[Environment] Test Device: MacBook Pro (2013) OS: macOS 10.15.5 Safari Technology Preview Release 108 [Repro Steps] 1. Test https://webauthntest.azurewebsites.net/# 2. Create a credential without modifying any settings. 3. Make sure only one created credential on the web page. 4. Run Get credential and let "Use allowCredentials" checked. 5. The response from authenticator will omit the credential(0x01) member if the allowList has exactly one Credential. 6. The result is not okay. 7. But if the key has the support of U2F, annother U2F_AUTH request/response will be processed and result is okay. [Ref.] 1. "May be omitted if the allowList has exactly one Credential." in the description of GetAssertion response table under https://fidoalliance.org/specs/fido2/fido-client-to-authenticator-protocol-v2.1-rd-20191217.html#authenticatorGetAssertion 2. // When the response from the authenticator does not contain a credential and // the allow list from the GetAssertion request only contains a single // credential id, manually set credential id in the returned response. https://chromium.googlesource.com/chromium/src/+/refs/heads/master/device/fido/get_assertion_request_handler.cc#187
Since there is no Radar linked, temporarily removing the InRadar keyword to have this bug re-import.
<rdar://problem/65359329>
(In reply to nuno.sung from comment #0) > [Environment] > Test Device: MacBook Pro (2013) > OS: macOS 10.15.5 > Safari Technology Preview Release 108 > > [Repro Steps] > 1. Test https://webauthntest.azurewebsites.net/# > 2. Create a credential without modifying any settings. > 3. Make sure only one created credential on the web page. > 4. Run Get credential and let "Use allowCredentials" checked. > 5. The response from authenticator will omit the credential(0x01) member if > the allowList has exactly one Credential. > 6. The result is not okay. > 7. But if the key has the support of U2F, annother U2F_AUTH request/response > will be processed and result is okay. > > [Ref.] > 1. "May be omitted if the allowList has exactly one Credential." in the > description of GetAssertion response table under > https://fidoalliance.org/specs/fido2/fido-client-to-authenticator-protocol- > v2.1-rd-20191217.html#authenticatorGetAssertion > > 2. > // When the response from the authenticator does not contain a credential and > // the allow list from the GetAssertion request only contains a single > // credential id, manually set credential id in the returned response. > https://chromium.googlesource.com/chromium/src/+/refs/heads/master/device/ > fido/get_assertion_request_handler.cc#187 May I ask what model of authenticator you are using?
Maybe you can try this https://www.amazon.com/AuthenTrend-ATKey-Pro-Fingerprint-Authentication-Integration/dp/B084RFS5RP
New Fido2.x spec will remove this https://github.com/fido-alliance/fido-2-specs/pull/956
CTAP2.1 removes the optimization. The WG doesn't know of any authenticators that actually do the optimization in CTAP2.0 or 2.0_Pre. However they are not all knowing. Platforms should expect to deal with it in CTAP2.0/2.1_Pre.