RESOLVED WONTFIX 213187
[WebAuthn] The support of the GetAssertion response without containing a credential case 
https://bugs.webkit.org/show_bug.cgi?id=213187
Summary [WebAuthn] The support of the GetAssertion response without containing a cred...
nuno.sung
Reported 2020-06-15 01:27:30 PDT
[Environment] Test Device: MacBook Pro (2013) OS: macOS 10.15.5 Safari Technology Preview Release 108 [Repro Steps] 1. Test https://webauthntest.azurewebsites.net/# 2. Create a credential without modifying any settings. 3. Make sure only one created credential on the web page. 4. Run Get credential and let "Use allowCredentials" checked. 5. The response from authenticator will omit the credential(0x01) member if the allowList has exactly one Credential. 6. The result is not okay. 7. But if the key has the support of U2F, annother U2F_AUTH request/response will be processed and result is okay. [Ref.] 1. "May be omitted if the allowList has exactly one Credential." in the description of GetAssertion response table under https://fidoalliance.org/specs/fido2/fido-client-to-authenticator-protocol-v2.1-rd-20191217.html#authenticatorGetAssertion 2. // When the response from the authenticator does not contain a credential and // the allow list from the GetAssertion request only contains a single // credential id, manually set credential id in the returned response. https://chromium.googlesource.com/chromium/src/+/refs/heads/master/device/fido/get_assertion_request_handler.cc#187
Attachments
Add attachment proposed patch, testcase, etc.
Alexey Proskuryakov
Comment 1 2020-07-10 13:10:46 PDT
Since there is no Radar linked, temporarily removing the InRadar keyword to have this bug re-import.
Radar WebKit Bug Importer
Comment 2 2020-07-10 13:10:58 PDT
<rdar://problem/65359329>
Jiewen Tan
Comment 3 2020-07-28 00:54:04 PDT
(In reply to nuno.sung from comment #0) > [Environment] > Test Device: MacBook Pro (2013) > OS: macOS 10.15.5 > Safari Technology Preview Release 108 > > [Repro Steps] > 1. Test https://webauthntest.azurewebsites.net/# > 2. Create a credential without modifying any settings. > 3. Make sure only one created credential on the web page. > 4. Run Get credential and let "Use allowCredentials" checked. > 5. The response from authenticator will omit the credential(0x01) member if > the allowList has exactly one Credential. > 6. The result is not okay. > 7. But if the key has the support of U2F, annother U2F_AUTH request/response > will be processed and result is okay. > > [Ref.] > 1. "May be omitted if the allowList has exactly one Credential." in the > description of GetAssertion response table under > https://fidoalliance.org/specs/fido2/fido-client-to-authenticator-protocol- > v2.1-rd-20191217.html#authenticatorGetAssertion > > 2. > // When the response from the authenticator does not contain a credential and > // the allow list from the GetAssertion request only contains a single > // credential id, manually set credential id in the returned response. > https://chromium.googlesource.com/chromium/src/+/refs/heads/master/device/ > fido/get_assertion_request_handler.cc#187 May I ask what model of authenticator you are using?
nuno.sung
Comment 5 2020-08-21 06:09:19 PDT
New Fido2.x spec will remove this https://github.com/fido-alliance/fido-2-specs/pull/956
login Llama
Comment 6 2020-08-25 19:46:25 PDT
CTAP2.1 removes the optimization. The WG doesn't know of any authenticators that actually do the optimization in CTAP2.0 or 2.0_Pre. However they are not all knowing. Platforms should expect to deal with it in CTAP2.0/2.1_Pre.
Note You need to log in before you can comment on or make changes to this bug.