Registration example says to add user.id. Why? #152
Hello, in the main home there's a registration example with the following:

```js
const registrationOptions = await f2l.attestationOptions();
// make sure to add registrationOptions.user.id
// save the challenge in the session information...
// send registrationOptions to client and pass them in to `navigator.credentials.create()`...
// get response back from client (clientAttestationResponse)
const attestationExpectations = {
    challenge: "33EHav-jZ1v9qwH783aU-j0ARx6r5o-YHh-wd7C6jPbd7Wh6ytbIZosIIACehwf9-s6hXhySHO-HHUjEwZS29w",
    origin: "https://localhost:8443",
    factor: "either"
};
const regResult = await f2l.attestationResult(clientAttestationResponse, attestationExpectations); // will throw on error
// registration complete!
// save publicKey and counter from regResult to user's info for future authentication calls
```

The first comment on this code is: `make sure to add registrationOptions.user.id`

The registration information will be used by the RP when calling the credential create method like the code below:

```js
const credential = await navigator.credentials.create({
    publicKey: publicKeyCredentialCreationOptions
});
```

The object `publicKeyCredentialCreationOptions` contains some `registrationOptions` values, but it seems odd that `user.id` is an authenticator responsibility to create instead of the RP's.

In the documentation of `publicKeyCredentialCreationOptions` from https://webauthn.guide/ we have the following description for user. It looks like a note for the RP to not set `user.id` with private/sensitive information, because the authenticator may save it.

Does this information really need to be created on the authenticator side?

Thanks
Replies: 1 comment
The ID is what identifies the credential at the end. It doesn't really matter which part of the application takes care of it how, but if you don't specify it, it's not working according to the specs.
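To illustrate the README comment discussed in this thread, here is an added example (not part of the original posts and not fido2-lib's own code) of a relying-party server supplying `user.id` itself: a random handle of at most 64 bytes that carries no personal data, which is what WebAuthn specifies for the user handle. The helper names, the in-memory maps and the sample account are assumptions.

```javascript
// Added example, not fido2-lib code; all helper names are hypothetical.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

const MAX_USER_HANDLE_BYTES = 64; // WebAuthn upper bound for user.id

// Constructed in-memory stores standing in for the RP's user database.
const handleByAccount = new Map(); // account name -> Uint8Array handle
const accountByHandle = new Map(); // base64url(handle) -> account name

function toBase64Url(bytes) {
  return Buffer.from(bytes).toString("base64url");
}

// Return the account's stable handle, creating a random one on first use.
// Random bytes keep e-mail addresses and usernames out of user.id.
function userHandleFor(accountName) {
  let handle = handleByAccount.get(accountName);
  if (!handle) {
    handle = webcrypto.getRandomValues(new Uint8Array(32));
    handleByAccount.set(accountName, handle);
    accountByHandle.set(toBase64Url(handle), accountName);
  }
  return handle;
}

// Validate a handle (fresh or loaded from storage) and set it on the options.
function setUserId(registrationOptions, id) {
  if (!(id instanceof Uint8Array)) throw new TypeError("user.id must be bytes");
  if (id.byteLength < 1 || id.byteLength > MAX_USER_HANDLE_BYTES) {
    throw new RangeError("user.id must be 1 to 64 bytes long");
  }
  registrationOptions.user = { ...registrationOptions.user, id };
  return registrationOptions;
}

// Server-side step: fill in `user` before the options go to the client.
function addUser(registrationOptions, accountName, displayName) {
  registrationOptions.user = { name: accountName, displayName };
  return setUserId(registrationOptions, userHandleFor(accountName));
}

// Map a handle that comes back in a later assertion to the stored account.
function accountForHandle(handleBytes) {
  return accountByHandle.get(toBase64Url(handleBytes)) ?? null;
}
```

The same account always gets the same handle, so the server can store it next to the public key and counter saved from the registration result.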