[Webkit-unassigned] [Bug 232950] New: WebAuthn navigator.credentials.create() fails with "NowAllowedError" after Touch ID interaction

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Nov 10 10:08:00 PST 2021 

https://bugs.webkit.org/show_bug.cgi?id=232950

            Bug ID: 232950
           Summary: WebAuthn navigator.credentials.create() fails with
                    "NowAllowedError" after Touch ID interaction
           Product: WebKit
           Version: Safari 15
          Hardware: Mac (Apple Silicon)
                OS: macOS 12
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: matthew at millerti.me

Created attachment 443827

  --> https://bugs.webkit.org/attachment.cgi?id=443827&action=review

Screencast of failing Touch ID registration

WebAuthn platform authenticator registration in macOS 12.0, Safari 15.0, on a new MacBook Pro with an M1 Pro appears to be broken. Triggering `navigator.credentials.create()` on a button click prompts me to allow use of Touch ID as expected, and when I click OK I'm prompted to interact with Touch ID as expected. Tapping my Touch ID sensor, though, shows a "The operation cannot be completed" modal, and a `NotAllowedError` exception is thrown.

I tested this scenario on https://example.simplewebauthn.dev. This exact same code works fine on my 2019 Intel i7 MBP - I am able to register Touch ID as expected.

These are the registration options I passed to `navigator.credentials.create()` (I used my @simplewebauthn/browser library to convert some of these values to buffers as needed before making the actual WebAuthn API request):

```
{
  "challenge": "LHfdXxwvT9lCyG0w0zZ_x6FYNydqnyOsIreqO_ZIIU8",
  "rp": {
    "name": "SimpleWebAuthn Example",
    "id": "example.simplewebauthn.dev"
  },
  "user": {
    "id": "internalUserId",
    "name": "user at example.simplewebauthn.dev",
    "displayName": "user at example.simplewebauthn.dev"
  },
  "pubKeyCredParams": [
    {
      "alg": -7,
      "type": "public-key"
    },
    {
      "alg": -257,
      "type": "public-key"
    }
  ],
  "timeout": 60000,
  "attestation": "direct",
  "excludeCredentials": [],
  "authenticatorSelection": {
    "userVerification": "preferred",
    "requireResidentKey": false
  }
}
```

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20211110/85af1280/attachment-0001.htm>

More information about the webkit-unassigned mailing list