Bug 224042 RESOLVED FIXED
[Webauthn] navigator.credentials.create, with direct attestation, throws 'NotAllowedError.' error on MacOS11 M1 Chip
https://bugs.webkit.org/show_bug.cgi?id=224042
SG
Reported 2021-04-01 02:15:23 PDT
navigator.credentials.create throws 'NotAllowedError: This request has been cancelled by the user.' error when "direct" attestation is requested on MacOS Big Sur, Safari 14 browser

Request

    navigator.credentials.create({publicKey: {
        "rp": { "id": "", "name": "" },
        "user": { "name": "", "displayName": "", "id": },
        "challenge":
        "pubKeyCredParams": [ { "type": "public-key", "alg": -7 } ],
        "authenticatorSelection": { "authenticatorAttachment": "platform" },
        "attestation": "direct"
    }})

Response

    NotAllowedError: This request has been cancelled by the user.
Attachments
error popup on webauthn.me (933.13 KB, image/png)
2021-07-20 07:31 PDT, Cyril Labbe
mac os & chipset reference (330.73 KB, image/png)
2021-07-20 07:31 PDT, Cyril Labbe
Radar WebKit Bug Importer
Comment 1 2021-04-08 02:16:21 PDT
Cyril Labbe
Comment 2 2021-07-20 07:31:29 PDT
Created attachment 433873: error popup on webauthn.me
Cyril Labbe
Comment 3 2021-07-20 07:31:54 PDT
Created attachment 433874: mac os & chipset reference
Cyril Labbe
Comment 4 2021-07-20 07:33:26 PDT
Issue also reported on the fido-dev Google group: https://groups.google.com/a/fidoalliance.org/g/fido-dev/c/BHYtIkLTZbM
Happens when attestation is "direct" or "indirect", not when "none".
Happens on MacBook Pro M1 (no issue on Intel MacBook).
The attestation ceremony proceeds normally regarding the user (allows the domain to perform WebAuthn, then use Touch ID), but ends up on an error popup.
pascoe@apple.com
Comment 5 2021-11-11 09:19:49 PST
*** Bug 232950 has been marked as a duplicate of this bug. ***
Dirkjan Bussink
Comment 6 2021-12-16 02:19:15 PST
I'm also hitting this issue on trying to register with TouchID with Okta. It reproduces as well on https://webauthn.me/debugger when registering with the attestation set to "direct" or "indirect". It works when it's set to "none".
login Llama
Comment 7 2022-02-09 15:13:58 PST
With attestation Direct:
On Intel Safari 15.4 I get a not allowed error when Syncing platform authenticator is disabled. When Syncing platform authenticator is enabled it works as expected.
On M1 Safari 15.2 and STP 140 I get "The operation cannot be completed" if Syncing platform authenticator is enabled or disabled.
The expected behavior is that the browser should return an attestation of type none if the authenticator doesn't support attestation. There is a WebAuthn issue to track this: https://github.com/w3c/webauthn/issues/1697
It is possible that WebAuthn Level 3 will need to be updated to be more explicit on this so that platforms are consistent.
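If a browser does return an attestation of type none after "direct" was requested, as Comment 7 expects, the relying party's server has to notice and decide whether to accept it. The following is an added example, not code from this bug or from WebKit: it reads fmt from the attestationObject and applies a policy. The names cborDecode, checkAttestation and allowNone and the sample bytes are assumptions of this example.

```javascript
// Added example. Minimal CBOR reader: ints, byte/text strings, arrays, maps only.
function cborDecode(bytes, pos = 0) {
  if (pos >= bytes.length) throw new Error("truncated CBOR");
  const major = bytes[pos] >> 5;
  let len = bytes[pos++] & 0x1f;
  if (len > 26) throw new Error("unsupported CBOR length encoding");
  if (len >= 24) {                         // value follows in 1, 2 or 4 bytes
    const n = 1 << (len - 24);
    if (pos + n > bytes.length) throw new Error("truncated CBOR");
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + bytes[pos++];
  }
  if (major === 0) return [len, pos];
  if (major === 1) return [-1 - len, pos];
  if (major === 2 || major === 3) {
    if (pos + len > bytes.length) throw new Error("truncated CBOR");
    const raw = bytes.slice(pos, pos + len);
    return [major === 2 ? raw : new TextDecoder().decode(raw), pos + len];
  }
  if (major !== 4 && major !== 5) throw new Error("unsupported CBOR type");
  const items = [];
  for (let i = 0, n = major === 4 ? len : 2 * len; i < n; i++) {
    let v;
    [v, pos] = cborDecode(bytes, pos);
    items.push(v);
  }
  if (major === 4) return [items, pos];
  const map = Object.create(null);         // no prototype: keys cannot shadow it
  for (let i = 0; i < items.length; i += 2) map[items[i]] = items[i + 1];
  return [map, pos];
}

// Policy check for a registration where "direct"/"indirect" may have been
// requested but fmt "none" came back. allowNone is this example's policy switch.
function checkAttestation(attestationObject, requested, allowNone = false) {
  const [att, end] = cborDecode(attestationObject);
  if (end !== attestationObject.length) throw new Error("trailing bytes");
  if (typeof att.fmt !== "string" || typeof att.attStmt !== "object")
    throw new Error("malformed attestationObject");
  const isNone = att.fmt === "none";
  if (isNone && Object.keys(att.attStmt).length !== 0)
    throw new Error('fmt "none" must carry an empty attStmt');
  const accepted = !isNone || requested === "none" || allowNone;
  return { fmt: att.fmt, accepted, verifyStatement: !isNone };
}

// Constructed sample: {"fmt":"none","attStmt":{},"authData":<37 zero bytes>}
const SAMPLE_NONE = Uint8Array.from(Buffer.from(
  "a363666d74646e6f6e656761747453746d74a06861757468446174615825" + "00".repeat(37), "hex"));
```

A result with verifyStatement set to true still needs the format-specific attestation statement verification, which this example does not perform.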
pascoe@apple.com
Comment 8 2022-02-09 15:26:04 PST
Hi, thank you for this report. We have identified the cause of this bug and a fix will be included in a future release. You can test attestation on M1 now by installing both the public beta of macOS 12.3 and Safari Technical Preview 139.
Dirkjan Bussink
Comment 9 2022-03-17 12:24:45 PDT
I don't think this issue is fixed. I just tried on an M1 with 12.3 and the problem still exists and I can't register with any attestation configured.
Dirkjan Bussink
Comment 10 2022-03-22 12:20:40 PDT
Also tested on a non M1 Mac with 12.3 and it errors out now also there, so I think it's been a regression on all platforms? I see now a "NotAllowedError: This request has been cancelled by the user." when trying to register on https://webauthn.me/debugger
login Llama
Comment 11 2022-03-22 14:59:27 PDT
An M1 with STP 141 on OSX 12.3 gives me "The operation cannot be completed" if attestation is direct for the platform authenticator.
Hidehito Gomi
Comment 12 2022-03-29 18:31:48 PDT
I don't think this is fixed. There seems to be a regression on non-M1 (Intel) chip. I tested on an Intel Core i7 Macbook Pro (macOS Monterey 12.3) with Safari 15.4 and Safari Technology Preview 141, using TouchID. navigator.credentials.create in each case threw 'NotAllowedError: This request has been cancelled by the user.' error when "direct" or "indirect" attestation for "platform" authenticator was requested.
pascoe@apple.com
Comment 13 2022-03-31 10:29:51 PDT
The fix for this issue is available in today's macOS Monterey 12.3.1 update.
Dirkjan Bussink
Comment 14 2022-04-16 09:06:59 PDT
Can confirm that this is now fixed in 12.3.1 on both an M1 Mac and an Intel Mac.