[Webkit-unassigned] [Bug 239737] New: WebAuthn userHandle can be empty string

bugzilla-daemon at webkit.org
Mon Apr 25 11:55:37 PDT 2022


https://bugs.webkit.org/show_bug.cgi?id=239737

            Bug ID: 239737
           Summary: WebAuthn userHandle can be empty string
           Product: WebKit
           Version: Safari 15
          Hardware: Mac (Intel)
                OS: macOS 12
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: lykahb at gmail.com

The WebAuthn implementation returns userHandle: "", which does not conform to this part of the spec: https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialuserentity-id

This breaks the checks on my Relying Party server. The same security key returns userHandle null on Firefox and Chromium. So it seems Safari replaces null with an empty string.

Steps to reproduce:
1. Open https://webauthn.io
2. Register YubiKey or another cross-platform security key. Registration with TouchID does not reproduce the issue.
3. Authenticate. On Safari 15 just activate the security key. On Safari Technology Preview choose "Account from Security Key".
4. Observe that the network request with the assertion has userHandle: "". It must be null to conform to the spec.

This bug may be related to https://bugs.webkit.org/show_bug.cgi?id=191521 [WebAuthN] UserHandle can be null.

-- 
You are receiving this mail because:
You are the assignee for the bug.
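
A Relying Party check that tolerates the behaviour reported above, added here as an example (it is not code from the bug report, WebKit, or webauthn.io). It assumes the assertion arrives as JSON with `userHandle` base64url-encoded, and treats an empty string the same as null; the function names and sample handles are hypothetical.

```javascript
"use strict";

// Decode the userHandle field of a JSON-serialized assertion.
// Returns a Buffer, or null when the authenticator supplied no handle.
function normalizeUserHandle(raw) {
  if (raw === null || raw === undefined) return null;
  if (typeof raw !== "string") throw new TypeError("userHandle must be a string or null");
  if (raw === "") return null; // Safari 15 sends "" where other browsers send null
  if (!/^[A-Za-z0-9_-]+$/.test(raw)) throw new TypeError("userHandle is not base64url");
  const bytes = Buffer.from(raw, "base64url");
  // A user handle is an opaque byte sequence of at most 64 bytes and must not be empty.
  if (bytes.length === 0 || bytes.length > 64) throw new RangeError("userHandle must be 1..64 bytes");
  return bytes;
}

// credentialOwner: handle stored with the credential at registration (Buffer).
// sessionUser: handle of the user identified before the ceremony (Buffer),
//              or null for a usernameless sign-in with a discoverable credential.
function verifyOwner(rawUserHandle, credentialOwner, sessionUser) {
  const userHandle = normalizeUserHandle(rawUserHandle);
  if (sessionUser === null) {
    // Nobody is identified yet, so the handle is the only user identifier.
    if (userHandle === null) return { ok: false, reason: "userHandle required" };
    return userHandle.equals(credentialOwner)
      ? { ok: true, reason: "handle maps to credential owner" }
      : { ok: false, reason: "userHandle does not own credential" };
  }
  if (!sessionUser.equals(credentialOwner)) {
    return { ok: false, reason: "credential belongs to another user" };
  }
  // The handle is optional here, but when present it must name the same user.
  if (userHandle !== null && !userHandle.equals(sessionUser)) {
    return { ok: false, reason: "userHandle does not match session user" };
  }
  return { ok: true, reason: "session user owns credential" };
}

// Constructed sample: the same sign-in as seen from three browsers.
const owner = Buffer.from("constructed-user-handle");
for (const sent of [null, "", owner.toString("base64url")]) {
  console.log(JSON.stringify(sent), verifyOwner(sent, owner, owner));
}
```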