RESOLVED FIXED 239737
WebAuthn userHandle must be null, not empty string
https://bugs.webkit.org/show_bug.cgi?id=239737
Boris Lykah
Reported 2022-04-25 11:55:37 PDT
The WebAuthn implementation returns userHandle: "", which does not conform to this part of the spec: https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialuserentity-id

This breaks the checks on my Relying Party server. The same security key returns userHandle null on Firefox and Chromium. So it seems Safari replaces null with an empty string.

Steps to reproduce:
1. Open https://webauthn.io
2. Register YubiKey or another cross-platform security key. Registration with TouchID does not reproduce the issue.
3. Authenticate. On Safari 15 just activate the security key. On Safari Technology Preview choose "Account from Security Key".
4. Observe that the network request with the assertion has userHandle: "". It must be null to conform to the spec.

This bug may be related to https://bugs.webkit.org/show_bug.cgi?id=191521 [WebAuthN] UserHandle can be null.
Radar WebKit Bug Importer
Comment 1 2022-04-25 18:05:32 PDT
tmj.chu
Comment 2 2022-11-20 23:25:35 PST
Hi everyone, I am still seeing that this bug is still happening with Safari.
henrik.willert
Comment 3 2024-01-10 01:17:04 PST
This nonconformity currently causes the Yubico java-webauthn-server library to throw an exception for logins in Safari with a security key. https://github.com/Yubico/java-webauthn-server/issues/327 https://github.com/Yubico/java-webauthn-server/issues/194 It's probably the same for other libraries abiding by the spec. We're advising our Safari users to migrate to other browsers, but would strongly prefer a patch in Safari.
pascoe@apple.com
Comment 4 2024-01-11 15:39:57 PST
EWS
Comment 5 2024-03-04 19:31:14 PST
Committed 275669@main (04d4979c9e1d): <https://commits.webkit.org/275669@main> Reviewed commits have been landed. Closing PR #22681 and removing active labels.
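For relying parties that still receive assertions from affected Safari builds, the sketch below shows one server-side way to tolerate the empty userHandle described in this report while keeping the user-binding check strict. It is an added example, not code from WebKit, webauthn.io or java-webauthn-server; the function names and the credential record shape are assumptions, and treating a zero-length handle as absent is a relying-party workaround, not spec behaviour.

```javascript
// Added example: relying-party handling of userHandle in an assertion.
// normalizeUserHandle, resolveUser and the { userId } record shape are
// hypothetical names chosen for illustration.
const MAX_USER_HANDLE_BYTES = 64; // WebAuthn limit on the length of user.id

// Accepts null/undefined, a base64url string (JSON transport), an
// ArrayBuffer or a typed array. Returns a Uint8Array, or null when absent.
function normalizeUserHandle(raw) {
  if (raw === null || raw === undefined) return null;
  let bytes;
  if (typeof raw === 'string') {
    // Node's 'base64' decoder also accepts the URL-safe alphabet.
    bytes = new Uint8Array(Buffer.from(raw, 'base64'));
  } else if (raw instanceof ArrayBuffer) {
    bytes = new Uint8Array(raw);
  } else if (ArrayBuffer.isView(raw)) {
    bytes = new Uint8Array(raw.buffer, raw.byteOffset, raw.byteLength);
  } else {
    throw new TypeError('unsupported userHandle type');
  }
  // A zero-length handle (the "" reported in this bug) is treated as absent.
  if (bytes.length === 0) return null;
  if (bytes.length > MAX_USER_HANDLE_BYTES) {
    throw new RangeError('userHandle longer than 64 bytes');
  }
  return bytes;
}

// credential: stored record { userId: Uint8Array }, looked up by credential ID.
// expectedUserId: user identified before the ceremony, or null for a
// username-less login. Returns the user ID the assertion is bound to.
function resolveUser(rawUserHandle, credential, expectedUserId) {
  const handle = normalizeUserHandle(rawUserHandle);
  const same = (a, b) => a.length === b.length && a.every((v, i) => v === b[i]);
  if (expectedUserId) {
    if (!same(credential.userId, expectedUserId)) throw new Error('credential not owned by user');
    if (handle && !same(handle, expectedUserId)) throw new Error('userHandle mismatch');
    return expectedUserId;
  }
  // No user identified up front: the handle is the only binding, so require it.
  if (!handle) throw new Error('userHandle required for username-less login');
  if (!same(handle, credential.userId)) throw new Error('userHandle mismatch');
  return handle;
}
```

The normalization only changes how an absent handle is represented; a username-less login that arrives without a real handle is still rejected.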