Improve the log in experience with the Credential Management API

Many web sites require users to log in to access their resources. From a user point of view, the log in process can be complicated, and this is more true when you can log in using a login/password or using a social provider (Microsoft, Google, Facebook, etc.). For instance, some users enter their Google credentials in the Username/Password form instead of clicking the Google button, or they don't remember which provider they use.

To help users, major web browsers allow to save credentials, and auto-fill forms. This allows users to quickly log into the web site. This is great but this doesn't work with social providers and you still need to navigate to the log in page. Thanks to the new Credential Management API you can go further. Indeed, the browser knows your credentials, so why not automatically log you in as soon as you access the web site without even navigating to the login page? To be clear, users may see the login page only the first time. Then, he or she can log in without typing their credentials and without navigating to the login page.

Can I use the Credential Management API?

This API is clearly not well supported. Indeed, only Google Chrome and the developer version of Opera (44) support it. However, this doesn't mean you should not consider using it. In fact, using this API doesn't break default login flow. Instead, this API just improves it.

Source: http://caniuse.com/#feat=credential-management

How it works?

For the demo, I'll use ASP.NET Core and TypeScript. The code is very basic, so it's very easy to adapt it to another language/framework.

First, you need to create a log in form:

<form asp-controller="Account" asp-action="Login" method="post">
    <input asp-for="Email" />
    <input asp-for="Password" />
    <button type="submit">Log in</button>
</form>

Then, you must create a controller action. This code comes from the default template of ASP.NET with Individual User Accounts.

[HttpPost]
[AllowAnonymous]
public async Task<IActionResult> Login(LoginViewModel model)
{
    if (ModelState.IsValid)
    {
        var result = await _signInManager.PasswordSignInAsync(model.Email, model.Password, isPersistent: false); // Create the authentication cookie
        if (result.Succeeded)
            return RedirectToLocal(returnUrl);
        else
        {
            ModelState.AddModelError(string.Empty, "Invalid login attempt.");
            return View(model);
        }
    }

    return View(model);
}

Now, when the user logs in, the browser should display a "Save credential" button:

Once the user has saved the password, you'll be able to access its credentials from JavaScript. For security reason, you won't have access to the username or the password directly. If you use TypeScript, you need to add the type declarations:

npm install @types/webappsec-credential-management

The basic code to get a saved credential for the current website is:

async function signIn(unmediated: boolean) {
    // Test if the Credential Manager API exists
    if (navigator.credentials) {
        // Ask for a credential
        // unmediated: if true, the user agent will only attempt to provide a Credential without user interaction
        const cred = await navigator.credentials.get({
            password: true,
            unmediated: unmediated
        });

        if (cred) {
            // Do something with the creds
        }
    }
}

The API allows to manage username/password credentials and federated credentials (log in using an external provider such as Microsoft, Google, Facebook, etc.). You can determine the type using the type property. In this post, we'll only handle username/password credentials so we need to test if the type is password. As we use TypeScript we can create a type guard function so we can avoid casting explicitly the variable cred:

function isPasswordCredential(credential: Credential) : credential is PasswordCredential {
    return credential.type === "password";
}

As said before, you cannot directly access the username or the password of the credential. However, you can use the fetch function. This function can take a PasswordCredential as parameter and send it to the server.

        if (cred) {
            if (isPasswordCredential(cred)) {
                cred.idName = "email"; // the username field is "email" as defined in the log in form (default "username")
                //cred.passwordName = "password";

                const response = await fetch("/Account/AutoLogin", {
                    method: "POST",
                    credentials: cred
                });

                if (response.ok) {
                    window.location.reload(); // reload the page with the authentication cookie
                }
            }
        }

If needed you can add additional data to the request. For instance, you can add the CSRF token:

                const additionalData = new FormData();
                const csrfInput = <HTMLInputElement>document.querySelector("input[name='__RequestVerificationToken']");
                additionalData.append("__RequestVerificationToken", csrfInput.value);
                cred.additionalData = additionalData;

                const response = await fetch("/Account/AutoLogin", {
                    method: "POST",
                    credentials: cred
                });

The AutoLogin action is the same as the Login action except it just returns a status code instead of an HTML content:

[HttpPost]
[AllowAnonymous]
public async Task<IActionResult> AutoLogin(LoginViewModel model)
{
    if (ModelState.IsValid)
    {
        var result = await _signInManager.PasswordSignInAsync(model.Email, model.Password, isPersistent: false);
        if (result.Succeeded)
            return Ok();

        return BadRequest("Invalid login attempt.");
    }

    // If we got this far, something failed, redisplay form
    return Ok();
}

Now the log in code is written, you can call the signIn function on page load (if the user is not authenticated).

signIn(true);

The first time or if the user has saved more than one credential, you must show the UI:

signIn(false);

After the user log off, you don't want to be able to log the user in automatically. To instruct the browser to require the mediation after the user logs off, you must call the requireUserMediation function. This does not delete the saved credential. Instead, the navigator.credentials.get won't return any credential without the user accept it explicitly (unmediated: false).

if (navigator.credentials) {
    const logOutElement = document.getElementById("LogOut");
    if (logOutElement) {
        logOutElement.addEventListener("click", e => navigator.credentials.requireUserMediation());
    }
}

Conclusion

This new API is great improvement for the user as it simplifies the log in process. You can now automatically log the user in without he or she notice it. While this new API is not well supported (currently Chrome and Opera), you can already use it to progressively replace the old login form. This post does not cover all the methods of this API. For instance, we do not use the store method which may be required for an SPA application. If you want to go further, here's some additional resources:

Follow me:
Enjoy this blog? Buy Me A Coffee Donate with PayPal

Leave a reply