Allow authenticators that support both CTAP and U2F to try U2F if CTAP fails in authenticatorGetAssertion.
<rdar://problem/50879746>
<rdar://problem/50879747>
Created attachment 370100 [details] Patch
Comment on attachment 370100 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=370100&action=review > Source/WebKit/ChangeLog:16 > + to ask a potential U2F credential once a kCtap2ErrInvalidCredential error is returned regarding to the first CTAP request, I should probably relax all conditions to always downgrade to U2F whenever there is no responses to the first CTAP request.
Comment on attachment 370100 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=370100&action=review > Source/WebKit/UIProcess/WebAuthentication/fido/CtapHidAuthenticator.cpp:93 > + auto error = getResponseCode(data); I should probably relax all conditions to always downgrade to U2F whenever there is no responses to the first CTAP request.
Comment on attachment 370100 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=370100&action=review >> Source/WebKit/UIProcess/WebAuthentication/fido/CtapHidAuthenticator.cpp:93 >> + auto error = getResponseCode(data); > > I should probably relax all conditions to always downgrade to U2F whenever there is no responses to the first CTAP request. The reason behinds this decision is that CTAP2_ERR_NO_CREDENTIALS is recommended in the spec: https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#authenticatorGetAssertion. On contrary, I get CTAP2_ERR_INVALID_CREDENTIAL from some keys. Therefore, we should probably not check any error. Also, bad user agents might somehow prefer U2F over CTAP, and therefore relaying parties might not be aware of it and supply an appid to indicate a U2F credential should be used instead. Therefore, we should omit that check as well.
Created attachment 370163 [details] Patch
Comment on attachment 370163 [details] Patch Looks good. r=me
Created attachment 370165 [details] Patch
(In reply to Brent Fulgham from comment #8) > Comment on attachment 370163 [details] > Patch > > Looks good. r=me Sorry, Brent. I modified a test and uploaded a new patch which obsolete your r+ flag. Could you r+ it again?
Comment on attachment 370165 [details] Patch R=me
(In reply to Brent Fulgham from comment #11) > Comment on attachment 370165 [details] > Patch > > R=me Thanks Brent for r+ this patch.
Comment on attachment 370165 [details] Patch Clearing flags on attachment: 370165 Committed r245500: <https://trac.webkit.org/changeset/245500>
All reviewed patches have been landed. Closing bug.