Bug 232501

Summary: Authenticator is not falling back to clientPIN after internal verification fails and is blocked.
Product: WebKit
Component: WebCore Misc.
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
Version: Safari Technology Preview
Hardware: Unspecified
OS: Unspecified
Reporter: login Llama <loginllama>
Assignee: pascoe <pascoe>
CC: bfulgham, darin, ews-watchlist, jiewen_tan, katherine_cheney, pascoe, webkit-bug-importer
Keywords: InRadar
Attachments:
- Patch (flags: none)
- Patch (flags: none)
- Patch (flags: none)

Description login Llama 2021-10-29 11:32:10 PDT
Thanks for fixing https://bugs.webkit.org/show_bug.cgi?id=213903

I tested that it works on OSX STP 134.

However in testing I discovered that Safari is not detecting that internal UV is blocked and falling back to getPinToken (CTAP2.0) or getPinUvAuthTokenUsingUvWithPermissions (CTAP2.1).

Safari should fall back when it receives the CTAP2.0 CTAP2_ERR_PIN_REQUIRED error and/or when the CTAP2.1 uvRetries <= 0.

That is the current behavior of Chrome and Windows.  

I grant you that the CTAP2.0 spec is less clear on this point than one might hope.

CTAP2.1 https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html is clearer on how platforms should fall back to clientPin for CTAP2.0 authenticators than the CTAP2.0 spec was.

Regards
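
The fallback decision requested in the description, as an added C++ example (not WebKit's code and not the landed patch). The type and function names and the `uvRetriesUnknown` sentinel are hypothetical; the status and subcommand values are taken from the CTAP 2.1 specification, and the example assumes getPinUvAuthTokenUsingPinWithPermissions (0x09) is the PIN subcommand used on CTAP2.1 authenticators.

```cpp
#include <cstdint>

// CTAP status codes, values per the CTAP 2.1 specification.
enum class CtapStatus : uint8_t {
    Ok = 0x00,
    PinRequired = 0x36, // CTAP2_ERR_PIN_REQUIRED
    UvBlocked = 0x3C,   // CTAP2_ERR_UV_BLOCKED
    UvInvalid = 0x3F,   // CTAP2_ERR_UV_INVALID
};

// authenticatorClientPIN subcommands that return a PIN-derived token.
enum class PinSubCommand : uint8_t {
    None = 0x00,
    GetPinToken = 0x05,                              // CTAP2.0
    GetPinUvAuthTokenUsingPinWithPermissions = 0x09, // CTAP2.1
};

// Subset of the authenticatorGetInfo options relevant to the decision.
struct AuthenticatorOptions {
    bool clientPin;      // a PIN is set on the authenticator
    bool pinUvAuthToken; // CTAP2.1 permission-scoped tokens are supported
};

enum class Action { Done, RetryBuiltInUv, FallBackToPin, Fail };

struct NextStep {
    Action action;
    PinSubCommand subCommand;
};

constexpr int uvRetriesUnknown = -1; // hypothetical sentinel: no uvRetries value available

// Decides what the platform does after a built-in user verification attempt.
NextStep nextStepAfterBuiltInUv(AuthenticatorOptions options, CtapStatus status, int uvRetries)
{
    if (status == CtapStatus::Ok)
        return { Action::Done, PinSubCommand::None };
    // Built-in UV is unusable once the authenticator asks for a PIN,
    // reports UV blocked, or has no UV retries left.
    bool uvExhausted = status == CtapStatus::PinRequired || status == CtapStatus::UvBlocked
        || (uvRetries != uvRetriesUnknown && uvRetries <= 0);
    if (!uvExhausted)
        return { status == CtapStatus::UvInvalid ? Action::RetryBuiltInUv : Action::Fail, PinSubCommand::None };
    if (!options.clientPin)
        return { Action::Fail, PinSubCommand::None }; // no PIN to fall back to
    return { Action::FallBackToPin, options.pinUvAuthToken
        ? PinSubCommand::GetPinUvAuthTokenUsingPinWithPermissions : PinSubCommand::GetPinToken };
}
```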
Comment 1 Radar WebKit Bug Importer 2021-11-01 20:46:34 PDT
<rdar://problem/84913636>
Comment 2 login Llama 2021-11-02 09:04:03 PDT
For FIDO members, this is the relevant issue on clarifying the platform actions section of the CTAP 2.1 specification on PIN fallback.
https://github.com/fido-alliance/fido-2-specs/issues/1303
Comment 3 pascoe@apple.com 2021-12-20 15:05:03 PST
Created attachment 447649
Patch
Comment 4 pascoe@apple.com 2021-12-20 15:07:29 PST
Created attachment 447650
Patch
Comment 5 pascoe@apple.com 2021-12-20 15:09:37 PST
Created attachment 447651
Patch
Comment 6 EWS 2021-12-21 08:10:24 PST
Committed r287315 (245467@main): <https://commits.webkit.org/245467@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 447651.
Comment 7 login Llama 2021-12-23 06:56:47 PST
I don't see this change in STP 137 yet.  

Let me know when I can retest.

Thanks
Comment 8 login Llama 2022-02-09 14:46:50 PST
Change tested and working in STP 140

Thanks