Bug 251817

Summary: WebAuthn conditional UI works, but consistently raises "NotAllowedError: Operation Failed" on every other page reload
Product: WebKit Reporter: matthew
Component: WebKit Misc.Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: pascoe, ryan
Priority: P2    
Version: Safari 16   
Hardware: iPhone / iPad   
OS: iOS 16   
Attachments:
Description Flags
The page seems to work fine to the end user
none
Console output from Reload 1
none
Console output from Reload 2 none

matthew
Reported 2023-02-06 14:51:59 PST
I have the following basic HTML document that initializes WebAuthn's conditional UI: ``` <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8" /> <meta http-equiv="X-UA-Compatible" content="IE=edge" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <title>Document</title> </head> <body> <form action=""> <input type="text" autocomplete="username webauthn" /> <button>Submit</button> </form> <script> navigator.credentials .get({ publicKey: { challenge: new Uint8Array([1, 2, 3, 4]), allowCredentials: [], }, mediation: 'conditional', }) .then(console.log) .catch(console.error); </script> </body> </html> ``` When I load the page in Safari, conditional UI seems to work fine every time - I get prompted to log in with a saved passkey when the input receives focus. However when I inspect the page from my macOS device, I see weird alternating behavior: ## Reload 1 - A warning that, "User gesture is not detected. To use the WebAuthn API, call 'navigator.credentials.create' or 'navigator.credentials.get' within user activated events." ## Reload 2 - A warning saying, "User gesture is not detected. To use the WebAuthn API, call 'navigator.credentials.create' or 'navigator.credentials.get' within user activated events." - An error from the `.catch()` handler on the `.get()` Promise saying, "NotAllowedError: Operation failed." These two error states reliably alternate with each other in this order, no matter how many times I reload the page: - Reload 1 - Reload 2 - Reload 1 - Reload 2 - etc... To reiterate, the page seems to function fine to the end user, but the is making it impossible to truly understand whether Conditional UI is working or not.
Attachments
The page seems to work fine to the end user (155.07 KB, image/png)
2023-02-06 14:52 PST, matthew 		no flags
Details
Console output from Reload 1 (44.41 KB, image/png)
2023-02-06 14:52 PST, matthew 		no flags
Details
Console output from Reload 2 (47.52 KB, image/png)
2023-02-06 14:52 PST, matthew 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
matthew
Comment 1 2023-02-06 14:52:22 PST
Created attachment 464873 [details] The page seems to work fine to the end user
matthew
Comment 2 2023-02-06 14:52:44 PST
Created attachment 464874 [details] Console output from Reload 1
matthew
Comment 3 2023-02-06 14:52:52 PST
Created attachment 464875 [details] Console output from Reload 2
matthew
Comment 4 2023-02-06 15:04:50 PST
It turns out the "User gesture is not detected" warning stops appearing if I tap the reload icon on Safari on the iPhone. I was often Cmd+R'ing the page from the remote Web Inspector displayed on my macOS device. So to clarify, this issue is specifically about the "NotAllowedError: Operation failed" being thrown consistently on every other page load despite nothing changing in the code.
matthew
Comment 5 2023-02-06 15:21:17 PST
Experimenting a bit more, if I actually go through with the conditional UI prompt on each page load the subsequent page reload works fine - no error, conditional UI promise resolves with a response from `.get()`. But if I reload the page multiple times then I start to see this alternating pattern of "error -> no error -> error -> no error..." And when I don't see the `NotAllowedError` in the console on page load, conditional UI resolves as expected after selecting a passkey. When I reload the page and see `NotAllowedError`, an attempt to complete conditional UI neither resolves nor rejects the promise (I guess because the `NotAllowedError` already rejected the promise?)
pascoe@apple.com
Comment 6 2023-02-07 14:59:50 PST
*** This bug has been marked as a duplicate of bug 250589 ***
Note You need to log in before you can comment on or make changes to this bug.