-
Notifications
You must be signed in to change notification settings - Fork 172
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Return more nuanced errors #2096
Comments
I've created an Explainer here to help communicate more of the intent behind the proposed new error codes: https://github.com/w3c/webauthn/wiki/Explainer:-New-Error-Codes-(2024-Edition) |
Without judgement of the proposed errors, some spec formalia: currently, most WebAuthn errors are instances of
So if we're going to continue using Fortunately, As summarized in #2047 (thanks!), the errors we already use are
I don't think any of these are good matches for So maybe we need to use |
As a note, we added OptOutError very recently for a specific use-case we had in Secure Payment Confirmation that didn't seem to be covered by existing DOMException types. That is, the WHATWG is open to adding new DOMException names, so please don't feel constricted by that! |
Can we also add fine-grained errors in place of the
Finer grained error will help troubleshooting why a certain authenticator isn't working on RP side. |
Two things re: extensions:
|
I want to +1 this, given that we observe users often face unclear or overloaded errors, which limit their ability to troubleshoot and understand next steps. This is based on feedback we constantly receive about WebAuthn registrations. Errors like To support users better on our side, we reviewed common WebAuthn errors and mapped likely causes with recommended actions to help users navigate these issues effectively. Providing context-specific messages, as seen with other RPs, helps users receive actionable guidance to complete or troubleshoot registration. Having this supported in the spec would be ideal. |
These suggestions were pulled out of a comment I made in #2062 (comment). This new issue pulls out the five new errors I'm proposing we add to WebAuthn to help restart conversation with a smaller amount of context to have to catch up on.
Proposed Change
Earlier this week I met with some colleagues internally and brainstormed some new error messages that would be nice to have as an RP that wants more visibility into why users are having issues signing in, and to potentially offer inline remediation advice:
UserCancelledError
For
UserCancelledError
, it would be great to pull this out ofNotAllowedError
as a new default error that gets returned after the user specifically cancels out of the modal experience.NotAllowedError
is currently so overloaded it's difficult to understand whether the user experienced a legitimate issue with their browser + OS + authenticator, or simply decided to cancel out.HybridPrerequisitesError
The thinking here is that there are prerequisites that must be met for the browser and/or platform to facilitate successful hybrid registration and auth. If these prerequisites aren't met, and the browser notifies the user of it...
...why not let this propagate through to the RP after the user cancels out? In response to this the RP could e.g. show custom UI to guide the user through setting everything up to try again.
UserHybridCancelError
Currently, browsers typically show the hybrid QR code to users when
allowCredentials
contains no locally usable credentials. An RP that could catch this kind of error after the user cancels out could better understand that the user cancelled out of the auth because they didn't know how to proceed, and guide the user accordingly.Right now there's no way to understand this because an RP would receive a
NotAllowedError
in response to the user cancelling the modal experience.UserVerificationError
Passkeys are typically paired with a requirement to perform UV, both during registration and auth. If the user clicks through the modal experience to create a passkey or try to auth, but has no authenticator available that can perform UV or can't enter the correct PIN or scan the correct biometric, can WebAuthn not let the RP know that that's why the user failed the ceremony? The browser definitely tells the user that this is the case...
U2F token in a
userVerification:required
registration ceremonySecurity key PIN entry issue during auth ceremony
...so why not propagate this through to the RP?
I also pondered breaking this one up, into two separate errors:
UserVerificationSupportError
(e.g. U2F token when UV is required)UserVerificationCollectionError
(e.g. User can't enter correct PIN or scan correct biometric)...but maybe these are less useful/too complex for a single "
UserVerificationError
" 🤔TimeoutError
If the user clicks to start a WebAuthn ceremony but gets distracted and walks away to the point that the ceremony times out, couldn't that signal be sent to the RP? It's not quite a true "error" that happened, which it can currently appear to be due to the currently ambiguous
NotAllowedError
, but would be helpful nonetheless in understanding that nothing actually went wrong during the ceremony.Anyway as I mentioned earlier these were new errors that came out of a brainstorming session. I'd love to hear your thoughts, and welcome any suggestions from other RP's on other types of errors that we could try to incorporate into WebAuthn for sake of better understanding of the user's interaction with WebAuthn.
The text was updated successfully, but these errors were encountered: