[Webkit-unassigned] [Bug 264097] New: [WebAuthn] Navigator matches excludedCredentials for deleted passkeys in 30 day grace period

bugzilla-daemon at webkit.org
Thu Nov 2 10:10:12 PDT 2023


https://bugs.webkit.org/show_bug.cgi?id=264097

            Bug ID: 264097
           Summary: [WebAuthn] Navigator matches excludedCredentials for
                    deleted passkeys in 30 day grace period
           Product: WebKit
           Version: Safari 17
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore JavaScript
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: stephen at stephenwan.net

If a passkey is deleted (and within the 30-day undelete grace period) by the user in the Safari password manager and the user attempts to re-enroll the platform navigator using WebAuthn, we get:

InvalidStateError: At least one credential matches an entry of the excludeCredentials list in the platform attached authenticator.

This seems pretty confusing because the user has deleted the passkey and it's not usable to authenticate anymore, so it shouldn't be matched against the excludedCredentials list.

The user can work around this by going into "Recently deleted" in the password manager and permanently deleting the offending credential.

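How a relying party can cope with the behaviour reported above, as an added example that is not part of the original report or of WebKit: the registration wrapper builds excludeCredentials from its own records and turns the InvalidStateError into a hint that mentions the "Recently deleted" list. All function names, the `revoked` field and the fake authenticator are assumptions made for illustration.

```javascript
// Added example; all function and field names are hypothetical.

// excludeCredentials from the RP's records, skipping ones revoked at the RP.
function buildExcludeList(serverCredentials) {
  return serverCredentials
    .filter((c) => !c.revoked)
    .map((c) => ({ type: "public-key", id: c.id })); // id: BufferSource in a browser
}

// Turn a rejected create() into an outcome the enrollment UI can act on.
function classifyCreateError(err) {
  if (err && err.name === "InvalidStateError") {
    return {
      outcome: "excluded-credential-present",
      hint: "A passkey for this account already exists on this device, or was " +
        'deleted and is still under "Recently deleted" in the password manager.',
    };
  }
  if (err && err.name === "NotAllowedError") {
    return { outcome: "cancelled-or-denied", hint: "Registration was cancelled or timed out." };
  }
  return { outcome: "error", hint: "Registration failed." };
}

// `credentials` is navigator.credentials in a browser; injected so it can be faked.
async function registerPasskey(credentials, baseOptions, serverCredentials) {
  const excludeCredentials = buildExcludeList(serverCredentials);
  try {
    const credential = await credentials.create({
      publicKey: { ...baseOptions, excludeCredentials },
    });
    return { outcome: "created", credential };
  } catch (err) {
    return classifyCreateError(err);
  }
}

// Constructed stand-in for the platform authenticator as the report describes it:
// soft-deleted passkeys still count as matches for excludeCredentials.
function fakeAuthenticator(storedIds) {
  return {
    async create({ publicKey }) {
      const hit = publicKey.excludeCredentials.some((c) => storedIds.includes(c.id));
      if (hit) throw Object.assign(new Error("excluded"), { name: "InvalidStateError" });
      return { id: "new-credential" };
    },
  };
}
```

In a browser the call would be `registerPasskey(navigator.credentials, options, credentialsFromServer)`, with credential ids as ArrayBuffers rather than the strings used by the fake.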