WebKit Bugzilla
RESOLVED WORKSFORME
224350
Asserting WebAuthn credentials via allowCredentials fails
https://bugs.webkit.org/show_bug.cgi?id=224350
Martin Kreichgauer
Reported 2021-04-08 17:11:00 PDT

Created attachment 425562: Screencast of behavior with USB security key attached

In Safari 14.0.3, when I create a WebAuthn credential with the platform authenticator, e.g. on webauthntest.azurewebsites.net, Safari fails to assert that credential when the get() call passes the credential identifier in the allowCredentials parameter *as long as a USB security key happens to be connected to the machine*. Asserting the credential via an empty allowCredentials parameter works (shows the account selector). If no USB security key is connected, asserting with empty or non-empty allow list both work.

This is likely another flavor of the bug already reported in https://bugs.webkit.org/show_bug.cgi?id=219814.
Attachments
Screencast of behavior with USB security key attached (7.47 MB, video/quicktime), 2021-04-08 17:11 PDT, Martin Kreichgauer
Radar WebKit Bug Importer
Comment 1
2021-04-15 17:11:22 PDT
<rdar://problem/76731282>
David Waite
Comment 2
2021-10-05 17:00:35 PDT
FWIW, via: Safari 15.1 (17612.2.6.1.1) on Monterey beta, Syncing Platform Authenticator and Web Authentication Modern disabled, Yubikey 5c (with passcode).

Was not able to replicate. Was able to:
- add a platform credential, use it
- add the security key as a credential, still use both
- uncheck allow credentials, worked fine as well
- removed yubikey and tested successfully, reinserted and tested successfully
pascoe@apple.com
Comment 3
2021-10-07 12:41:28 PDT
I've also been unable to replicate on Safari 15 and STP (Release 133 (Safari 15.4, WebKit 17613.1.2.2)).

Steps I tried on webauthntest.azurewebsites.net:
1. Register platform authenticator
2. Perform get() call with and without allowCredentials (both work)
3. Plug in security key (Yubikey 5c nano)
4. Perform get() call with and without allowCredentials (both work)
5. Plug in a second security key (AT.Key Pro)
6. Perform get() call with and without allowCredentials (both work)
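
The two get() variants compared in this report, as an added example that is not part of the original thread or of WebKit's code: it builds the request options with an empty and with a non-empty allowCredentials list and records the outcome of each call. The credential ID, the challenge source and all function names are constructed for illustration.

```javascript
// Constructed sample credential ID (base64url of bytes 1..16); not a value from this bug.
const SAMPLE_CREDENTIAL_ID = "AQIDBAUGBwgJCgsMDQ4PEA";

// Credential IDs usually travel as base64url; the WebAuthn API wants raw bytes.
function base64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(s.length / 4) * 4, "=");
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}

// Build PublicKeyCredentialRequestOptions for one variant.
// `challenge` must come from the relying party's server in real use.
function buildRequestOptions(challenge, credentialIds) {
  return {
    challenge,
    timeout: 60000,
    userVerification: "preferred",
    // Empty list: the browser may offer any discoverable credential
    // (the account selector mentioned in the report).
    // Non-empty list: only the listed credential IDs may be asserted.
    allowCredentials: credentialIds.map((id) => ({
      type: "public-key",
      id: base64urlToBytes(id),
    })),
  };
}

// Run both variants back to back and record which one succeeds.
// `getFn` defaults to the browser API; pass a stub to exercise it elsewhere.
async function compareAssertions(newChallenge, credentialIds, getFn) {
  const get = getFn || ((opts) => navigator.credentials.get(opts));
  const variants = [["emptyAllowList", []], ["withAllowList", credentialIds]];
  const results = {};
  for (const [label, ids] of variants) {
    try {
      const publicKey = buildRequestOptions(newChallenge(), ids);
      const cred = await get({ publicKey });
      results[label] = { ok: true, credentialId: cred.id };
    } catch (e) {
      // Record the DOMException name the browser reports for the failing variant.
      results[label] = { ok: false, error: e.name };
    }
  }
  return results;
}
```

Running compareAssertions once with no security key attached and once with one plugged in gives the four data points the report and the replies compare.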