You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
While the shift to automatically create random user ids and transport them as a b64Url makes sense, and I'm sure is easier for new systems, the impact to existing systems was not well described. Perhaps the changelog could be updated to describe how to make old v9 and new v10+ browser clients co-exist.
Background
My system already created user ids as random 32 byte Uint8Array values and then converted to b64Url strings. While updating SimpleWebAuthn, I will have a v10+ server and both v9 and v10+ browser clients in the wild that will have SimpleWebAuthn versions encoding/decoding user ids differently, requiring workarounds.
It is a given that v9 clients will have stored the user id by encoding with TextEncoder().encode(), and this will at some point be read by an upgraded v10+ client decoding with bufferToBase64(). Its also possible that v9 clients will read an user stored by a v10+ client given that we do progressive client updates. And browsers that started with v10+ clients will read their own stored values and never those of v9.
Workaround
For me, to update the server to v10+ and have both v9 and v10+ browser clients running in the wild, I chose to always transport base64Url encoded user ids on the wire (as I'd done with v9 browser and server) rather than add a client version check on the server. To maintain compatibility, my v10+ browser clients will do the following:
v9 clients will not be changed
To maintain consisted user id representation sent to navigator.create(), v10+ clients will do something like the following when calling startRegistration() so that the b64ToBuffer() call within startRegistration produces a Uint8Array of b64URL strings (as occured under v9)
To maintain consisted user id representation coming out of navigator.get(), V10+ browser clients will do something like the following after calling startAuthentication() to convert the result of the bufferToB64() within startAuthentication to an actual b64Url string of the original user id.
In the end, not difficult, but it took more spelunking and effort to upgrade than it should have. A better approach in SimpleWebAuthn v10 may have been to leave the browser library with UTF8 encode/decode. That would have preserved compatible with v9 and worked fine the v10+ server's automatic user ids sent as base64url, with a small cost of a few extra bytes to store the b64Url string as encoded UTF8.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
-
Topic
While the shift to automatically create random user ids and transport them as a b64Url makes sense, and I'm sure is easier for new systems, the impact to existing systems was not well described. Perhaps the changelog could be updated to describe how to make old v9 and new v10+ browser clients co-exist.
Background
My system already created user ids as random 32 byte Uint8Array values and then converted to b64Url strings. While updating SimpleWebAuthn, I will have a v10+ server and both v9 and v10+ browser clients in the wild that will have SimpleWebAuthn versions encoding/decoding user ids differently, requiring workarounds.
It is a given that v9 clients will have stored the user id by encoding with TextEncoder().encode(), and this will at some point be read by an upgraded v10+ client decoding with bufferToBase64(). Its also possible that v9 clients will read an user stored by a v10+ client given that we do progressive client updates. And browsers that started with v10+ clients will read their own stored values and never those of v9.
Workaround
For me, to update the server to v10+ and have both v9 and v10+ browser clients running in the wild, I chose to always transport base64Url encoded user ids on the wire (as I'd done with v9 browser and server) rather than add a client version check on the server. To maintain compatibility, my v10+ browser clients will do the following:
In the end, not difficult, but it took more spelunking and effort to upgrade than it should have. A better approach in SimpleWebAuthn v10 may have been to leave the browser library with UTF8 encode/decode. That would have preserved compatible with v9 and worked fine the v10+ server's automatic user ids sent as base64url, with a small cost of a few extra bytes to store the b64Url string as encoded UTF8.
Beta Was this translation helpful? Give feedback.
All reactions