
Generate webauthn authentication options without an email address

Open JesseFarebro opened this issue 1 year ago • 0 comments

EdgeDB Version: 5.0-beta2

I may be misunderstanding how WebAuthentication works, but I believe you should be able to request authentication options without having to provide the user's ID. This would result in request options that omit allowCredentials, which from my understanding isn't required.

Forcing the user to provide an email prevents workflows like WebAuthn conditional UI and, from what I can tell, should only be used for things like 2FA or re-authenticating a specific user. I found this page helpful in explaining this: https://web.dev/articles/webauthn-discoverable-credentials#allow-credentials

Ideally, we should be able to omit the username when requesting /webauthn/authenticate/options which would, in turn, omit allowCredentials. I think it's still valuable to have an email-conditional flow to perform functions like re-authentication.

JesseFarebro, Apr 14 '24 18:04
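
The two flows the issue describes, as an added example that is not part of the original issue and not EdgeDB's code: options generated with an email carry `allowCredentials`, options generated without one omit it, and the account is then resolved from the credential ID and user handle returned in the assertion. The function names, the in-memory stores and the sample credentials are hypothetical, and signature verification is assumed to happen elsewhere.

```python
import base64
import secrets

# Constructed sample data standing in for the credential store.
CREDENTIALS_BY_EMAIL = {"user@example.com": [b"cred-id-1", b"cred-id-2"]}
OWNER_BY_CREDENTIAL = {  # credential ID -> (user handle, email)
    b"cred-id-1": (b"uh-1", "user@example.com"),
    b"cred-id-2": (b"uh-1", "user@example.com"),
    b"cred-id-3": (b"uh-2", "other@example.com"),
}

def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding WebAuthn JSON uses for binary fields."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def authentication_options(rp_id, email=None):
    """Return (options, challenge). The caller stores the challenge against the
    browser session, not against a user, because no user is known yet."""
    challenge = secrets.token_bytes(32)
    options = {
        "challenge": b64url(challenge),
        "rpId": rp_id,
        "userVerification": "preferred",
        "timeout": 60000,
    }
    if email is not None:
        # Re-authentication / 2FA flow: restrict to this user's credentials.
        # An unknown email yields an empty list; resolve_user() still enforces it.
        options["allowCredentials"] = [
            {"type": "public-key", "id": b64url(cred_id)}
            for cred_id in CREDENTIALS_BY_EMAIL.get(email, [])
        ]
    # No email: allowCredentials is omitted, so the authenticator offers any
    # discoverable credential for rp_id (what conditional UI relies on).
    return options, challenge

def resolve_user(credential_id, user_handle, expected_email=None):
    """Identify the account from the assertion instead of from user input.
    Returns the email, or None if the assertion must be rejected."""
    owner = OWNER_BY_CREDENTIAL.get(credential_id)
    if owner is None:
        return None
    handle, email = owner
    # userHandle is returned for discoverable credentials; it must match the owner.
    if user_handle is not None and not secrets.compare_digest(handle, user_handle):
        return None
    # Email flow: the credential must belong to the user who was asked for.
    if expected_email is not None and email != expected_email:
        return None
    return email
```
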