239737 2022-04-25 11:55:37 -0700 WebAuthn userHandle must be null, not empty string 2024-03-04 19:31:15 -0800 1 1 1 Unclassified WebKit WebCore Misc. Safari 15 Mac (Intel) macOS 12 RESOLVED FIXED InRadar P2 Normal --- 1 lykahb pascoe henrik.willert pascoe tmj.chu webkit-bug-importer oldest_to_newest 1864180 0 lykahb 2022-04-25 11:55:37 -0700 The WebAuthn implementation returns userHandle: "", which does not conform to this part of the spec: https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialuserentity-id This breaks the checks on my Relying Party server. The same security key returns userHandle null on Firefox and Chromium. So it seems Safari replaces null with an empty string. Steps to reproduce: 1. Open https://webauthn.io 2. Register YubiKey or another cross-platform security key. Registration with TouchID does not reproduce the issue. 3. Authenticate. On Safari 15 just activate the security key. On Safari Technology Preview choose "Account from Security Key". 4. Observe that the network request with the assertion has userHandle: "". It must be null to conform to the spec. This bug may be related to https://bugs.webkit.org/show_bug.cgi?id=191521 [WebAuthN] UserHandle can be null. 1864320 1 webkit-bug-importer 2022-04-25 18:05:32 -0700 <rdar://problem/92305724> 1913812 2 tmj.chu 2022-11-20 23:25:35 -0800 Hi everyone, I am still seeing that this bug is still happening with Safari. 2004030 3 henrik.willert 2024-01-10 01:17:04 -0800 This nonconformity currently causes the Yubico java-webauthn-server library to to throw an exception for logins in Safari with a security key. https://github.com/Yubico/java-webauthn-server/issues/327 https://github.com/Yubico/java-webauthn-server/issues/194 It's probably the same for other libraries abiding to the spec. We're advising our Safari users to migrate to other browsers, but would strongly prefer a patch in Safari. 2004559 4 pascoe 2024-01-11 15:39:57 -0800 https://github.com/WebKit/WebKit/pull/22681 2018660 5 ews-feeder 2024-03-04 19:31:14 -0800 Committed 275669@main (04d4979c9e1d): <https://commits.webkit.org/275669@main> Reviewed commits have been landed. Closing PR #22681 and removing active labels.