[Webkit-unassigned] [Bug 213187] New: [WebAuthn] The support of the GetAssertion response without containing a credential case

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jun 15 01:27:30 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=213187

            Bug ID: 213187
           Summary: [WebAuthn] The support of the GetAssertion response
                    without containing a credential case
           Product: WebKit
           Version: Safari Technology Preview
          Hardware: Macintosh
                OS: macOS 10.15
            Status: NEW
          Keywords: InRadar
          Severity: Normal
          Priority: P2
         Component: WebKit Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: nuno.sung at authentrend.com
                CC: bfulgham at webkit.org, jiewen_tan at apple.com,
                    webkit-bug-importer at group.apple.com,
                    webkit-unassigned at lists.webkit.org

[Environment]
Test Device: MacBook Pro (2013)
OS: macOS 10.15.5
Safari Technology Preview Release 108

[Repro Steps]
1. Test https://webauthntest.azurewebsites.net/#
2. Create a credential without modifying any settings.
3. Make sure there is only one created credential on the web page.
4. Run Get credential and leave "Use allowCredentials" checked.
5. The response from the authenticator will omit the credential (0x01) member if the allowList has exactly one Credential.
6. The result is not okay.
7. But if the key has support for U2F, another U2F_AUTH request/response will be processed and the result is okay.

[Ref.]
1. "May be omitted if the allowList has exactly one Credential." in the description of GetAssertion response table under 
https://fidoalliance.org/specs/fido2/fido-client-to-authenticator-protocol-v2.1-rd-20191217.html#authenticatorGetAssertion

2. 
// When the response from the authenticator does not contain a credential and
// the allow list from the GetAssertion request only contains a single
// credential id, manually set credential id in the returned response.
https://chromium.googlesource.com/chromium/src/+/refs/heads/master/device/fido/get_assertion_request_handler.cc#187

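The client-side handling the report asks for, as an added example that is not WebKit's or Chromium's code: when the credential (0x01) member is omitted and the allowList has exactly one entry, the client takes the id from the allowList. The types and function names are hypothetical, and rejecting a returned id that is not in the allowList is an assumption of this example.

```cpp
#include <algorithm>
#include <cstdint>
#include <optional>
#include <vector>

using CredentialId = std::vector<uint8_t>;

// Hypothetical model of a decoded authenticatorGetAssertion response; only the
// optional credential (0x01) member matters for this example.
struct GetAssertionResponse {
    std::optional<CredentialId> credentialId;
};

enum class Resolve { FromResponse, FromAllowList, Rejected };

struct Resolved {
    Resolve how;
    CredentialId id;  // empty when rejected
};

// Decide which credential id the client reports for this assertion.
Resolved resolveCredentialId(const GetAssertionResponse& response,
                             const std::vector<CredentialId>& allowList) {
    if (response.credentialId) {
        // Assumption of this example: if an allowList was sent, an id returned
        // by the authenticator must be one of its entries.
        bool listed = allowList.empty() ||
            std::find(allowList.begin(), allowList.end(),
                      *response.credentialId) != allowList.end();
        if (!listed)
            return {Resolve::Rejected, {}};
        return {Resolve::FromResponse, *response.credentialId};
    }
    // Member omitted: the spec text quoted in the report allows this when the
    // allowList has exactly one Credential, so that entry is the id.
    if (allowList.size() == 1)
        return {Resolve::FromAllowList, allowList.front()};
    // Omitted with zero or several candidates: the id cannot be determined.
    return {Resolve::Rejected, {}};
}

int main() {
    CredentialId only{0xAA, 0xBB};            // constructed sample id
    std::vector<CredentialId> allowList{only};
    GetAssertionResponse omitted{};           // authenticator left 0x01 out
    Resolved r = resolveCredentialId(omitted, allowList);
    return (r.how == Resolve::FromAllowList && r.id == only) ? 0 : 1;
}
```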