NEW 216600
Propagate user gesture through `isUserVerifyingPlatformAuthenticatorAvailable` 
https://bugs.webkit.org/show_bug.cgi?id=216600
Summary Propagate user gesture through `isUserVerifyingPlatformAuthenticatorAvailable`
Eiji Kitamura
Reported 2020-09-15 23:17:45 PDT
When invoking WebAuthn with a local authenticator (Touch ID / Face ID), user gesture is required in WebKit. Thank you for fixing the issue that blocks user gesture on Fetch API. (https://bugs.webkit.org/show_bug.cgi?id=214444) However, it has been still blocked on my code and finally figured that it was caused by `isUserVerifyingPlatformAuthenticatorAvailable`. Please propagate user gesture on `iUVPAA` as well. To reproduce the issue, you can try and modify the code here: https://glitch.com/edit/#!/iuvpaa-issue See code in public/client.js and enable/dislable `iUVPAA`.
Attachments
Add attachment proposed patch, testcase, etc.
Jiewen Tan
Comment 1 2020-09-15 23:24:45 PDT
(In reply to Eiji Kitamura from comment #0) > When invoking WebAuthn with a local authenticator (Touch ID / Face ID), user > gesture is required in WebKit. > Thank you for fixing the issue that blocks user gesture on Fetch API. > (https://bugs.webkit.org/show_bug.cgi?id=214444) > However, it has been still blocked on my code and finally figured that it > was caused by `isUserVerifyingPlatformAuthenticatorAvailable`. > Please propagate user gesture on `iUVPAA` as well. > > To reproduce the issue, you can try and modify the code here: > https://glitch.com/edit/#!/iuvpaa-issue > > See code in public/client.js and enable/dislable `iUVPAA`. Oh, I probably forgot doing this. But you don't necessary need to call the method after user interactions. This method is safe to call even for onload given it doesn't affect your rest API or any server model you have.
Eiji Kitamura
Comment 2 2020-09-15 23:30:06 PDT
Yeah I know, but Google's WebAuthn codelab has this within the same event loop and it would be nice if this was fixed. I'll add a workaround to the codelab meanwhile.
Eiji Kitamura
Comment 3 2020-09-15 23:58:12 PDT
On a second thought, I realized Google's codelab is not a good design. The button shouldn't be pressed if UVPAA is not available from the first place. Anyway, I'll leave this issue here as it might hint some people who bump into the same problem.
Radar WebKit Bug Importer
Comment 4 2020-09-22 23:59:21 PDT
<rdar://problem/69418131>
Anthony Johnston
Comment 5 2021-03-24 16:21:53 PDT
I need to make an async call to indexdb before calling credential get, this also causes an error, even though its within the context of a gesture. Further, iOS 14.4 has a popup which asks the user if the want to use FaceID or not, why is it necessary to have the user gesture before this as well? Remove the requirement for user gesture and allow us to call the api. The popup handles the requirement for user confirmation anyway.
Note You need to log in before you can comment on or make changes to this bug.