Credit and thanks to @akshayku for pointing this out
The "payment" WebAuthn extension defined in the SPC spec does not define any client extension outputs:
    Client extension output: None
This means that it is not possible for a relying party to know that the 'thirdPartyPayment' bit was supported and has been successfully stored, and thus that they can use the created credential in a cross-domain SPC call. We should probably do something similar to largeBlob and return a supported bit which will be true (and really, would exist at all?) only if the authenticator supported and set the bit.
(Practically speaking, we would also return true if the browser cached the bit on the authenticator's behalf. Maybe we should just make that explicit and have an enum of {kFailed, kSuccess, kBrowserStoredIt}?)
Sidenote: This issue also highlights once again what was discussed but never actioned in SPC: From browser cache to FIDO/WebAuthn integration, which is that we'd really be better off separating the "payment" auth-time extension from the "thirdPartyPayment" create-time extension. Today only the former really exists at the browser level, and the latter only exists at the CTAP/authenticator level, and we glue it all together and pretend the mess doesn't exist. But it does.
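As an added illustration (not code from the issue, the SPC spec, or any browser), this is the relying-party side of the gap described above: a create() request carrying the largeBlob extension next to the SPC `payment` extension, and the code that would read `getClientExtensionResults()` afterwards. The `payment` output shapes (`supported` boolean or a `status` enum) are the proposals from this issue, labelled hypothetical in the code; everything else follows the current WebAuthn and SPC extension syntax.

```javascript
// Create-time options: WebAuthn largeBlob (defines a client extension output
// { supported: boolean }) plus the SPC "payment" extension with isPayment
// (defines no client extension output today).
function buildCreateOptions({ rpId, challenge, userId }) {
  return {
    publicKey: {
      rp: { id: rpId, name: rpId },
      user: { id: userId, name: "payer@example.invalid", displayName: "Payer" },
      challenge,
      pubKeyCredParams: [{ type: "public-key", alg: -7 }],
      authenticatorSelection: { residentKey: "required", userVerification: "required" },
      extensions: {
        largeBlob: { support: "preferred" },
        payment: { isPayment: true },
      },
    },
  };
}

// largeBlob's existing signal: the RP can tell whether the blob is usable.
function largeBlobSupported(extResults) {
  return Boolean(extResults && extResults.largeBlob && extResults.largeBlob.supported);
}

// Hypothetical: interpret a "payment" client extension output as proposed
// in this issue. Accepts either a `supported` boolean or a `status` enum of
// kFailed / kSuccess / kBrowserStoredIt. Returns "unknown" when the output
// is absent, which is the only thing an RP gets under the current spec.
const PAYMENT_STATUSES = new Set(["kFailed", "kSuccess", "kBrowserStoredIt"]);
function classifyPaymentSupport(extResults) {
  const payment = extResults && extResults.payment;
  if (payment === undefined) return "unknown";
  if (typeof payment.supported === "boolean") return payment.supported ? "kSuccess" : "kFailed";
  if (PAYMENT_STATUSES.has(payment.status)) return payment.status;
  return "kFailed";
}

// Only a positive, explicit signal should let the RP plan to use the
// credential for cross-origin SPC; "unknown" is not good enough.
function canUseForCrossOriginSpc(extResults) {
  const status = classifyPaymentSupport(extResults);
  return status === "kSuccess" || status === "kBrowserStoredIt";
}

// Constructed sample outputs (no real authenticator involved).
const todaysResults = { largeBlob: { supported: true } };
const proposedResults = { largeBlob: { supported: true }, payment: { status: "kBrowserStoredIt" } };
```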