RESOLVED FIXED
219813
`navigator.credentials.create()` returns immediately with `NotAllowedError` if credential already registered.
https://bugs.webkit.org/show_bug.cgi?id=219813
Lucas Garron
Reported
2020-12-11 16:19:16 PST
Per the WebAuthn spec (https://w3c.github.io/webauthn/#sctn-op-make-cred, step 3), errors returned from `navigator.credentials.get()` correspond to the following:

- `InvalidStateError`: the user consented to create a new credential, but there are no authenticators that match the `authenticatorSelection` but aren't in `excludeCredentials`.
- `NotAllowedError`: the user did not consent to create a new credential

The most obvious case for "did not consent to create a new credential" is if the user pressed "cancel". However, it seems Safari also does the same if trying to register a platform authenticator (Touch ID or Face ID) that is already registered.

While other browsers allow the user to interact with the prompt, e.g. Safari on macOS 11.0 Big Sur flashes `Do you want to allow "example.com"' to use Touch ID` (with the options "Don't allow" and "OK") but immediately replaces it with `You have already set up Touch ID for this website.` (with only the option "OK"). This makes it impossible to tell if the user intended to create a credential, and for the RP (website) to offer a more useful option based on `InvalidStateError`.

I don't know if this is a bug, but I wanted to make sure it was not an accident. The user experience (with the flashing prompt) is not great, so I think there is room for some improvement, either in the browser, or in the website's reaction to the error.

It's unclear to me if any of the bugs here cover this issue:
https://bugs.webkit.org/buglist.cgi?bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&field0-0-0=product&field0-0-1=component&field0-0-2=alias&field0-0-3=short_desc&field0-0-4=status_whiteboard&field0-0-5=content&list_id=6674120&order=changeddate%20DESC%2Cbug_status%2Cpriority%2Cassigned_to%2Cbug_id&query_format=advanced&type0-0-0=substring&type0-0-1=substring&type0-0-2=substring&type0-0-3=substring&type0-0-4=substring&type0-0-5=matches&value0-0-0=webauthn&value0-0-1=webauthn&value0-0-2=webauthn&value0-0-3=webauthn&value0-0-4=webauthn&value0-0-5=%22webauthn%22
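
An added example (not part of the original report and not WebKit code) of how an RP page could react to the two error names discussed in the report, treating `NotAllowedError` as ambiguous. The function names, the action strings and the stub are assumptions, and the stub compares string ids where the real API uses `BufferSource` values.

```javascript
// Added example: RP-side handling of create() outcomes.
// All names and action strings here are hypothetical.

// Map a rejected create() promise to what the site should do next.
function classifyRegistrationError(err) {
  switch (err && err.name) {
    case 'InvalidStateError':
      // The user consented, but the authenticator already holds a credential
      // listed in excludeCredentials: the site can say "already registered".
      return 'offer-sign-in';
    case 'NotAllowedError':
      // Cancel, timeout, or (in the behaviour reported in this bug) an
      // already-registered platform authenticator. These cannot be told
      // apart, so the message must stay neutral.
      return 'retry-or-sign-in';
    default:
      return 'report-error';
  }
}

// `credentials` is injected (navigator.credentials in a page) so the flow
// can be exercised offline with a stub.
async function registerCredential(credentials, publicKey) {
  try {
    const credential = await credentials.create({ publicKey });
    return { action: 'registered', credential };
  } catch (err) {
    return { action: classifyRegistrationError(err), credential: null };
  }
}

// Constructed stub: rejects with the given error name when the id of the
// simulated platform credential appears in excludeCredentials.
function stubCredentials(existingId, errorNameWhenExcluded) {
  return {
    async create({ publicKey }) {
      const excluded = (publicKey.excludeCredentials || [])
        .some((c) => c.id === existingId);
      if (excluded) {
        const e = new Error('constructed rejection');
        e.name = errorNameWhenExcluded;
        throw e;
      }
      return { id: 'new-credential', type: 'public-key' };
    },
  };
}
```
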

Attachments
- Patch (10.02 KB, patch), 2021-10-15 15:38 PDT, pascoe@apple.com, no flags
- Patch (13.44 KB, patch), 2021-10-18 10:00 PDT, pascoe@apple.com, no flags
- Patch (10.40 KB, patch), 2021-10-19 13:24 PDT, pascoe@apple.com, no flags
- Patch (10.67 KB, patch), 2021-10-19 13:59 PDT, pascoe@apple.com, no flags
- Patch (10.67 KB, patch), 2021-10-19 14:20 PDT, pascoe@apple.com, no flags
- Patch (10.65 KB, patch), 2021-10-19 17:34 PDT, pascoe@apple.com, no flags

Radar WebKit Bug Importer
Comment 1
2020-12-18 16:20:16 PST
<rdar://problem/72484635>

pascoe@apple.com
Comment 2
2021-10-15 15:38:24 PDT
Created attachment 441440 [details]
Patch

Brent Fulgham
Comment 3
2021-10-15 15:52:28 PDT
Comment on attachment 441440 [details]
Patch

r=me

pascoe@apple.com
Comment 4
2021-10-18 10:00:43 PDT
Created attachment 441621 [details]
Patch

EWS
Comment 5
2021-10-18 17:07:36 PDT
Committed r284413 (243182@main): <https://commits.webkit.org/243182@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 441621 [details].

WebKit Commit Bot
Comment 6
2021-10-18 20:14:01 PDT
Re-opened since this is blocked by bug 231936

Brady Eidson
Comment 7
2021-10-18 20:17:58 PDT
Reverted in https://trac.webkit.org/changeset/284429/webkit

pascoe@apple.com
Comment 8
2021-10-19 13:24:01 PDT
Created attachment 441781 [details]
Patch

pascoe@apple.com
Comment 9
2021-10-19 13:59:02 PDT
Created attachment 441790 [details]
Patch

Chris Dumez
Comment 10
2021-10-19 14:04:36 PDT
Comment on attachment 441790 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=441790&action=review
> Source/WebKit/ChangeLog:11 > + A fixme to add this was inadvertently removed in
https://bugs.webkit.org/attachment.cgi?id=393180&action=prettypatch
nit: extra space before URL
> Source/WebKit/ChangeLog:13 > + Reviewed by NOBODY (OOPS!).
This is supposed to come *before* the description, not after.

pascoe@apple.com
Comment 11
2021-10-19 14:20:07 PDT
Created attachment 441798 [details]
Patch

Brent Fulgham
Comment 12
2021-10-19 14:26:05 PDT
Comment on attachment 441798 [details]
Patch

r=me (and Chris)

Brent Fulgham
Comment 13
2021-10-19 16:40:39 PDT
Waiting for iOS-wk2 to finish before adding cq+

pascoe@apple.com
Comment 14
2021-10-19 17:34:41 PDT
Created attachment 441826 [details]
Patch

EWS
Comment 15
2021-10-20 08:01:48 PDT
Committed r284532 (243274@main): <https://commits.webkit.org/243274@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 441826 [details].

Darin Adler
Comment 16
2021-10-20 12:03:37 PDT
Comment on attachment 441826 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=441826&action=review
> Source/WebKit/ChangeLog:2 > +2021-10-19 John Pascoe <
j_pascoe@apple.com
> > + [WebAuthn] Obtain consent to create new credential when platform authenticator in excludedCredentials
Trivial formatting mistake: there should be a blank line here.