Bug 203200 - [WebAuthn] Support appidExclude enrollment extension
Summary: [WebAuthn] Support appidExclude enrollment extension
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: Safari Technology Preview
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
Duplicates: 217050
Depends on:
Reported: 2019-10-21 12:31 PDT by Casey Piper
Modified: 2020-09-28 12:10 PDT
CC: 3 users
Description Casey Piper 2019-10-21 12:31:46 PDT
For relying parties that previously enrolled security keys via the U2F enrollment protocol, keys are bound to an application identifier, rather than the relying party id to which WebAuthn enrollments are bound.

Since WebAuthn is meant to be backwards compatible with enrollments via U2F, the authentication extension appid can be provided during authentication [1]. Similarly, to prevent reregistration of the same credential when doing a WebAuthn enrollment, an extension [appidExclude] was added to the WebAuthn specification to first check if a key was enrolled via U2F before completing the WebAuthn enrollment [2][3] and report the key as already registered if so.

[1] https://bugs.webkit.org/show_bug.cgi?id=143491
[2] https://github.com/w3c/webauthn/pull/1244
[3] https://w3c.github.io/webauthn/#sctn-appid-exclude-extension
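The relying-party side of the flow described above, as an added example that is not part of the bug report or of WebKit's code: a site that migrated from U2F keeps the legacy AppID its keys were bound to, lists the stored U2F key handles in excludeCredentials alongside its WebAuthn credential IDs, and passes the AppID as the appidExclude extension so the client can match the U2F entries (which would otherwise never match because they are bound to the AppID, not the RP ID). A match surfaces to the page as an InvalidStateError, which the example maps to "already-registered". The AppID URL, RP ID, user and key-handle values are constructed placeholders; the function names are the example's own.

```javascript
// Added example (not WebKit's or the reporter's code): relying-party usage of
// the appidExclude registration extension for keys originally enrolled via U2F.
// All concrete values below (AppID URL, RP ID, IDs, handles) are constructed.

const LEGACY_APP_ID = "https://login.example.com/u2f-app-id.json"; // constructed
const RP_ID = "example.com";                                      // constructed

// Decode base64url, the usual storage encoding for key handles and credential IDs.
function base64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (s.length % 4)) % 4);
  const bin = typeof atob === "function"
    ? atob(b64)
    : Buffer.from(b64, "base64").toString("binary");
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

// Local sanity check on the AppID before sending it: the extension is only
// meaningful for an https URL. The client separately verifies that the calling
// origin is a valid facet of the AppID; that cannot be checked from page script.
function isUsableAppId(appId) {
  try {
    return new URL(appId).protocol === "https:";
  } catch {
    return false;
  }
}

// Build PublicKeyCredentialCreationOptions for a user who has U2F key handles
// (bound to LEGACY_APP_ID) and possibly WebAuthn credentials (bound to RP_ID).
function buildCreationOptions({ userId, userName, challenge, u2fKeyHandles, webauthnCredentialIds }) {
  if (!isUsableAppId(LEGACY_APP_ID)) throw new Error("appidExclude requires an https AppID");
  const toDescriptor = (id) => ({ type: "public-key", id: base64urlToBytes(id) });
  return {
    publicKey: {
      rp: { id: RP_ID, name: "Example Corp" },
      user: { id: base64urlToBytes(userId), name: userName, displayName: userName },
      challenge: base64urlToBytes(challenge),
      pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }],
      // Both U2F key handles and WebAuthn credential IDs are excluded; without
      // appidExclude the U2F entries could never match because of the RP ID mismatch.
      excludeCredentials: [...u2fKeyHandles, ...webauthnCredentialIds].map(toDescriptor),
      extensions: { appidExclude: LEGACY_APP_ID },
    },
  };
}

// An excluded credential present on the authenticator is reported to the page
// as an InvalidStateError, i.e. the key is already registered for this account.
function classifyRegistrationError(err) {
  if (err && err.name === "InvalidStateError") return "already-registered";
  if (err && err.name === "NotAllowedError") return "cancelled-or-timeout";
  return "other";
}

// True when the client reports that it processed appidExclude for this request.
function appidExcludeApplied(credential) {
  const results = credential.getClientExtensionResults();
  return results.appidExclude === true;
}

// Browser entry point; returns null outside a browser so the module loads under Node.
async function registerSecurityKey(params) {
  if (typeof navigator === "undefined" || !navigator.credentials) return null;
  try {
    const cred = await navigator.credentials.create(buildCreationOptions(params));
    return { status: "registered", credentialId: cred.id, appidExclude: appidExcludeApplied(cred) };
  } catch (err) {
    return { status: classifyRegistrationError(err) };
  }
}
```

In a browser, `registerSecurityKey` is called with the user's stored handles from the server; a client that does not implement the extension (the subject of this bug) simply ignores it, `getClientExtensionResults().appidExclude` stays unset, and a U2F-enrolled key is registered a second time rather than rejected.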
Comment 1 Jiewen Tan 2019-10-21 12:36:43 PDT
Will track this in an upcoming level 2 umbrella.
Comment 2 Jiewen Tan 2020-09-28 12:10:49 PDT
*** Bug 217050 has been marked as a duplicate of this bug. ***