Bug 241126

Summary: Error after calling navigator.credentials.get() twice
Product: WebKit Reporter: Simon Bluhm <simon.bluhm>
Component: WebKit Misc.Assignee: pascoe <pascoe>
Status: NEW ---    
Severity: Major CC: bfulgham, drmoerkerke, mjs, pascoe, webkit-bug-importer, wilander
Priority: P2 Keywords: InRadar
Version: Safari 15   
Hardware: iPhone / iPad   
OS: iOS 15   
See Also: https://bugs.webkit.org/show_bug.cgi?id=240134

Description Simon Bluhm 2022-05-31 05:46:50 PDT
I recently noticed that users of my web app are no longer able to signin using WebAuthn TouchID / fingerprint on iOS 15.5. The problem seems to be calling navigator.credentials.get() more than once. The first attempt is successful but calling navigator.credentials.get() a second time will result in the following error:

"This request has been cancelled by the user".

The only way to get around this is for the user to reload the website. This is problematic for Single Page Apps, especially if standalone, as the browser UI and refresh button are hidden.

The bug is also reproducible here: https://try-webauthn.appspot.com/
Comment 1 Radar WebKit Bug Importer 2022-05-31 14:39:58 PDT
<rdar://problem/94178936>
Comment 2 pascoe@apple.com 2022-05-31 14:47:17 PDT
It looks like we aren't registering the user gestures as being associated with navigator.credentials calls with this sample site. Looking into why this happens.