Clarification added to WEBAUTHN_CLIENT_DATA

[cyberphone]

No description provided.

[bobknowscode]

Is this the CollectedClientData referenced by https://w3c.github.io/webauthn/#dictdef-collectedclientdata ? Is this just the [challenge] itself?

If type/orgin/cross origin are included; then will a client ever need to verify the information there? Or should all that just get passed to the authenticator?

Thank you

[cyberphone]

If I understood it correctly, collectedClientData holds data collected by the browser, where origin and crossOrigin are derived from the browser's environment, while the others come from the WebAuthn API (user defined). The point I'm trying to do is that this JSON data is created by the trusted browser WebAuthn driver and is therefore not parsed or interpreted by the "by design" fairly limited authenticators. The purpose is being able to return a bunch of vital objects signed by the authenticator to the RP. For non WebAuthn use cases, the value of this JSON object is limited and as I wrote, actually could be any binary data. There are such applications:
https://fido-web-pay.github.io/specification/crypto.html#4.2

[cyberphone]

The correctness of the clarification has been extensively tested: https://github.com/cyberphone/ctap2-sign

I have unfortunately not been able to get it to work with Android although it is quite similar: https://developers.google.com/android/reference/com/google/android/gms/fido/fido2/api/common/PublicKeyCredentialRequestOptions.Builder#setChallenge(byte[])