Bug 225646

Summary: [WebAuthn] excludeCredentials is ignored if using FaceID
Product: WebKit Reporter: Joshua Rüsweg <ruesweg+bugswebkitorg>
Component: WebCore Misc.Assignee: pascoe <pascoe>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, duesterhus, pascoe, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: Safari 14   
Hardware: iPhone / iPad   
OS: iOS 14   
Attachments:
Description Flags
Video demonstrating the bug.
none
Patch none

Description Joshua Rüsweg 2021-05-11 03:13:14 PDT 
Created attachment 428260 [details]
Video demonstrating the bug.

On iOS 14.5.1 (iPhone 12 Pro) the excludeCredentials parameter (https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialcreationoptions-excludecredentials) for WebAuthn is ignored for FaceID. 

If I am adding the FaceID key to the excludeCredentials and I want to add another key, you can select the already registered FaceID for registering again. If you select FaceID, the Webkit-Webauthn-Loader is looping infinitely (see video).

The expected behaviour would be, that iOS does not allow to select FaceID or, imo the much better solution, throwing a InvalidStateError (see https://github.com/w3c/webauthn/issues/1566)

iPadOS 14.4.2 (iPad Pro, 12.9", 3. Generation) does not offer to register FaceID twice, if the FaceID key is provided via the excludeCredentials parameter. With iPadOS 14.5.1 i can reproduce the issue on the same iPad.

I have added a short video, demonstrating the problem, iff the FaceID key is provided within the excludeCredentials parameter.

The bug only affects the FaceID implementation. The security key implementation works fine.
Comment 1 Radar WebKit Bug Importer 2021-05-18 03:14:18 PDT 
<rdar://problem/78147681>
Comment 2 pascoe@apple.com 2022-03-03 13:49:39 PST 
Created attachment 453783 [details]
Patch
Comment 3 Brent Fulgham 2022-03-04 11:47:58 PST 
Comment on attachment 453783 [details]
Patch

r=me
Comment 4 EWS 2022-03-04 12:34:24 PST 
Committed r290840 (248076@main): <https://commits.webkit.org/248076@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 453783 [details].
Comment 5 Brent Fulgham 2022-05-26 14:48:02 PDT 
This fix shipped with Safari 15.5 (all platforms).