Bug 239737 - WebAuthn userHandle must be null, not empty string
Summary: WebAuthn userHandle must be null, not empty string
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: Safari 15
Hardware: Mac (Intel) macOS 12
Importance: P2 Normal
Assignee: pascoe@apple.com
Keywords: InRadar
Reported: 2022-04-25 11:55 PDT by Boris Lykah
Modified: 2024-03-04 19:31 PST
Description Boris Lykah 2022-04-25 11:55:37 PDT
The WebAuthn implementation returns userHandle: "", which does not conform to this part of the spec: https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialuserentity-id

This breaks the checks on my Relying Party server. The same security key returns userHandle null on Firefox and Chromium. So it seems Safari replaces null with an empty string.

Steps to reproduce:
1. Open https://webauthn.io
2. Register YubiKey or another cross-platform security key. Registration with TouchID does not reproduce the issue.
3. Authenticate. On Safari 15 just activate the security key. On Safari Technology Preview choose "Account from Security Key".
4. Observe that the network request with the assertion has userHandle: "". It must be null to conform to the spec.

This bug may be related to https://bugs.webkit.org/show_bug.cgi?id=191521 [WebAuthN] UserHandle can be null.
Comment 1 Radar WebKit Bug Importer 2022-04-25 18:05:32 PDT
<rdar://problem/92305724>
Comment 2 tmj.chu 2022-11-20 23:25:35 PST
Hi everyone,
I am still seeing this bug happening with Safari.
Comment 3 henrik.willert 2024-01-10 01:17:04 PST
This nonconformity currently causes the Yubico java-webauthn-server library to throw an exception for logins in Safari with a security key.
https://github.com/Yubico/java-webauthn-server/issues/327
https://github.com/Yubico/java-webauthn-server/issues/194

It's probably the same for other libraries abiding by the spec.

We're advising our Safari users to migrate to other browsers, but would strongly prefer a patch in Safari.
Comment 4 pascoe@apple.com 2024-01-11 15:39:57 PST
https://github.com/WebKit/WebKit/pull/22681
Comment 5 EWS 2024-03-04 19:31:14 PST
Committed 275669@main (04d4979c9e1d): <https://commits.webkit.org/275669@main>

Reviewed commits have been landed. Closing PR #22681 and removing active labels.