UserHandle Missing at Auth Finish using Android Passkey on Mac Ventura Safari


Tommy Chu

Nov 18, 2022, 7:24:06 PM
to FIDO Dev (fido-dev), Amrit Patra, Steven McHenry, Sean Soper, Francisco Marcos
Hello everyone.

I am trying to develop a Passwordless Login solution using WebAuthn standards.
Wondering if I could have your expert advice on one issue that has stalled me for a few days already?

Reproducible Environment:
  • Authenticator: Android Passkey using QR code
  • Browser: Mac Ventura OS Safari
  • Server Dependency: Yubico: webauthn-server-core : 2.1.0
1. I am able to see that the Server is providing UserHandle (as user.id) to the Client, and the client uses this information to finish the registration process.

2. When Client returns request for Authentication Finish process: UserHandle is returned empty. This only happens when Authenticating through Safari with Passkey using Android device.

3. I am passing User Verification to be `Required`.

Wondering if anyone is facing a similar issue with this?

Thanks,
Tommy

Shane Weeden

Nov 18, 2022, 7:52:06 PM
to Tommy Chu, FIDO Dev (fido-dev), Amrit Patra, Steven McHenry, Sean Soper, Francisco Marcos
Did your call to navigator.credentials.get include a populated allowCredentials list?

Sent from my iPhone

On 19 Nov 2022, at 10:24 am, 'Tommy Chu' via FIDO Dev (fido-dev) <fido...@fidoalliance.org> wrote:

Hello everyone.

John Bradley

Nov 18, 2022, 8:38:44 PM
to Tommy Chu, FIDO Dev (fido-dev), Amrit Patra, Steven McHenry, Sean Soper, Francisco Marcos
Android doesn’t currently support discoverable credentials/passkey. Yes, you can have it do UV. However, it will not return a user.id, as the credential is treated as non-discoverable. You are seeing the correct behavior.

There is an Android beta of Play services that adds support for discoverable credentials. You will get farther with that.

John B. 

Sent from my iPhone

On Nov 18, 2022, at 4:24 PM, 'Tommy Chu' via FIDO Dev (fido-dev) <fido...@fidoalliance.org> wrote:

Hello everyone.

Ki-Eun Shin

Nov 18, 2022, 8:55:41 PM
to John Bradley, Tommy Chu, FIDO Dev (fido-dev), Amrit Patra, Steven McHenry, Sean Soper, Francisco Marcos
I tried that scenario with my MacOS (Ventura 13.1) and Android (with Play service beta).

1. Empty allow list: Safari and Chrome Canary browsers return the user handle, which is expected behavior.
2. With allow list (indicating created credential): Safari browser returns empty user handle. But Chrome Canary returns null user handle (I don't know which one is correct behaviour).

With our demo site, handling three cases has no problem even if the user handle is not included (null or empty), since we know the user id when we get the assertion response.

Regards,

On Sat, Nov 19, 2022 at 10:38 AM, John Bradley <ve7...@ve7jtb.com> wrote:

Ki-Eun Shin

Nov 18, 2022, 9:03:36 PM
to John Bradley, Tommy Chu, FIDO Dev (fido-dev), Amrit Patra, Steven McHenry, Sean Soper, Francisco Marcos
I am digging into the specification, and the spec describes that
userHandleResult

If the authenticator returned a user handle, set the value of userHandleResult to be the bytes of the returned user handle. Otherwise, set the value of userHandleResult to null.

So, if the authenticator does not return a user handle, browsers need to set it as null. So, Chrome Canary's current behaviour is correct.
And, since the credential is already populated from the RP side, the authenticator might return null user handle. So, I'm thinking that current behaviour is correct.

On Sat, Nov 19, 2022 at 10:55 AM, Ki-Eun Shin <shin...@gmail.com> wrote:
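
One way a relying party can handle the three outcomes reported above (user handle present, `null`, or empty), as an added example that is not part of the thread and not code from Yubico's library. It follows the WebAuthn verification rule that a missing user handle is acceptable only when the user was already identified before the ceremony (the allowCredentials flow). The function names, the in-memory store and the sample identifiers are hypothetical, and Node.js `Buffer` is assumed.

```javascript
// Added example: hypothetical helper names, constructed sample data.
// Constructed store: credential id -> owning user handle (both base64url).
const credentialOwners = new Map([
  ["Y3JlZC1hbmRyb2lk", "dXNlci0xMjM"],
  ["Y3JlZC1vdGhlcg", "dXNlci05OTk"],
]);

// Collapse null, undefined, "" and zero-length buffers into null, so the
// Safari (empty) and Chrome Canary (null) results are handled identically.
function normalizeUserHandle(userHandle) {
  if (userHandle == null) return null;
  if (typeof userHandle === "string") return userHandle.length ? userHandle : null;
  const bytes = ArrayBuffer.isView(userHandle)
    ? new Uint8Array(userHandle.buffer, userHandle.byteOffset, userHandle.byteLength)
    : new Uint8Array(userHandle);
  return bytes.length ? Buffer.from(bytes).toString("base64url") : null;
}

// expectedUserHandle: the user the server identified before the ceremony
// (allowCredentials was populated), or null for an empty allow list.
function resolveAssertionUser(assertion, expectedUserHandle, owners = credentialOwners) {
  const owner = owners.get(assertion.id);
  if (owner === undefined) throw new Error("unknown credential id");
  const returned = normalizeUserHandle(assertion.response.userHandle);

  if (expectedUserHandle != null) {
    // Username-first flow: ownership is checked via the credential id.
    if (owner !== expectedUserHandle) {
      throw new Error("credential is not owned by the expected user");
    }
    // A returned handle is optional here, but if present it must agree.
    if (returned !== null && returned !== expectedUserHandle) {
      throw new Error("userHandle does not match the expected user");
    }
    return expectedUserHandle;
  }

  // Empty allow list: the user handle is the only way to identify the user.
  if (returned === null) {
    throw new Error("userHandle is required when no user was identified");
  }
  if (returned !== owner) throw new Error("userHandle does not own this credential");
  return returned;
}
```

Run the signature, challenge and origin checks of the assertion as usual; this function only decides which account the assertion is allowed to log in.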

Emil Lundberg

Nov 21, 2022, 9:34:26 AM
to Ki-Eun Shin, John Bradley, Tommy Chu, FIDO Dev (fido-dev), Amrit Patra, Steven McHenry, Sean Soper, Francisco Marcos