[Webkit-unassigned] [Bug 244164] New: [WebAuthn] Conditional UI for webauthn autocomplete does not set the uv flag

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Aug 20 15:04:00 PDT 2022 

https://bugs.webkit.org/show_bug.cgi?id=244164

            Bug ID: 244164
           Summary: [WebAuthn] Conditional UI for webauthn autocomplete
                    does not set the uv flag
           Product: WebKit
           Version: Safari Technology Preview
          Hardware: Mac (Apple Silicon)
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ckillingsworth at jackhenry.com

On Safari Technology Preview Release 151 (Safari 16.0, WebKit 18615.1.1.2) on macOS 13 beta 5 the conditional UI (https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-Conditional-UI) functionality for Passkeys does not set the user verified flag in the authenticationData of the response.

Reproducing Steps:
1. Webpage with <input autocomplete="webauthn"/ >
2. Perform webauthn get with a conditional mediation:
navigator.credentials.get({
  mediation: 'conditional',
  publicKey: {
    challenge: <challengeFromServer>,
    rpId: <rpId>,
    userVerification: "required"
  }
}).then(({id, type, response, authenticatorAttachment}) => {
  console.log(response.authenticatorData);
});
3. Click into the input box - note that the conditional UI appears.
4. Complete the authentication with a registered credential.
5. decode the response.authenticatorData field and note the uv flag is not set.

Example flags:

flags: {
    up: true,
    uv: false,
    be: true,
    bs: true,
    at: false,
    ed: false,
    flagsInt: 25
  }

When invoking the navigator.credentials.get request manually (without conditional mediation) and using the exact same public key request options and the same credentials, the user verified flag is set.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20220820/48fbc407/attachment.htm>

More information about the webkit-unassigned mailing list