Bug 225646 - [WebAuthn] excludeCredentials is ignored if using FaceID
Summary: [WebAuthn] excludeCredentials is ignored if using FaceID
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: Safari 14
Hardware: iPhone / iPad iOS 14
Importance: P2 Normal
Assignee: pascoe@apple.com
Keywords: InRadar
Reported: 2021-05-11 03:13 PDT by Joshua Rüsweg
Modified: 2022-05-26 14:48 PDT

Attachments
Video demonstrating the bug. (6.46 MB, video/mp4)
2021-05-11 03:13 PDT, Joshua Rüsweg
Patch (1.97 KB, patch)
2022-03-03 13:49 PST, pascoe@apple.com

Description Joshua Rüsweg 2021-05-11 03:13:14 PDT
Created attachment 428260
Video demonstrating the bug.

On iOS 14.5.1 (iPhone 12 Pro) the excludeCredentials parameter (https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialcreationoptions-excludecredentials) for WebAuthn is ignored for FaceID. 

If I add the FaceID key to the excludeCredentials and I want to add another key, you can select the already registered FaceID for registering again. If you select FaceID, the Webkit-Webauthn-Loader loops infinitely (see video).

The expected behaviour would be that iOS does not allow selecting FaceID or, imo the much better solution, throws an InvalidStateError (see https://github.com/w3c/webauthn/issues/1566).

iPadOS 14.4.2 (iPad Pro, 12.9", 3rd generation) does not offer to register FaceID twice if the FaceID key is provided via the excludeCredentials parameter. With iPadOS 14.5.1 I can reproduce the issue on the same iPad.

I have added a short video demonstrating the problem if the FaceID key is provided within the excludeCredentials parameter.

The bug only affects the FaceID implementation. The security key implementation works fine.
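
The registration flow described in this report, as an added example that is not part of the original report or of WebKit: a relying-party page builds `excludeCredentials` from the IDs it already holds, treats `InvalidStateError` as "already registered", and still compares the returned credential ID against the known ones in case the client did not honour the list. The helper names, the injectable `credentialsApi` argument and the unpadded base64url storage format are assumptions.

```javascript
// Added example (not WebKit code). Helper names are hypothetical.
// Credential IDs are assumed to be stored as unpadded base64url strings.
function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}

function bytesToB64url(buf) {
  const bin = String.fromCharCode(...new Uint8Array(buf));
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Copy the creation options and list every credential already registered
// for this account so the client can refuse to create a second one.
function withExcludeList(publicKey, registeredIds) {
  const excludeCredentials = registeredIds.map((id) => ({
    type: "public-key",
    id: b64urlToBytes(id),
  }));
  return { ...publicKey, excludeCredentials };
}

// credentialsApi is navigator.credentials in a browser; injectable for tests.
async function registerAuthenticator(credentialsApi, publicKey, registeredIds) {
  let cred;
  try {
    cred = await credentialsApi.create({
      publicKey: withExcludeList(publicKey, registeredIds),
    });
  } catch (err) {
    // A conforming client reports an excluded authenticator this way.
    if (err.name === "InvalidStateError") return { status: "already-registered" };
    throw err;
  }
  // Do not assume the client honoured the list: compare the returned ID too.
  const id = bytesToB64url(cred.rawId);
  if (registeredIds.includes(id)) return { status: "duplicate-rejected", id };
  return { status: "created", id };
}
```

The same ID comparison belongs on the server when it verifies the registration response, since the page script is not a trust boundary.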
Comment 1 Radar WebKit Bug Importer 2021-05-18 03:14:18 PDT
<rdar://problem/78147681>
Comment 2 pascoe@apple.com 2022-03-03 13:49:39 PST
Created attachment 453783
Patch
Comment 3 Brent Fulgham 2022-03-04 11:47:58 PST
Comment on attachment 453783
Patch

r=me
Comment 4 EWS 2022-03-04 12:34:24 PST
Committed r290840 (248076@main): <https://commits.webkit.org/248076@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 453783.
Comment 5 Brent Fulgham 2022-05-26 14:48:02 PDT
This fix shipped with Safari 15.5 (all platforms).