Bug 224042

Summary:

[Webauthn] navigator.credentials.create, with direct attestation, throws 'NotAllowedError.' error on MacOS11 M1 Chip

Product:

WebKit

Reporter:

SG <siddharth.gupta26>

Component:

WebKit Misc.

Assignee:

pascoe <pascoe>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

cyril.labbe, d.bussink, hgomi, jiewen_tan, loginllama, matthew, pascoe, timcappalli, webkit-bug-importer, webkit-bugzilla

Priority:

Keywords:

InRadar

Version:

Safari 14

Hardware:

Mac (Apple Silicon)

OS:

macOS 11

Attachments:

Description	Flags
error popup on webauthn.me	none
mac os & chipset reference	none

Reported 2021-04-01 02:15:23 PDT

navigator.credentials.create throws 'NotAllowedError: This request has been cancelled by the user.' error when "direct" attestation is requested on MacOS Big Sur, Safari 14 browser Request navigator.credentials.create({publicKey: { "rp": { "id": "", "name": "" }, "user": { "name": "", "displayName": "", "id": }, "challenge": "pubKeyCredParams": [ { "type": "public-key", "alg": -7 } ], "authenticatorSelection": { "authenticatorAttachment": "platform" }, "attestation": "direct" }}) Response NotAllowedError: This request has been cancelled by the user.

Attachments
error popup on webauthn.me (933.13 KB, image/png) 2021-07-20 07:31 PDT, Cyril Labbe	no flags	Details
mac os & chipset reference (330.73 KB, image/png) 2021-07-20 07:31 PDT, Cyril Labbe	no flags	Details
View All Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2021-04-08 02:16:21 PDT

<rdar://problem/76390431>

Cyril Labbe

Comment 2 2021-07-20 07:31:29 PDT

Created attachment 433873 [details] error popup on webauthn.me

Cyril Labbe

Comment 3 2021-07-20 07:31:54 PDT

Created attachment 433874 [details] mac os & chipset reference

Cyril Labbe

Comment 4 2021-07-20 07:33:26 PDT

issue also reported on the fido-dev google group https://groups.google.com/a/fidoalliance.org/g/fido-dev/c/BHYtIkLTZbM happens when attestation is "direct" or "indirect", not when "none" happens on MacBook Pro M1 (no issue on intel MacBook) the attestation ceremony proceed normally regarding the user (allows the domain to perform webauthn then use touchid), but ends up on an error popup

pascoe@apple.com

Comment 5 2021-11-11 09:19:49 PST

*** Bug 232950 has been marked as a duplicate of this bug. ***

Dirkjan Bussink

Comment 6 2021-12-16 02:19:15 PST

I'm also hitting this issue on trying to register with TouchID with Okta. It reproduces as well on https://webauthn.me/debugger when registering with the attestation set to "direct" or "indirect". It works when it's set to "none".

Comment 7 2022-02-09 15:13:58 PST

With attestation Direct On Intel Safari 15.4 I get a not allowed error when Syncing platform authenticator is disabled. When Syncing platform authenticator is enabled it works as expected. On M1 Safari 15.2 and STP 140 I get "The operation cannot be completed" if Syncing platform authenticator is enabled or disabled. The expected behavior is that the browser should return an attestation of type none if the authenticator doesn't support attestation. There is a WebAuthn issue to track this https://github.com/w3c/webauthn/issues/1697 It is possible that WebAuthn Level 3 will need to be updated to be more explicit on this so that platforms are consistent.

pascoe@apple.com

Comment 8 2022-02-09 15:26:04 PST

Hi, thank you for this report. We have identified the cause of this bug and a fix will be included in a future release. You can test attestation on M1 now by installing both the public beta of macOS 12.3 and Safari Technical Preview 139.

Dirkjan Bussink

Comment 9 2022-03-17 12:24:45 PDT

I don't think this issue is fixed. I just tried on an M1 with 12.3 and the problem still exists and I can't register with any attestation configured.

Dirkjan Bussink

Comment 10 2022-03-22 12:20:40 PDT

Also tested on a non M1 Mac with 12.3 and it errors out now also there, so I think it's been a regression on all platforms? I see now a "NotAllowedError: This request has been cancelled by the user." when trying to register on https://webauthn.me/debugger

Comment 11 2022-03-22 14:59:27 PDT

An M1 with STP 141 on OSX 12.3 gives me "The operation cannot be completed" if attestation is direct for the platform authenticator.

Hidehito Gomi

Comment 12 2022-03-29 18:31:48 PDT

I don't think this is fixed. There seems to be a regression on non-M1 (Intel) chip. I tested on an Intel Core i7 Macbook Pro (macOS Monterey 12.3) with Safari 15.4 and Safari Technology Preview 141, using TouchID. navigator.credentials.create in each case threw 'NotAllowedError: This request has been cancelled by the user.' error when "direct" or "indirect" attestation for "platform" authenticator was requested.

pascoe@apple.com

Comment 13 2022-03-31 10:29:51 PDT

The fix for this issue is available in today's macOS Monterey‌‌‌ 12.3‌‌.1 update.

Dirkjan Bussink

Comment 14 2022-04-16 09:06:59 PDT

Can confirm that this is now fixed in 12.3.1 on both an M1 Mac and an Intel Mac.

Note You need to log in before you can comment on or make changes to this bug.