Bug 219813

Summary: `navigator.credentials.create()` returns immediately with `NotAllowedError` if credential already registered.
Product: WebKit Reporter: Lucas Garron <lgarron>
Component: WebKit Misc.Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: beidson, bfulgham, cdumez, commit-queue, darin, jiewen_tan, pascoe, tim.cappalli, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: Safari 14   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on: 231936    
Bug Blocks: 181943    
Attachments:
Description Flags
Patch
none
Patch
none
Patch
none
Patch
none
Patch
none
Patch none

Description Lucas Garron 2020-12-11 16:19:16 PST 
Per the WebAuthn spec (https://w3c.github.io/webauthn/#sctn-op-make-cred , step 3), errors returned from `navigator.credentials.get()` correspond to the following

- `InvalidStateError`: the user consented to create a new credential, but there are no authenticators that match the `authenticatorSelection` but aren't in `excludeCredentials`.
- `NotAllowedError`: the user did not consent to create a new credential

The most obvious case for "did not consent to create a new credential" is if the user pressed "cancel". However, it seems Safari also does the same if trying to register a platform authenticator (Touch ID or Face ID) that is already registered.

While other browsers allow the user to interact with the prompt, e.g. Safari on macOS 11.0 Big Sur flashes `Do you want to allow "example.com"' to use Touch ID` (with the options "Don't allow" and "OK") but immediately replaces it with `You have already set up Touch ID for this website.` (with only the option "OK").

This makes it impossible to tell if the user intended to create a credential, and for the RP (website) to offer a more useful option based on `InvalidStateError`.

I don't know if this is a bug, but I wanted to make sure it was not an accident.
The user experience (with the flashing prompt) is not great, so I think there is room for some improvement, either in the browser, or in the website's reaction to the error. It's unclear to me if any of the bugs here cover this issue: https://bugs.webkit.org/buglist.cgi?bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&field0-0-0=product&field0-0-1=component&field0-0-2=alias&field0-0-3=short_desc&field0-0-4=status_whiteboard&field0-0-5=content&list_id=6674120&order=changeddate%20DESC%2Cbug_status%2Cpriority%2Cassigned_to%2Cbug_id&query_format=advanced&type0-0-0=substring&type0-0-1=substring&type0-0-2=substring&type0-0-3=substring&type0-0-4=substring&type0-0-5=matches&value0-0-0=webauthn&value0-0-1=webauthn&value0-0-2=webauthn&value0-0-3=webauthn&value0-0-4=webauthn&value0-0-5=%22webauthn%22
Comment 1 Radar WebKit Bug Importer 2020-12-18 16:20:16 PST 
<rdar://problem/72484635>
Comment 2 pascoe@apple.com 2021-10-15 15:38:24 PDT 
Created attachment 441440 [details]
Patch
Comment 3 Brent Fulgham 2021-10-15 15:52:28 PDT 
Comment on attachment 441440 [details]
Patch

r=me
Comment 4 pascoe@apple.com 2021-10-18 10:00:43 PDT 
Created attachment 441621 [details]
Patch
Comment 5 EWS 2021-10-18 17:07:36 PDT 
Committed r284413 (243182@main): <https://commits.webkit.org/243182@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 441621 [details].
Comment 6 WebKit Commit Bot 2021-10-18 20:14:01 PDT 
Re-opened since this is blocked by bug 231936
Comment 7 Brady Eidson 2021-10-18 20:17:58 PDT 
Reverted in https://trac.webkit.org/changeset/284429/webkit
Comment 8 pascoe@apple.com 2021-10-19 13:24:01 PDT 
Created attachment 441781 [details]
Patch
Comment 9 pascoe@apple.com 2021-10-19 13:59:02 PDT 
Created attachment 441790 [details]
Patch
Comment 10 Chris Dumez 2021-10-19 14:04:36 PDT 
Comment on attachment 441790 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=441790&action=review

> Source/WebKit/ChangeLog:11
> +        A fixme to add this was inadvertently removed in  https://bugs.webkit.org/attachment.cgi?id=393180&action=prettypatch

nit: extra space before URL

> Source/WebKit/ChangeLog:13
> +        Reviewed by NOBODY (OOPS!).

This is supposed to come *before* the description, not after.
Comment 11 pascoe@apple.com 2021-10-19 14:20:07 PDT 
Created attachment 441798 [details]
Patch
Comment 12 Brent Fulgham 2021-10-19 14:26:05 PDT 
Comment on attachment 441798 [details]
Patch

r=me (and Chris)
Comment 13 Brent Fulgham 2021-10-19 16:40:39 PDT 
Waiting for iOS-wk2 to finish before adding cq+
Comment 14 pascoe@apple.com 2021-10-19 17:34:41 PDT 
Created attachment 441826 [details]
Patch
Comment 15 EWS 2021-10-20 08:01:48 PDT 
Committed r284532 (243274@main): <https://commits.webkit.org/243274@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 441826 [details].
Comment 16 Darin Adler 2021-10-20 12:03:37 PDT 
Comment on attachment 441826 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=441826&action=review

> Source/WebKit/ChangeLog:2
> +2021-10-19  John Pascoe  <j_pascoe@apple.com>
> +        [WebAuthn] Obtain consent to create new credential when platform authenticator in excludedCredentials

Trivial formatting mistake: there should be a blank line here.