| _action: 'webauthn_authentication', | ||
| challenge: 'JEisuqkVMhI490jM0/iEgrRz+j94OoGc7gdY4gYicSk=', | ||
| allowCredentials: '', | ||
| _allowCredentials: [], |
There was a problem hiding this comment.
So AM now sends both of these values? we need to take precedence on the array I assume because it can list the possible passkeys?
Is this AM being backwards compatible with the older allowCredentials?
There was a problem hiding this comment.
They are effectively identical as AM supports both for as you mentioned backwards compatibility. If you feel like this answers your question, give me a should and I can resolve this thread.
| * | ||
| * // For conditional UI to work in the browser, add autocomplete="webauthn" | ||
| * // to your username input field: | ||
| * // <input type="text" name="username" autocomplete="webauthn" /> |
There was a problem hiding this comment.
What happens if this isn't provided and the promise is hanging?
There was a problem hiding this comment.
I've got a fix in based on code I've seen elsewhere in the code base. Feel free to correct me if I've mssed up.
There was a problem hiding this comment.
Kian note:
There is a current question in my fix if after timeout we shout throw an exception or just return false. Either way we should make it so the admin can specify a timeout time (have a default just incase).
Throwing errors seems to be what we do in the SDK
There was a problem hiding this comment.
Yes, we throw in cases where the continuation is not possible, but in this case, we can consider this progressive enhancement, yeah? In other words, "conditional UI" isn't necessary for the basic function of WebAuthn, so we don't need to throw.
There was a problem hiding this comment.
@cerebrl it's possible that we haven't really "started" webauthn though. This flow can be activated before a username or password has entered, so the fallback to "webauthn" is unlikely because usually you need to progress to that point.
Right?
| */ | ||
| public static async getAuthenticationCredential( | ||
| options: PublicKeyCredentialRequestOptions, | ||
| useConditionalUI = false, |
There was a problem hiding this comment.
as per the hanging promise comment, we may need to use an abort signal here to allow developers to abort the promise if the passkey option isn't there?
I may be not following this correctly, so please correct me where I'm wrong, but if a developer is using autofill ui, but fails to add the html correctly, can't we end up in a hanging promise state?
There was a problem hiding this comment.
Also abort signal may be the right path, we would have to figure out how to do it.
| try{ | ||
| return withTimeout(PublicKeyCredential.isConditionalMediationAvailable(), ONE_SECOND) | ||
| } catch { | ||
| throw new Error('Error determining conditional mediation support'); |
There was a problem hiding this comment.
Should we throw here, or just return false? If this feature isn't supported, we can just fall back to "normal" behavior, yeah?
There was a problem hiding this comment.
Definitely feels like there is no "right" answer. I think we (Liskov) will discuss this as a team and then go forward with that, if that sounds good to oyu.
There was a problem hiding this comment.
Talking to @george-bafaloukas-forgerock it may be worth keeping the ticket open to test when all other matters have been resolved, then we can fully test and make sure nothing it broken.
| * | ||
| * // For conditional UI to work in the browser, add autocomplete="webauthn" | ||
| * // to your username input field: | ||
| * // <input type="text" name="username" autocomplete="webauthn" /> |
There was a problem hiding this comment.
Yes, we throw in cases where the continuation is not possible, but in this case, we can consider this progressive enhancement, yeah? In other words, "conditional UI" isn't necessary for the basic function of WebAuthn, so we don't need to throw.
| credentialRequestOptions.mediation = 'conditional' as CredentialMediationRequirement; | ||
| } else { | ||
| // eslint-disable-next-line no-console | ||
| console.warn('Conditional UI was requested, but is not supported by this browser.'); |
There was a problem hiding this comment.
FRLogger itself handles the console log, so you can remove the duplicate console.warn statement.
| } | ||
|
|
||
| interface WebAuthnAuthenticationMetadata { | ||
| _action?: string; |
There was a problem hiding this comment.
You mention that this change is done, but I still see string as the value for _action. Am I missing something?
| userVerification: UserVerificationType; | ||
| conditionalWebAuthn?: boolean; | ||
| extensions?: Record<string, unknown>; | ||
| _type?: string; |
There was a problem hiding this comment.
I see that _type is still string. Did you forget to push these changes?
|
Also please add a changeset. @cameronwhitworthforgerock |
|
|
||
| // Add conditional mediation if requested and supported | ||
| if (useConditionalUI) { | ||
| const isConditionalSupported = await this.isConditionalUISupported(); |
There was a problem hiding this comment.
This won't hang as the timeout was added above.
| } | ||
| } | ||
|
|
||
| const credential = await navigator.credentials.get(credentialRequestOptions); |
There was a problem hiding this comment.
This is for under discussion about hanging
There was a problem hiding this comment.
Talking to @george-bafaloukas-forgerock this should already be handled by the browser as it is a variable in credentialRequestOptions
There was a problem hiding this comment.
I've double checked and timeout is passed in.
4 participants
JIRA Ticket
Ticket
Description
Change enables support for autofill conditional UI in Javascript SDK.
Relates to https://pingidentity.atlassian.net/browse/OPENAM-23288