Bug 202427 - [WebAuthn] Support googleLegacyAppidSupport extension
Summary: [WebAuthn] Support googleLegacyAppidSupport extension
Alias: None
Product: WebKit
Classification: Unclassified
Component: Platform (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Jiewen Tan
Keywords: InRadar
Depends on:
Blocks: 181943
  Show dependency treegraph
Reported: 2019-10-01 12:55 PDT by Alexei Czeskis
Modified: 2019-10-03 10:39 PDT (History)
9 users (show)

See Also:

Patch (24.93 KB, patch)
2019-10-01 14:04 PDT, Jiewen Tan
no flags Details | Formatted Diff | Diff
Patch (29.63 KB, patch)
2019-10-03 01:49 PDT, Jiewen Tan
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Alexei Czeskis 2019-10-01 12:55:41 PDT
Google launched support for U2F Security Keys long before FIDO2/WebAuthn existed.  As a result all Security Keys registered to Google Accounts are "bound" to the appID https://www.gstatic.com/securitykey/origins.json.

The add-account-flow in Android is burned in by OEMs and cannot be updated — as a result, many Android devices only know how to speak U2F to authenticators.  If Google were to begin registering Security Keys over WebAuthn — specifically, using an RP ID rather than an appID — Google users with Security Keys would not be able to sign into their accounts on the aforementioned Android devices.  While Google intends to move fully to WebAuthn, the transition will take some time.

***Tweaks for create()***
The following describes the necessary behavior for any WebAuthn Client (that does not also provide a U2F API or that wants to deprecate its U2F APIs) so that users may register security keys with Google accounts.

Google will eventually deprecate this behavior, therefore this behavior SHALL be controlled by a (new) WebAuthn registration extension "googleLegacyAppidSupport", which will take in a single boolean value.  When set to true, the "legacy behavior" defined below will be enabled; when set to false, the behavior will be disabled.  When not specified, the value of this extension is false. 

When receiving a WebAuthn create() request with an RP ID of google.com and the googleLegacyAppidSupport value set to true, the WebAuthn Client MUST: 1) only use the U2F transport protocol, 2) communicate only with roaming authenticators (that support U2F), and 3) use a hard-coded appID of https://www.gstatic.com/securitykey/origins.json

***Tweaks for get()***
We have previously filed bugs that describe the necessary WebAuth Client behavior changes here:
Comment 1 Radar WebKit Bug Importer 2019-10-01 13:19:55 PDT
Comment 2 Jiewen Tan 2019-10-01 14:04:20 PDT
Created attachment 379948 [details]
Comment 3 Brent Fulgham 2019-10-02 11:51:41 PDT
This seems to have some API failures:

    Child process terminated with signal 4: Illegal instruction
Comment 4 Jiewen Tan 2019-10-03 01:49:21 PDT
Created attachment 380089 [details]
Comment 5 Brent Fulgham 2019-10-03 09:22:42 PDT
Comment on attachment 380089 [details]

Nice teamwork with Google, here :-)
Comment 6 Jiewen Tan 2019-10-03 09:54:44 PDT
Comment on attachment 380089 [details]

Thanks, Brent.
Comment 7 WebKit Commit Bot 2019-10-03 10:39:40 PDT
Comment on attachment 380089 [details]

Clearing flags on attachment: 380089

Committed r250659: <https://trac.webkit.org/changeset/250659>
Comment 8 WebKit Commit Bot 2019-10-03 10:39:41 PDT
All reviewed patches have been landed.  Closing bug.