Bug 208357

Summary: [WebAuthn] "Found no credentials on this device" displayed when using roaming authenticator with Safari
Product: WebKit Reporter: sweeden
Component: New Bugs Assignee: Nobody <webkit-unassigned>
Status: RESOLVED WORKSFORME    
Severity: Normal CC: jiewen_tan, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: Safari Technology Preview   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 181943    

Description sweeden 2020-02-27 17:09:26 PST
I used Firefox (v74) on Mac to register a FIDO credential with WebAuthn using a couple of different popular USB authenticators (YubiKey 5 and an eWBM GoldenGate). I understand Firefox is probably using CTAP1, and if I use attestation I noticed that a fido-u2f attestation format is returned. Regardless, a public key credential is provided and saved against the user account.

Later, using either generally available Safari 13.0.5 or Safari Tech Preview Release 101, when I try to use this credential in an allowCredentials list to perform an assertion flow, Safari reports in a dialog: "Found no credentials on this device" and I am unable to complete assertion. Both the original FF browser and Chrome on the same Mac are able to use the credential to complete assertion.
Comment 1 sweeden 2020-02-27 17:20:36 PST
It appears I can actually complete authentication - that part is false in my original statement - however the error message displayed in the dialog is still something that should be addressed.
Comment 2 sweeden 2020-02-27 18:51:30 PST
Actually it doesn't matter what browser is used when the credential was registered - even on Safari itself. This msg "Found no credentials on this device" is displayed all the time. Seems like an odd message to display just because a roaming authenticator was used.
Comment 3 Radar WebKit Bug Importer 2020-02-29 13:06:37 PST
<rdar://problem/59921962>
Comment 4 Jiewen Tan 2020-03-16 20:30:52 PDT
It doesn't reproduce for me on ToT WebKit. Could you try the latest STP again? It will be better if you could specify the exact website you are using and upload a video.