Description
As a user, when removing a credential from my account, I would like the app to notify my authenticator about the deletion so that the passkey can be removed from it.
Context:
A user removes a credential from a site, e.g. through the site settings. Before the signal methods, if the user did not go through their credential provider settings to manually remove the same credential, the credential provider would still offer it on sign-in. This would be confusing (after all, the user removed the corresponding entry on the site!) and attempting to use that credential would result in the site returning an error.
With the new signal methods, after a credential is removed, the site can call
```js
await PublicKeyCredential.signalAllAcceptedCredentials({
  rpId: "example.com",
  userId: "M2YPl-KGnA8", // same as user.id at creation time
  allAcceptedCredentialIds: [
    // IDs of all accepted credentials, minus the credential that was removed
    "vI0qOggiE3OT01ZRWBYz5l4MEgU0c7PmAA",
    "Bq43BPs"
  ]
});
```

This will result in the browser notifying the credential manager, which can then remove or hide the credential from future sign-in attempts.
If the user revokes or deletes a credential, e.g. in an account settings UI on the relying party's website, the relying party can opportunistically report this at that time with signalUnknownCredential. However this will only have effect if the user agent is able to route the report to the same credential provider that created this credential. It may be better to send a signalAllAcceptedCredential report instead, with a complete list of valid credential IDs. [source]
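One way a settings page could build and send that report after a deletion, as an added example that is not part of the original issue. The function names and the shape of `storedCredentials` are assumptions; the list is derived from the server's record of the account, an empty list is allowed, and the signal is treated as best effort.

```javascript
// Added example: all function names and the storedCredentials shape are hypothetical.

// Encode raw bytes as unpadded base64url, the string form the signal methods take.
function toBase64Url(bytes) {
  const bin = String.fromCharCode(...bytes);
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Build the report from the server's record of the account.
// storedCredentials: [{ id: Uint8Array }] as returned by the RP backend (assumed).
// removedId is filtered out defensively in case the list was fetched before deletion.
function buildAcceptedCredentialsReport(rpId, userHandle, storedCredentials, removedId) {
  const removed = toBase64Url(removedId);
  const ids = storedCredentials
    .map((c) => toBase64Url(c.id))
    .filter((id) => id !== removed);
  return {
    rpId,
    userId: toBase64Url(userHandle), // same bytes as user.id at creation time
    // May be empty: the user has no accepted passkeys left for this account.
    allAcceptedCredentialIds: [...new Set(ids)],
  };
}

// Send the report without letting an unsupported or failed signal break the
// deletion flow. Call this only for the currently authenticated user, since the
// report describes that user's full credential list.
async function signalAfterRemoval(report, pkc = globalThis.PublicKeyCredential) {
  if (typeof pkc?.signalAllAcceptedCredentials !== "function") return "unsupported";
  try {
    await pkc.signalAllAcceptedCredentials(report);
    return "sent";
  } catch (err) {
    return "failed"; // log server-side if useful; the credential is already deleted
  }
}

// Constructed sample data: three stored credentials, the middle one being removed.
const sampleStored = [
  { id: new Uint8Array([1, 2, 3]) },
  { id: new Uint8Array([251, 255]) },
  { id: new Uint8Array([4, 5, 6]) },
];
const sampleReport = buildAcceptedCredentialsReport(
  "example.com", new Uint8Array([255]), sampleStored, new Uint8Array([251, 255]));
signalAfterRemoval(sampleReport); // resolves to "unsupported" outside a supporting browser
```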
References: