RESOLVED WORKSFORME 224350
Asserting WebAuthn credentials via allowCredentials fails
https://bugs.webkit.org/show_bug.cgi?id=224350
Summary Asserting WebAuthn credentials via allowCredentials fails
Martin Kreichgauer
Reported 2021-04-08 17:11:00 PDT
Created attachment 425562 [details] Screencast of behavior with USB security key attached In Safari 14.0.3, when I create a WebAuthn credential with the platform authenticator, e.g. on webauthntest.azurewebsites.net, Safari fails to assert that credential when the get() call passes the credential identifier in the allowCredentials parameter *as long as a USB security key happens to be connected to the machine*. Asserting the credential via an empty allowCredentials parameter works (shows the account selector). If no USB security key is connected, asserting with empty or non-empty allow list both work. This is likely another flavor of the bug already reported in https://bugs.webkit.org/show_bug.cgi?id=219814.
Attachments
Screencast of behavior with USB security key attached (7.47 MB, video/quicktime)
2021-04-08 17:11 PDT, Martin Kreichgauer
no flags
Radar WebKit Bug Importer
Comment 1 2021-04-15 17:11:22 PDT
David Waite
Comment 2 2021-10-05 17:00:35 PDT
FWIW, via: Safari 15.1 (17612.2.6.1.1) on Monterey beta, Syncing Platform Authenticator and Web Authentication Modern disabled, Yubikey 5c (with passcode). Was not able to replicate. Was able to: - add a platform credential, use it - add the security key as a credential, still use both - uncheck allow credentials, worked fine as well - removed yubikey and tested successfully, reinserted and tested successfully
pascoe@apple.com
Comment 3 2021-10-07 12:41:28 PDT
I've also been unable to replicate on Safari 15 and STP (Release 133 (Safari 15.4, WebKit 17613.1.2.2). Steps I tried on webauthntest.azurewebsites.net 1. Register platform authenticator 2. Perform get() call with and without allowCredentials (both work) 3. Plug in security key (Yubikey 5c nano) 4. Perform get() call with and without allowCredentials (both work) 5. Plug in a second security key (AT.Key Pro) 6. Perform get() call with and without allowCredentials (both work)
Note You need to log in before you can comment on or make changes to this bug.