wip: Conditional UI + autofill specification.

nsatragno · nsatragno · commit 2e58c0fe5f32 · 2021-10-26T17:31:28.000-04:00
diff --git a/index.bs b/index.bs
@@ -164,6 +164,11 @@ spec: html; urlPrefix: https://html.spec.whatwg.org/multipage/
             text: opaque origin; url: concept-origin-opaque
             text: tuple origin; url: concept-origin-tuple
             text: document.domain; url:dom-document-domain
+        urlPrefix: input.html
+            text: input; url: the-input-element
+        urlPrefix: form-control-infrastructure
+            text: autocomplete; url: attr-fe-autocomplete
+            text: autofill hint set; url: autofill-hint-set
 
 spec: url; urlPrefix: https://url.spec.whatwg.org
     type: dfn
@@ -304,6 +309,7 @@ spec: BCP47; urlPrefix: https://tools.ietf.org/html/bcp47
 <pre class="link-defaults">
 spec:credential-management; type:dfn; text:credentials
 spec:html; type:dfn; for:environment settings object; text:global object
+spec:html; type:dfn; for:input; text:autocomplete
 spec:infra; type:dfn; for:/; text:set
 spec:infra; type:dfn; text:list
 spec:infra; type:dfn; for:struct; text:item
@@ -1954,6 +1960,106 @@ This
 {{CredentialsContainer/get()|navigator.credentials.get()}} operation can be aborted by leveraging the {{AbortController}};
 see [[dom#abortcontroller-api-integration]] for detailed instructions.
 
+#### <dfn for="PublicKeyCredential" algorithm="Issuing a request to an authenticator">Issuing a request to an authenticator</dfn> #### {#sctn-issuing-request-to-authenticator}
+
+This algorithm accepts two arguments:
+
+<dl dfn-type="argument" dfn-for="Issuing a request to an authenticator">
+    :   <dfn>authenticator</dfn>
+    ::  A [=client platform=]-specific handle identifying an [=authenticator=] presently available on this [=client platform=].
+
+    :   <dfn>options</dfn>
+    ::  This argument is a {{CredentialRequestOptions}} object whose
+        <code>|options|.{{CredentialRequestOptions/publicKey}}</code> member contains a {{PublicKeyCredentialRequestOptions}}
+        object specifying the desired attributes of the [=public key credential=] to discover.
+</dl>
+
+The steps for [=issuing a request to an |authenticator|=] are as follows:
+
+    1. If <code>|options|.{{PublicKeyCredentialRequestOptions/userVerification}}</code> is set to
+        {{UserVerificationRequirement/required}} and the |authenticator| is not capable of performing [=user verification=],
+        [=iteration/continue=].
+
+    1. Let |userVerification| be the <dfn>effective user verification requirement for assertion</dfn>, a Boolean value, as
+        follows. If <code>|options|.{{PublicKeyCredentialRequestOptions/userVerification}}</code>
+
+            <dl class="switch">
+
+                :   is set to {{UserVerificationRequirement/required}}
+                ::  Let |userVerification| be [TRUE].
+
+                :   is set to {{UserVerificationRequirement/preferred}}
+                ::  If the |authenticator|
+
+                    <dl class="switch">
+                        :   is capable of [=user verification=]
+                        ::  Let |userVerification| be [TRUE].
+
+                        :   is not capable of [=user verification=]
+                        ::  Let |userVerification| be [FALSE].
+                    </dl>
+
+                :   is set to {{UserVerificationRequirement/discouraged}}
+                ::  Let |userVerification| be [FALSE].
+
+            </dl>
+
+    1. <span id="allowCredentialDescriptorListCreation"></span>
+        If <code>|options|.{{PublicKeyCredentialRequestOptions/allowCredentials}}</code>
+        <dl class="switch">
+            :   [=list/is not empty=]
+            ::  1. Let |allowCredentialDescriptorList| be a new [=list=].
+
+                1. Execute a [=client platform=]-specific procedure to determine which, if any, [=public key credentials=] described by
+                    <code>|options|.{{PublicKeyCredentialRequestOptions/allowCredentials}}</code> are [=bound credential|bound=] to this
+                    |authenticator|, by matching with |rpId|,
+                    <code>|options|.{{PublicKeyCredentialRequestOptions/allowCredentials}}.{{PublicKeyCredentialDescriptor/id}}</code>,
+                    and
+                    <code>|options|.{{PublicKeyCredentialRequestOptions/allowCredentials}}.{{PublicKeyCredentialDescriptor/type}}</code>.
+                    Set |allowCredentialDescriptorList| to this filtered list.
+
+                1. If |allowCredentialDescriptorList| [=list/is empty=], [=continue=].
+
+                1. Let |distinctTransports| be a new [=ordered set=].
+
+                1. If |allowCredentialDescriptorList| has exactly one value, set
+                    <code>|savedCredentialIds|[|authenticator|]</code> to <code>|allowCredentialDescriptorList|[0].id</code>'s
+                    value (see [here](#authenticatorGetAssertion-return-values) in [[#sctn-op-get-assertion]] for more information).
+
+                1. [=list/For each=] credential descriptor |C| in |allowCredentialDescriptorList|,
+                    [=set/append=] each value, if any, of <code>|C|.{{transports}}</code> to |distinctTransports|.
+
+                    Note: This will aggregate only distinct values of {{transports}} (for this [=authenticator=]) in
+                        |distinctTransports| due to the properties of [=ordered sets=].
+
+                1. If |distinctTransports|
+                    <dl class="switch">
+                        :   [=list/is not empty=]
+                        ::  The client selects one |transport| value from |distinctTransports|, possibly incorporating local
+                            configuration knowledge of the appropriate transport to use with |authenticator| in making its
+                            selection.
+
+                            Then, using |transport|, invoke the [=authenticatorGetAssertion=] operation on
+                            |authenticator|, with |rpId|, |clientDataHash|, |allowCredentialDescriptorList|,
+                            |userVerification|, and |authenticatorExtensions| as parameters.
+
+                        :   [=list/is empty=]
+                        ::  Using local configuration knowledge of the appropriate transport to use with |authenticator|,
+                            invoke the [=authenticatorGetAssertion=] operation on |authenticator| with |rpId|,
+                            |clientDataHash|, |allowCredentialDescriptorList|, |userVerification|, and
+                            |authenticatorExtensions| as parameters.
+                    </dl>
+
+            :   [=list/is empty=]
+            ::  Using local configuration knowledge of the appropriate transport to use with |authenticator|, invoke the
+                [=authenticatorGetAssertion=] operation on |authenticator| with |rpId|, |clientDataHash|,
+                |userVerification| and |authenticatorExtensions| as parameters.
+
+                Note: In this case, the [=[RP]=] did not supply a list of acceptable credential descriptors. Thus, the
+                    authenticator is being asked to exercise any credential it may possess that is [=scoped=] to
+                    the [=[RP]=], as identified by |rpId|.
+        </dl>
+
 #### PublicKeyCredential's <code><dfn for="PublicKeyCredential" method>\[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)</dfn></code> Method #### {#sctn-discover-from-external-source}
 
 <div link-for-hint="PublicKeyCredential/[[DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors)">
@@ -2098,6 +2204,20 @@ When this method is invoked, the user agent MUST execute the following algorithm
     [=authenticators=] can be <a href="https://en.wikipedia.org/w/index.php?title=Hot_plug">hot-plugged</a> into (e.g., via USB)
     or discovered (e.g., via NFC or Bluetooth) by the [=client=] by various mechanisms, or permanently built into the [=client=].
 
+1. Let |silentlyDiscoveredCredentials| be an empty set.
+
+1. If |conditionalFlow| is [TRUE]:
+
+    1. [=set/For each=] |authenticator| in |authenticators|:
+
+        1. If |authenticator| is not a [=platform authenticator=], then [=continue=].
+
+        1. Invoke the [=silent credential discovery=] operation on |authenticator| with |rpId| as parameter.
+
+        1. For every |credential| returned:
+
+            1. Add |credential| to |silentlyDiscoveredCredentials|.
+
 1. Start |lifetimeTimer|.
 
 1. [=While=] |lifetimeTimer| has not expired, perform the following actions depending upon |lifetimeTimer|,
@@ -2113,6 +2233,23 @@ When this method is invoked, the user agent MUST execute the following algorithm
         ::  [=set/For each=] |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] operation on |authenticator|
             and [=set/remove=] |authenticator| from |issuedRequests|. Return a {{DOMException}} whose name is "{{NotAllowedError}}".
 
+        :   If |conditionalFlow| is [TRUE] and the user interacts with an [=input=] form control with a `"webauthn"`
+            [=autocomplete=] [=autofill hint set=],
+        ::  1. Prompt the user to optionally select a [=public key credential source=] from |silentlyDiscoveredCredentials|.
+
+            1. If the user selects a |credential|,
+
+                1. Let |optionsCopy| be a temporary copy of |options|.
+
+                1. Let |authenticator| be the authenticator containing |credential|.
+
+                1. Set <code>|optionsCopy|.{{PublicKeyCredentialRequestOptions/allowCredentials}}</code> to be a list with a
+                   single [=public key credential=] |credential|.
+
+                1. Execute the [=issuing a request to an authenticator=] algorithm with |authenticator| and |optionsCopy|.
+
+                1. [=set/Append=] |authenticator| to |issuedRequests|.
+
         :   If the {{CredentialRequestOptions/signal}} member is present and the [=AbortSignal/aborted flag=] is set to
             [TRUE],
         ::  [=set/For each=] |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] operation on |authenticator|
@@ -2127,89 +2264,11 @@ When this method is invoked, the user agent MUST execute the following algorithm
         :   If an |authenticator| becomes available on this [=client device=],
         ::  Note:  This includes the case where an |authenticator| was available upon |lifetimeTimer| initiation.
 
-            1. If <code>|options|.{{PublicKeyCredentialRequestOptions/userVerification}}</code> is set to
-                {{UserVerificationRequirement/required}} and the |authenticator| is not capable of performing [=user verification=],
-                [=iteration/continue=].
-
-            1. Let |userVerification| be the <dfn>effective user verification requirement for assertion</dfn>, a Boolean value, as
-                follows. If <code>|options|.{{PublicKeyCredentialRequestOptions/userVerification}}</code>
-
-                    <dl class="switch">
-
-                        :   is set to {{UserVerificationRequirement/required}}
-                        ::  Let |userVerification| be [TRUE].
-
-                        :   is set to {{UserVerificationRequirement/preferred}}
-                        ::  If the |authenticator|
-
-                            <dl class="switch">
-                                :   is capable of [=user verification=]
-                                ::  Let |userVerification| be [TRUE].
-
-                                :   is not capable of [=user verification=]
-                                ::  Let |userVerification| be [FALSE].
-                            </dl>
-
-                        :   is set to {{UserVerificationRequirement/discouraged}}
-                        ::  Let |userVerification| be [FALSE].
-
-                    </dl>
-
-            1. <span id="allowCredentialDescriptorListCreation"></span>
-                If <code>|options|.{{PublicKeyCredentialRequestOptions/allowCredentials}}</code>
-                <dl class="switch">
-                    :   [=list/is not empty=]
-                    ::  1. Let |allowCredentialDescriptorList| be a new [=list=].
-
-                        1. Execute a [=client platform=]-specific procedure to determine which, if any, [=public key credentials=] described by
-                            <code>|options|.{{PublicKeyCredentialRequestOptions/allowCredentials}}</code> are [=bound credential|bound=] to this
-                            |authenticator|, by matching with |rpId|,
-                            <code>|options|.{{PublicKeyCredentialRequestOptions/allowCredentials}}.{{PublicKeyCredentialDescriptor/id}}</code>,
-                            and
-                            <code>|options|.{{PublicKeyCredentialRequestOptions/allowCredentials}}.{{PublicKeyCredentialDescriptor/type}}</code>.
-                            Set |allowCredentialDescriptorList| to this filtered list.
-
-                        1. If |allowCredentialDescriptorList| [=list/is empty=], [=continue=].
-
-                        1. Let |distinctTransports| be a new [=ordered set=].
-
-                        1. If |allowCredentialDescriptorList| has exactly one value, set
-                            <code>|savedCredentialIds|[|authenticator|]</code> to <code>|allowCredentialDescriptorList|[0].id</code>'s
-                            value (see [here](#authenticatorGetAssertion-return-values) in [[#sctn-op-get-assertion]] for more information).
-
-                        1. [=list/For each=] credential descriptor |C| in |allowCredentialDescriptorList|,
-                            [=set/append=] each value, if any, of <code>|C|.{{transports}}</code> to |distinctTransports|.
-
-                            Note: This will aggregate only distinct values of {{transports}} (for this [=authenticator=]) in
-                                |distinctTransports| due to the properties of [=ordered sets=].
-
-                        1. If |distinctTransports|
-                            <dl class="switch">
-                                :   [=list/is not empty=]
-                                ::  The client selects one |transport| value from |distinctTransports|, possibly incorporating local
-                                    configuration knowledge of the appropriate transport to use with |authenticator| in making its
-                                    selection.
-
-                                    Then, using |transport|, invoke the [=authenticatorGetAssertion=] operation on
-                                    |authenticator|, with |rpId|, |clientDataHash|, |allowCredentialDescriptorList|,
-                                    |userVerification|, and |authenticatorExtensions| as parameters.
-
-                                :   [=list/is empty=]
-                                ::  Using local configuration knowledge of the appropriate transport to use with |authenticator|,
-                                    invoke the [=authenticatorGetAssertion=] operation on |authenticator| with |rpId|,
-                                    |clientDataHash|, |allowCredentialDescriptorList|, |userVerification|, and
-                                    |authenticatorExtensions| as parameters.
-                            </dl>
+            1. If the |authenticator| is a [=platform authenticator=] and |conditionalFlow| is [TRUE], then [=continue=].
 
-                    :   [=list/is empty=]
-                    ::  Using local configuration knowledge of the appropriate transport to use with |authenticator|, invoke the
-                        [=authenticatorGetAssertion=] operation on |authenticator| with |rpId|, |clientDataHash|,
-                        |userVerification| and |authenticatorExtensions| as parameters.
+            Note: A request will be issued to this authenticator upon user selection of a {{PublicKeyCredentialSource}}.
 
-                        Note: In this case, the [=[RP]=] did not supply a list of acceptable credential descriptors. Thus, the
-                            authenticator is being asked to exercise any credential it may possess that is [=scoped=] to
-                            the [=[RP]=], as identified by |rpId|.
-                </dl>
+            1. Execute the [=issuing a request to an authenticator=] algorithm with |authenticator| and |options|.
 
             1. [=set/Append=] |authenticator| to |issuedRequests|.
 
