Base64 vs Base64url

[abergs]

We currently take the easy way and just require every ArrayBuffer/byte[] sent from the browser to be Base64url encoded. this might be incorrect per the WebAuthn spec. We need to check.

[aseigler]

I just checked on this. Based on https://www.w3.org/TR/webauthn/#dependencies, I think we are good assuming base64url. Nowhere could I find 'base64' being referenced without 'url' at the end.

[aseigler]

See also: https://www.fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-server-v2.0-rd-20180702.html

https://www.fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-metadata-statement-v2.0-rd-20180702.html

https://www.fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-metadata-service-v2.0-rd-20180702.html

[abergs]

True, but there are several values that are not specified to be bsae64url but just "ArrayBuffer" etc. For example RawId vs Id.

[xepa]

I am pretty sure that the FIDO Conformance Tools test this (they sneaky send a base64 encoded something .. with trailing '=') and expect it to fail .. just so u know ;)

[abergs]

@xepa What do you mean when you say "test this"?
If I understand what you are all saying we should be good on this issue and should close it until someone runs into an error?

Maybe before closing we could add a exception in the base64url serialization error that describes that we expect base64url, not base64? We should also make that clear in the docs.

[xepa]

I am running some FIDO Conformance Tools .. for instance on the challenge they would send base64 encoded data (instead of base64url encoded) and expect the test to fail. So it is a good choice to make sure that it actually is base64url encoding, as far as I am aware there are no base64 encodings being used only base64url encodings.

[abergs]

I see @xepa , thank you