Which POST parameters to /login are passed down to arbitrary authentication PAS plugins?

Question regarding PAS: my GSOC student works on WebAuthn for PAS. We have a custom login page that sends the attached credentials through a POST request to the Plone/login endpoint. The PAS plugin is configured as authenticator plugin. However, we don't see the data from the POST request neither in self.request of your PAS plugin nor in the parameters of the authenticateCredentials call. If we authenticate a user through username/password (standard Plone login process), we see the related form data from Plone login form. Is there anything in PAS filtering or preventing a POST to /login to be passed down to the chain of configured authenticator plugins?

Not sure, but you could step through the logic that uses the plugins in https://github.com/zopefoundation/Products.PluggableAuthService/blob/master/src/Products/PluggableAuthService/PluggableAuthService.py#L532 to find out.

You probably need to also register an extraction plugin.

I think restapi breaks PAS in many ways. for example you can no longer pass back redirects or messages to display the user.

This seems to be a similar problem to what you are having.

Yes, this was a useful hint.
Taking the form data/JSON data from request.body from within the extraction plugin will work.
The data returned from extractCredentials() will show up as credentials parameter in our authenticateCredentials() method.