[Webkit-unassigned] [Bug 261301] New: WebAuthn auth always shows hybrid QR code when only "internal" transport in allowCredentials but no credentials recognized by platform

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Sep 7 16:49:04 PDT 2023


https://bugs.webkit.org/show_bug.cgi?id=261301

            Bug ID: 261301
           Summary: WebAuthn auth always shows hybrid QR code when only
                    "internal" transport in allowCredentials but no
                    credentials recognized by platform
           Product: WebKit
           Version: Safari 16
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: matthew at millerti.me

## Context

Safari 16 on iOS and macOS (and probably iPadOS too) always shows the hybrid auth QR code in cases where no entries in allowCredentials, with only ["internal"] specified for their transports, are recognized by the local platform authenticator.

As an RP, if we do not communicate to the browser that "hybrid" transport is possible for any provided credentials, we would not expect the QR code to appear. For the sake of comparison, Chrome on macOS and Android shows a "no passkeys available" message in this same scenario.
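As an added example (not code from the bug report), this is one way an RP can pass its stored transports through to allowCredentials and skip the ceremony entirely when every entry is platform-only but the device has no platform authenticator. The stored record shape ({ id: base64url, transports: [...] }, as saved from getTransports() at registration) and the function names are assumptions.

```javascript
// Decode a base64url credential ID into the Uint8Array WebAuthn expects.
function base64urlToBytes(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

// Build allowCredentials from stored records (assumed shape), forwarding the
// transports the authenticator reported at registration so the browser can
// narrow the UI it offers (the hint is advisory; browsers may ignore it).
function buildAllowCredentials(storedCreds) {
  return storedCreds.map((c) => ({
    type: 'public-key',
    id: base64urlToBytes(c.id),
    transports: c.transports,
  }));
}

// True when every allowed credential lists only "internal": the assertion can
// only succeed on this device's platform authenticator, so a hybrid/QR path
// cannot help the user.
function platformOnly(allowCredentials) {
  return allowCredentials.length > 0 &&
    allowCredentials.every((c) =>
      Array.isArray(c.transports) && c.transports.length > 0 &&
      c.transports.every((t) => t === 'internal'));
}

// RP-side gate: if the request is platform-only and no user-verifying
// platform authenticator exists, show our own message instead of letting
// the browser fall through to the hybrid QR code. Note this only checks that
// a platform authenticator exists, not that it holds one of these credentials;
// a NotAllowedError from get() still has to be handled.
async function authenticate(challenge, storedCreds) {
  const allowCredentials = buildAllowCredentials(storedCreds);
  if (platformOnly(allowCredentials)) {
    const available =
      await PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable();
    if (!available) return { error: 'no-platform-authenticator' };
  }
  try {
    const credential = await navigator.credentials.get({
      publicKey: { challenge, allowCredentials, userVerification: 'preferred' },
    });
    return { credential };
  } catch (e) {
    return { error: e.name }; // e.g. NotAllowedError when nothing matched
  }
}
```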

## Environment

- Safari 16.6
- macOS 13.5.1
- iOS 16.6

## Reproduction

This basic HTML document can be used to recreate the scenario outlined above:

```html
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <style>
    body {
      max-width: 40em;
      margin: auto;
    }
  </style>
  <title>Safari Bug - Hybrid shown for unrecognized ["internal"] entry in allowCredentials</title>
</head>
<body>
  <h1>
    Safari Bug - Hybrid shown for unrecognized ["internal"] entry in allowCredentials
  </h1>
  <p>
    Demonstrating how Safari shows hybrid auth QR code as an option even though the only entry in
    allowCredentials has just ["internal"] for its transports.
  </p>
  <button id="auth1">Authenticate w/["internal"]</button>
  <script>
    // button#auth1: a single allowCredentials entry whose transports hint is
    // ["internal"] only, with an ID the platform authenticator cannot know.
    document.getElementById('auth1').addEventListener('click', () => {
      navigator.credentials.get({
        publicKey: {
          challenge: new Uint8Array([1,2,3,4]),
          allowCredentials: [
            { id: new Uint8Array([1]), type: 'public-key', transports: ['internal'] },
          ]
        },
      }).then(console.log).catch(console.error); // expect NotAllowedError after the sheet is dismissed
    });
  </script>
</body>
</html>
```
