-
-
Notifications
You must be signed in to change notification settings - Fork 158
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Base64 vs Base64url #34
Comments
I just checked on this. Based on https://www.w3.org/TR/webauthn/#dependencies, I think we are good assuming base64url. Nowhere could I find 'base64' being referenced without 'url' at the end. |
True, but there are several values that are not specified to be bsae64url but just "ArrayBuffer" etc. For example RawId vs Id. |
I am pretty sure that the FIDO Conformance Tools test this (they sneaky send a base64 encoded something .. with trailing '=') and expect it to fail .. just so u know ;) |
@xepa What do you mean when you say "test this"? Maybe before closing we could add a exception in the base64url serialization error that describes that we expect base64url, not base64? We should also make that clear in the docs. |
I am running some FIDO Conformance Tools .. for instance on the challenge they would send base64 encoded data (instead of base64url encoded) and expect the test to fail. So it is a good choice to make sure that it actually is base64url encoding, as far as I am aware there are no base64 encodings being used only base64url encodings. |
I see @xepa , thank you |
We currently take the easy way and just require every ArrayBuffer/byte[] sent from the browser to be Base64url encoded. this might be incorrect per the WebAuthn spec. We need to check.
The text was updated successfully, but these errors were encountered: