Bug 213187 - [WebAuthn] The support of the GetAssertion response without containing a credential case
Status: RESOLVED WONTFIX
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit Misc.
Version: Safari Technology Preview
Hardware: Mac macOS 10.15
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks: 181943
Reported: 2020-06-15 01:27 PDT by nuno.sung
Modified: 2022-02-12 23:10 PST (History)
Description nuno.sung 2020-06-15 01:27:30 PDT
[Environment]
Test Device: MacBook Pro (2013)
OS: macOS 10.15.5
Safari Technology Preview Release 108

[Repro Steps]
1. Test https://webauthntest.azurewebsites.net/#
2. Create a credential without modifying any settings.
3. Make sure there is only one created credential on the web page.
4. Run Get credential and leave "Use allowCredentials" checked.
5. The response from the authenticator will omit the credential (0x01) member if the allowList has exactly one Credential.
6. The result is not okay.
7. But if the key has the support of U2F, another U2F_AUTH request/response will be processed and the result is okay.

[Ref.]
1. "May be omitted if the allowList has exactly one Credential." in the description of GetAssertion response table under
https://fidoalliance.org/specs/fido2/fido-client-to-authenticator-protocol-v2.1-rd-20191217.html#authenticatorGetAssertion

2. 
// When the response from the authenticator does not contain a credential and
// the allow list from the GetAssertion request only contains a single
// credential id, manually set credential id in the returned response.
https://chromium.googlesource.com/chromium/src/+/refs/heads/master/device/fido/get_assertion_request_handler.cc#187
Comment 1 Alexey Proskuryakov 2020-07-10 13:10:46 PDT
Since there is no Radar linked, temporarily removing the InRadar keyword to have this bug re-import.
Comment 2 Radar WebKit Bug Importer 2020-07-10 13:10:58 PDT
<rdar://problem/65359329>
Comment 3 Jiewen Tan 2020-07-28 00:54:04 PDT
(In reply to nuno.sung from comment #0)
> [Environment]
> Test Device: MacBook Pro (2013)
> OS: macOS 10.15.5
> Safari Technology Preview Release 108
> 
> [Repro Steps]
> 1. Test https://webauthntest.azurewebsites.net/#
> 2. Create a credential without modifying any settings.
> 3. Make sure there is only one created credential on the web page.
> 4. Run Get credential and leave "Use allowCredentials" checked.
> 5. The response from the authenticator will omit the credential (0x01) member if the allowList has exactly one Credential.
> 6. The result is not okay.
> 7. But if the key has the support of U2F, another U2F_AUTH request/response will be processed and the result is okay.
> 
> [Ref.]
> 1. "May be omitted if the allowList has exactly one Credential." in the description of GetAssertion response table under
> https://fidoalliance.org/specs/fido2/fido-client-to-authenticator-protocol-v2.1-rd-20191217.html#authenticatorGetAssertion
> 
> 2. 
> // When the response from the authenticator does not contain a credential and
> // the allow list from the GetAssertion request only contains a single
> // credential id, manually set credential id in the returned response.
> https://chromium.googlesource.com/chromium/src/+/refs/heads/master/device/fido/get_assertion_request_handler.cc#187

May I ask what model of authenticator you are using?
Comment 5 nuno.sung 2020-08-21 06:09:19 PDT
The new FIDO2.x spec will remove this:
https://github.com/fido-alliance/fido-2-specs/pull/956
Comment 6 login Llama 2020-08-25 19:46:25 PDT
CTAP2.1 removes the optimization. The WG doesn't know of any authenticators that actually do the optimization in CTAP2.0 or 2.0_Pre. However they are not all knowing. Platforms should expect to deal with it in CTAP2.0/2.1_Pre.
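The platform-side handling the report and comment 6 describe, as an added example that is neither WebKit's nor the reporter's code: a minimal decoder for the CTAP2 authenticatorGetAssertion response (status byte plus CBOR map) that fills in the omitted credential (0x01) member from a single-entry allowList, the way the quoted Chromium comment does. The response bytes, the credential id `aabb` and the function names are constructed for this example.

```python
# Added example (not WebKit's or the reporter's code): parse a CTAP2
# authenticatorGetAssertion response and apply the platform-side fallback the
# report describes: if the credential (0x01) member is absent and the request's
# allowList held exactly one credential, reuse that id. Decodes only the CBOR
# subset CTAP2 uses; the sample responses at the bottom are constructed.
def _decode(buf, pos=0):
    """Decode one CBOR item starting at buf[pos]; return (item, next_pos)."""
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:
        arg = info
    elif info <= 27:                               # 1/2/4/8-byte argument
        size = 1 << (info - 24)
        arg = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    else:
        raise ValueError("indefinite-length items are not allowed in CTAP2")
    if major == 0:                                 # unsigned integer
        return arg, pos
    if major == 2:                                 # byte string
        return bytes(buf[pos:pos + arg]), pos + arg
    if major == 3:                                 # UTF-8 text string
        return buf[pos:pos + arg].decode("utf-8"), pos + arg
    if major in (4, 5):                            # array or map
        out = [] if major == 4 else {}
        for _ in range(arg):
            key, pos = _decode(buf, pos)
            if major == 4:
                out.append(key)
            else:
                val, pos = _decode(buf, pos)
                out[key] = val
        return out, pos
    raise ValueError("unsupported CBOR major type %d" % major)

def parse_get_assertion(response, allow_list):
    """response = CTAP status byte + CBOR map; allow_list = credential ids sent."""
    if response[0] != 0x00:
        raise ValueError("authenticator returned CTAP error 0x%02x" % response[0])
    body, _ = _decode(response, 1)
    if 0x01 not in body:
        # CTAP2.0: "May be omitted if the allowList has exactly one Credential."
        # CTAP2.1 drops this optimization, but a platform must still expect it.
        if len(allow_list) != 1:
            raise ValueError("credential omitted but allowList is not a single entry")
        body[0x01] = {"type": "public-key", "id": allow_list[0]}
    return {"credential": body[0x01], "authData": body[0x02], "signature": body[0x03]}

# Constructed samples: same authData/signature, with and without the 0x01 member.
ALLOW_LIST = [bytes.fromhex("aabb")]
FULL_RESPONSE = bytes.fromhex("00a301a262696442aabb64747970656a7075626c69632d6b65790244deadbeef0343010203")
OMITTED_RESPONSE = bytes.fromhex("00a20244deadbeef0343010203")
```

With a two-entry allowList the omitted-credential response is rejected instead of guessed, which is the check a platform needs before trusting the fallback.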