Skip to content

Alternative error codes #2095

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
MasterKale wants to merge 24 commits into
base: main
Choose a base branch
from
Open

Alternative error codes #2095

Changes from all commits
Commits
Show all changes
24 commits
Select commit Hold shift + click to select a range
7d5d141
Add UserCancelledError
MasterKale Jul 11, 2024
d055e4c
Add HybridPrerequisitesError
MasterKale Jul 11, 2024
aee5232
Add TimeoutError
MasterKale Jul 11, 2024
7c45c45
Add UserHybridCancelledError
MasterKale Jul 12, 2024
35d7b3a
Replace "cancelled" with "cancellation"
MasterKale Jul 12, 2024
4dcbd9b
Add UserVerificationError
MasterKale Jul 12, 2024
0906982
Remove user cancellation from NotAllowedError
MasterKale Jul 12, 2024
6bd9757
Move where TimeoutError is raised
MasterKale Jul 16, 2024
c4140c7
Define new error interfaces
MasterKale Jul 18, 2024
4986178
Update error references to use new interfaces
MasterKale Jul 18, 2024
00baf08
Merge branch '1859-differentiate-errors' into 2062-new-error-codes
MasterKale Jul 23, 2024
17ff8f1
Remove duplicate TimeoutError
MasterKale Jul 30, 2024
d6ada58
Merge branch 'main' into 2062-new-error-codes
MasterKale Aug 28, 2024
09571b2
Remove hybrid errors for now
MasterKale Aug 28, 2024
0887054
Add required IDL for new error codes
MasterKale Aug 28, 2024
7aec744
Replace UserCancellationError with OptOutError
MasterKale Sep 24, 2024
008495a
Merge branch 'main' into 2062-new-error-codes
MasterKale Aug 27, 2025
2c39a85
Merge branch 'main' into 2062-new-error-codes
MasterKale Nov 10, 2025
d038316
Remove UnknownError definitions
MasterKale Nov 10, 2025
e7f510f
Incorporate more OptOutErrors
MasterKale Dec 11, 2025
3772858
Replace UserVerificationError with ConstraintError
MasterKale Dec 11, 2025
17a29f3
Fix a minor grammar mistake
MasterKale Dec 11, 2025
f68ac32
Merge branch 'main' into 2062-new-error-codes
MasterKale Dec 11, 2025
dc1ea48
Update list of get() exceptions w/ConstraintError
MasterKale Dec 11, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
59 changes: 47 additions & 12 deletions index.bs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1921,7 +1921,15 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o

: If the user exercises a user agent user-interface option to cancel the process,
:: [=set/For each=] |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] operation on |authenticator|
and [=set/remove=] |authenticator| from |issuedRequests|. Throw a "{{NotAllowedError}}" {{DOMException}}.
and [=set/remove=] |authenticator| from |issuedRequests|.

If the user agent is informing the user that
the last used |authenticator| cannot collect [=user verification=] when
<code>|pkOptions|.{{PublicKeyCredentialCreationOptions/authenticatorSelection}}.{{AuthenticatorSelectionCriteria/userVerification}}</code>
is set to {{UserVerificationRequirement/required}},
throw a "{{ConstraintError}}" {{DOMException}} indicating that [=user verification=] could not be collected.

Otherwise, throw an "{{OptOutError}}" {{DOMException}}.

: If <code>|options|.{{CredentialCreationOptions/signal}}</code> is present and [=AbortSignal/aborted=],
:: [=set/For each=] |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=]
Expand Down Expand Up @@ -2189,7 +2197,9 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
</dl>
</li>

1. Throw a "{{NotAllowedError}}" {{DOMException}}.
1. Throw a "{{TimeoutError}}" {{DOMException}}. In order to prevent information leak that could identify the
user without [=user consent|consent=], this step MUST NOT be executed before |lifetimeTimer| has expired. See
[[#sctn-make-credential-privacy]] for details.

During the above process, the user agent SHOULD show some UI to the user to guide them in the process of selecting and
authorizing an authenticator. When <code>|options|.{{CredentialCreationOptions/mediation}}</code> is set to {{CredentialMediationRequirement/conditional}}, prominent modal UI should <i>not</i> be shown <i>unless</i> credential creation was previously consented to via means determined by the user agent.
Expand Down Expand Up @@ -2226,16 +2236,22 @@ The following {{DOMException}} exceptions can be raised:
:: No entry in {{PublicKeyCredentialCreationOptions/pubKeyCredParams}} had a {{PublicKeyCredentialDescriptor/type}} property of {{PublicKeyCredentialType/public-key}},
or the [=authenticator=] did not support any of the signature algorithms specified in {{PublicKeyCredentialCreationOptions/pubKeyCredParams}}.

: {{OptOutError}}
:: The user did not consent to completing the ceremony.

: {{SecurityError}}
:: The [=effective domain=] was not a [=valid domain=],
or <code>{{PublicKeyCredentialCreationOptions/rp}}.{{PublicKeyCredentialRpEntity/id}}</code> was not equal to or a registrable domain suffix of the [=effective domain=].
In the latter case,
the [=client=] does not support [[#sctn-related-origins|related origin requests]]
or the [$related origins validation procedure$] failed.

: {{TimeoutError}}
:: The ceremony was cancelled by the user agent after exceeding the time limit permitted for the ceremony.
See [[#sctn-timeout-recommended-range]] for more information.

: {{NotAllowedError}}
:: A catch-all error covering a wide range of possible reasons,
including common ones like the user canceling out of the ceremony.
:: A catch-all error covering a wide range of possible reasons.
Some of these causes are documented throughout this spec,
while others are client-specific.

Expand Down Expand Up @@ -2458,7 +2474,15 @@ When this method is invoked, the user agent MUST execute the following algorithm

: If the user exercises a user agent user-interface option to cancel the process,
:: [=set/For each=] |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] operation on |authenticator|
and [=set/remove=] |authenticator| from |issuedRequests|. Throw a "{{NotAllowedError}}" {{DOMException}}.
and [=set/remove=] |authenticator| from |issuedRequests|.

If the user agent is informing the user that
the last used |authenticator| cannot collect [=user verification=] when
<code>|pkOptions|.{{PublicKeyCredentialCreationOptions/authenticatorSelection}}.{{AuthenticatorSelectionCriteria/userVerification}}</code>
is set to {{UserVerificationRequirement/required}},
throw a "{{ConstraintError}}" {{DOMException}} indicating that [=user verification=] could not be collected.

Otherwise, throw an "{{OptOutError}}" {{DOMException}}.

: If <code>|options|.{{CredentialRequestOptions/signal}}</code> is present and [=AbortSignal/aborted=],
:: [=set/For each=] |authenticator| in |issuedRequests| invoke the [=authenticatorCancel=] operation on |authenticator|
Expand Down Expand Up @@ -2510,7 +2534,7 @@ When this method is invoked, the user agent MUST execute the following algorithm
: If <code>|options|.{{CredentialRequestOptions/mediation}}</code> is not {{CredentialMediationRequirement/conditional}},
|issuedRequests| is empty, <code>|pkOptions|.{{PublicKeyCredentialRequestOptions/allowCredentials}}</code> is not empty,
and no |authenticator| will become available for any [=public key credentials=] therein,
:: Indicate to the user that no eligible credential could be found. When the user acknowledges the dialog, throw a "{{NotAllowedError}}" {{DOMException}}.
:: Indicate to the user that no eligible credential could be found. When the user acknowledges the dialog, throw an "{{OptOutError}}" {{DOMException}}.

Note: One way a [=client platform=] can determine that no |authenticator| will become available is by examining the <code>{{PublicKeyCredentialDescriptor/transports}}</code> members of the present <code>{{PublicKeyCredentialDescriptor}}</code> [=list/items=] of <code>|pkOptions|.{{PublicKeyCredentialRequestOptions/allowCredentials}}</code>, if any. For example, if all <code>{{PublicKeyCredentialDescriptor}}</code> [=list/items=] list only <code>{{AuthenticatorTransport/internal}}</code>, but all [=platform authenticator|platform=] |authenticator|s have been tried, then there is no possibility of satisfying the request. Alternatively, all <code>{{PublicKeyCredentialDescriptor}}</code> [=list/items=] may list <code>{{PublicKeyCredentialDescriptor/transports}}</code> that the [=client platform=] does not support.

Expand Down Expand Up @@ -2637,7 +2661,9 @@ When this method is invoked, the user agent MUST execute the following algorithm
1. Return |pubKeyCred| and terminate this algorithm.
</dl>

1. Throw a "{{NotAllowedError}}" {{DOMException}}.
1. Throw a "{{TimeoutError}}" {{DOMException}}. In order to prevent information leak that could identify the
user without [=user consent|consent=], this step MUST NOT be executed before |lifetimeTimer| has expired. See
[[#sctn-assertion-privacy]] for details.

</div>

Expand Down Expand Up @@ -2783,16 +2809,25 @@ The following {{DOMException}} exceptions can be raised:
:: The ceremony was cancelled by an {{AbortController}}.
See [[#sctn-abortoperation]] and [[#sctn-sample-aborting]].

: {{ConstraintError}}
:: {{AuthenticatorSelectionCriteria/userVerification}} was set to {{UserVerificationRequirement/required}} and no available authenticator could perform [=user verification=].

: {{OptOutError}}
:: The user did not consent to completing the ceremony.

: {{SecurityError}}
:: The [=effective domain=] was not a [=valid domain=],
or <code>{{PublicKeyCredentialCreationOptions/rp}}.{{PublicKeyCredentialRpEntity/id}}</code> was not equal to or a registrable domain suffix of the [=effective domain=].
In the latter case,
the [=client=] does not support [[#sctn-related-origins|related origin requests]]
or the [$related origins validation procedure$] failed.

: {{TimeoutError}}
:: The ceremony was cancelled by the user agent after exceeding the time limit permitted for the ceremony.
See [[#sctn-timeout-recommended-range]] for more information.

: {{NotAllowedError}}
:: A catch-all error covering a wide range of possible reasons,
including common ones like the user canceling out of the ceremony.
:: A catch-all error covering a wide range of possible reasons.
Some of these causes are documented throughout this spec,
while others are client-specific.
</dl>
Expand Down Expand Up @@ -5190,7 +5225,7 @@ When this operation is invoked, the [=authenticator=] MUST perform the following
:: return an error code equivalent to "{{InvalidStateError}}" and terminate the operation.

: does not consent to create a new credential
:: return an error code equivalent to "{{NotAllowedError}}" and terminate the operation.
:: return an error code equivalent to "{{OptOutError}}" and terminate the operation.
</dl>

Note: The purpose of this [=authorization gesture=] is not to proceed with creating a credential,
Expand Down Expand Up @@ -5223,7 +5258,7 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
If |requireUserPresence| is [TRUE], the [=authorization gesture=] MUST include a [=test of user presence=].

If the user does not [=user consent|consent=] or if [=user verification=] fails, return an error code equivalent to
"{{NotAllowedError}}" and terminate the operation.
"{{OptOutError}}" and terminate the operation.
</li>

1. Once the [=authorization gesture=] has been completed and [=user consent=] has been obtained, generate a new credential object:
Expand Down Expand Up @@ -5338,7 +5373,7 @@ a numbered step. If outdented, it (today) is rendered as a bullet in the midst o
[=test of user presence=].

If the user does not [=user consent|consent=], return an error code equivalent to
"{{NotAllowedError}}" and terminate the operation.
"{{OptOutError}}" and terminate the operation.
</li>

1. Let |processedExtensions| be the result of [=authenticator extension processing=] [=map/for each=] supported [=extension
Expand Down
Loading