Bug 202427

Summary: [WebAuthn] Support googleLegacyAppidSupport extension
Product: WebKit Reporter: Alexei Czeskis <aczeskis>
Component: PlatformAssignee: Jiewen Tan <jiewen_tan>
Status: RESOLVED FIXED    
Severity: Normal CC: alex.gaynor, bfulgham, cdumez, commit-queue, esprehn+autocc, ews-watchlist, jiewen_tan, kondapallykalyan, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 181943    
Attachments:
Description Flags
Patch
none
Patch none

Description Alexei Czeskis 2019-10-01 12:55:41 PDT
***Background***
Google launched support for U2F Security Keys long before FIDO2/WebAuthn existed.  As a result all Security Keys registered to Google Accounts are "bound" to the appID https://www.gstatic.com/securitykey/origins.json.

The add-account-flow in Android is burned in by OEMs and cannot be updated — as a result, many Android devices only know how to speak U2F to authenticators.  If Google were to begin registering Security Keys over WebAuthn — specifically, using an RP ID rather than an appID — Google users with Security Keys would not be able to sign into their accounts on the aforementioned Android devices.  While Google intends to move fully to WebAuthn, the transition will take some time.


***Tweaks for create()***
The following describes the necessary behavior for any WebAuthn Client (that does not also provide a U2F API or that wants to deprecate its U2F APIs) so that users may register security keys with Google accounts.

Google will eventually deprecate this behavior, therefore this behavior SHALL be controlled by a (new) WebAuthn registration extension "googleLegacyAppidSupport", which will take in a single boolean value.  When set to true, the "legacy behavior" defined below will be enabled; when set to false, the behavior will be disabled.  When not specified, the value of this extension is false. 

When receiving a WebAuthn create() request with an RP ID of google.com and the googleLegacyAppidSupport value set to true, the WebAuthn Client MUST: 1) only use the U2F transport protocol, 2) communicate only with roaming authenticators (that support U2F), and 3) use a hard-coded appID of https://www.gstatic.com/securitykey/origins.json


***Tweaks for get()***
We have previously filed bugs that describe the necessary WebAuth Client behavior changes here:
https://bugs.webkit.org/show_bug.cgi?id=196046
Comment 1 Radar WebKit Bug Importer 2019-10-01 13:19:55 PDT
<rdar://problem/55887473>
Comment 2 Jiewen Tan 2019-10-01 14:04:20 PDT
Created attachment 379948 [details]
Patch
Comment 3 Brent Fulgham 2019-10-02 11:51:41 PDT
This seems to have some API failures:

TestWebKitAPI.U2fCommandConstructorTest.TestConvertCtapMakeCredentialToU2fRegister
    Child process terminated with signal 4: Illegal instruction
Comment 4 Jiewen Tan 2019-10-03 01:49:21 PDT
Created attachment 380089 [details]
Patch
Comment 5 Brent Fulgham 2019-10-03 09:22:42 PDT
Comment on attachment 380089 [details]
Patch

Nice teamwork with Google, here :-)
Comment 6 Jiewen Tan 2019-10-03 09:54:44 PDT
Comment on attachment 380089 [details]
Patch

Thanks, Brent.
Comment 7 WebKit Commit Bot 2019-10-03 10:39:40 PDT
Comment on attachment 380089 [details]
Patch

Clearing flags on attachment: 380089

Committed r250659: <https://trac.webkit.org/changeset/250659>
Comment 8 WebKit Commit Bot 2019-10-03 10:39:41 PDT
All reviewed patches have been landed.  Closing bug.