Bug 213187

Summary: [WebAuthn] The support of the GetAssertion response without containing a credential case
Product: WebKit Reporter: nuno.sung <nuno.sung>
Component: WebKit Misc.Assignee: Nobody <webkit-unassigned>
Status: RESOLVED WONTFIX    
Severity: Normal CC: bfulgham, jiewen_tan, loginllama, webkit-bug-importer, webkit-unassigned
Priority: P2 Keywords: InRadar
Version: Safari Technology Preview   
Hardware: Mac   
OS: macOS 10.15   
Bug Depends on:    
Bug Blocks: 181943    

Description nuno.sung 2020-06-15 01:27:30 PDT 
[Environment]
Test Device: MacBook Pro (2013)
OS: macOS 10.15.5
Safari Technology Preview Release 108

[Repro Steps]
1. Test https://webauthntest.azurewebsites.net/#
2. Create a credential without modifying any settings.
3. Make sure only one created credential on the web page.
4. Run Get credential and let "Use allowCredentials" checked.
5. The response from authenticator will omit the credential(0x01) member if the allowList has exactly one Credential.
6. The result is not okay.
7. But if the key has the support of U2F, annother U2F_AUTH request/response will be processed and result is okay.

[Ref.]
1. "May be omitted if the allowList has exactly one Credential." in the description of GetAssertion response table under 
https://fidoalliance.org/specs/fido2/fido-client-to-authenticator-protocol-v2.1-rd-20191217.html#authenticatorGetAssertion

2. 
// When the response from the authenticator does not contain a credential and
// the allow list from the GetAssertion request only contains a single
// credential id, manually set credential id in the returned response.
https://chromium.googlesource.com/chromium/src/+/refs/heads/master/device/fido/get_assertion_request_handler.cc#187
Comment 1 Alexey Proskuryakov 2020-07-10 13:10:46 PDT 
Since there is no Radar linked, temporarily removing the InRadar keyword to have this bug re-import.
Comment 2 Radar WebKit Bug Importer 2020-07-10 13:10:58 PDT 
<rdar://problem/65359329>
Comment 3 Jiewen Tan 2020-07-28 00:54:04 PDT 
(In reply to nuno.sung from comment #0)
> [Environment]
> Test Device: MacBook Pro (2013)
> OS: macOS 10.15.5
> Safari Technology Preview Release 108
> 
> [Repro Steps]
> 1. Test https://webauthntest.azurewebsites.net/#
> 2. Create a credential without modifying any settings.
> 3. Make sure only one created credential on the web page.
> 4. Run Get credential and let "Use allowCredentials" checked.
> 5. The response from authenticator will omit the credential(0x01) member if
> the allowList has exactly one Credential.
> 6. The result is not okay.
> 7. But if the key has the support of U2F, annother U2F_AUTH request/response
> will be processed and result is okay.
> 
> [Ref.]
> 1. "May be omitted if the allowList has exactly one Credential." in the
> description of GetAssertion response table under 
> https://fidoalliance.org/specs/fido2/fido-client-to-authenticator-protocol-
> v2.1-rd-20191217.html#authenticatorGetAssertion
> 
> 2. 
> // When the response from the authenticator does not contain a credential and
> // the allow list from the GetAssertion request only contains a single
> // credential id, manually set credential id in the returned response.
> https://chromium.googlesource.com/chromium/src/+/refs/heads/master/device/
> fido/get_assertion_request_handler.cc#187

May I ask what model of authenticator you are using?
Comment 5 nuno.sung 2020-08-21 06:09:19 PDT 
New Fido2.x spec will remove this 
https://github.com/fido-alliance/fido-2-specs/pull/956
Comment 6 login Llama 2020-08-25 19:46:25 PDT 
CTAP2.1 removes the optimization.  The WG doesn't know of any authenticators that actually do the optimization in CTAP2.0 or 2.0_Pre.  However they are not all knowing. Platforms should expect to deal with it in CTAP2.0/2.1_Pre.