203200 2019-10-21 12:31:46 -0700 [WebAuthn] Support appidExclude enrollment extension 2022-06-30 17:26:14 -0700 1 1 1 Unclassified WebKit WebCore Misc. Safari Technology Preview Unspecified Unspecified NEW https://bugs.webkit.org/show_bug.cgi?id=181943 InRadar P2 Normal --- 1 piperc pascoe jiewen_tan nuno.sung pascoe piperc webkit-bug-importer oldest_to_newest 1581947 0 piperc 2019-10-21 12:31:46 -0700 For relying parties that previously enrolled security keys via the U2F enrollment protocol, keys are bound to an application identifier, rather than the relying party id to which WebAuthn enrollments are bound. Since WebAuthn is meant to be backwards compatible with enrollments via U2F, the authentication extension appid can be provided during authentication [1]. Similarly, to prevent reregistration of the same credential when doing a WebAuthn enrollment, an extension [appidExclude] was added to the WebAuthn specification to first check if a key was enrolled via U2F before completing the WebAuthn enrollment [2][3] and report the key already registered if so. [1] https://bugs.webkit.org/show_bug.cgi?id=143491 [2] https://github.com/w3c/webauthn/pull/1244 [3] https://w3c.github.io/webauthn/#sctn-appid-exclude-extension 1581950 1 jiewen_tan 2019-10-21 12:36:43 -0700 Will track this in an upcoming level 2 umbrella. 1692643 2 jiewen_tan 2020-09-28 12:10:49 -0700 *** Bug 217050 has been marked as a duplicate of this bug. *** 1879610 3 webkit-bug-importer 2022-06-30 17:26:14 -0700 <rdar://problem/96257224>