Bug 239737

Summary:	WebAuthn userHandle must be null, not empty string
Product:	WebKit	Reporter:	Boris Lykah <lykahb>
Component:	WebCore Misc.	Assignee:	pascoe <pascoe>
Status:	RESOLVED FIXED
Severity:	Normal	CC:	henrik.willert, pascoe, tmj.chu, webkit-bug-importer
Priority:	P2	Keywords:	InRadar
Version:	Safari 15
Hardware:	Mac (Intel)
OS:	macOS 12

Boris Lykah

Reported 2022-04-25 11:55:37 PDT

The WebAuthn implementation returns userHandle: "", which does not conform to this part of the spec: https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialuserentity-id This breaks the checks on my Relying Party server. The same security key returns userHandle null on Firefox and Chromium. So it seems Safari replaces null with an empty string. Steps to reproduce: 1. Open https://webauthn.io 2. Register YubiKey or another cross-platform security key. Registration with TouchID does not reproduce the issue. 3. Authenticate. On Safari 15 just activate the security key. On Safari Technology Preview choose "Account from Security Key". 4. Observe that the network request with the assertion has userHandle: "". It must be null to conform to the spec. This bug may be related to https://bugs.webkit.org/show_bug.cgi?id=191521 [WebAuthN] UserHandle can be null.

Attachments
Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2022-04-25 18:05:32 PDT

<rdar://problem/92305724>

tmj.chu

Comment 2 2022-11-20 23:25:35 PST

Hi everyone, I am still seeing that this bug is still happening with Safari.

henrik.willert

Comment 3 2024-01-10 01:17:04 PST

This nonconformity currently causes the Yubico java-webauthn-server library to to throw an exception for logins in Safari with a security key. https://github.com/Yubico/java-webauthn-server/issues/327 https://github.com/Yubico/java-webauthn-server/issues/194 It's probably the same for other libraries abiding to the spec. We're advising our Safari users to migrate to other browsers, but would strongly prefer a patch in Safari.

pascoe@apple.com

Comment 4 2024-01-11 15:39:57 PST

https://github.com/WebKit/WebKit/pull/22681

EWS

Comment 5 2024-03-04 19:31:14 PST

Committed 275669@main (04d4979c9e1d): <https://commits.webkit.org/275669@main> Reviewed commits have been landed. Closing PR #22681 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.