[Webkit-unassigned] [Bug 251817] New: WebAuthn conditional UI works, but consistently raises "NotAllowedError: Operation Failed" on every other page reload

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Feb 6 14:51:59 PST 2023 

https://bugs.webkit.org/show_bug.cgi?id=251817

            Bug ID: 251817
           Summary: WebAuthn conditional UI works, but consistently raises
                    "NotAllowedError: Operation Failed" on every other
                    page reload
           Product: WebKit
           Version: Safari 16
          Hardware: iPhone / iPad
                OS: iOS 16
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: matthew at millerti.me

I have the following basic HTML document that initializes WebAuthn's conditional UI:

```
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="UTF-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <title>Document</title>
  </head>
  <body>
    <form action="">
      <input type="text" autocomplete="username webauthn" />
      <button>Submit</button>
    </form>
    <script>
      navigator.credentials
        .get({
          publicKey: {
            challenge: new Uint8Array([1, 2, 3, 4]),
            allowCredentials: [],
          },
          mediation: 'conditional',
        })
        .then(console.log)
        .catch(console.error);
    </script>
  </body>
</html>
```

When I load the page in Safari, conditional UI seems to work fine every time - I get prompted to log in with a saved passkey when the input receives focus.

However when I inspect the page from my macOS device, I see weird alternating behavior:

## Reload 1

- A warning that, "User gesture is not detected. To use the WebAuthn API, call 'navigator.credentials.create' or 'navigator.credentials.get' within user activated events." 

## Reload 2

- A warning saying, "User gesture is not detected. To use the WebAuthn API, call 'navigator.credentials.create' or 'navigator.credentials.get' within user activated events." 
- An error from the `.catch()` handler on the `.get()` Promise saying, "NotAllowedError: Operation failed."

These two error states reliably alternate with each other in this order, no matter how many times I reload the page:

- Reload 1
- Reload 2
- Reload 1
- Reload 2
- etc...

To reiterate, the page seems to function fine to the end user, but the  is making it impossible to truly understand whether Conditional UI is working or not.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20230206/2060e244/attachment.htm>

More information about the webkit-unassigned mailing list