Bug 244164

Summary:	[WebAuthn] Conditional UI for webauthn autocomplete does not set the uv flag
Product:	WebKit	Reporter:	Chad Killingsworth <ckillingsworth>
Component:	WebKit Misc.	Assignee:	Nobody <webkit-unassigned>
Status:	RESOLVED FIXED
Severity:	Normal	CC:	pascoe
Priority:	P2
Version:	Safari Technology Preview
Hardware:	Mac (Apple Silicon)
OS:	Other

Description Chad Killingsworth 2022-08-20 15:04:00 PDT

On Safari Technology Preview Release 151 (Safari 16.0, WebKit 18615.1.1.2) on macOS 13 beta 5 the conditional UI (https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-Conditional-UI) functionality for Passkeys does not set the user verified flag in the authenticationData of the response.

Reproducing Steps:
1. Webpage with <input autocomplete="webauthn"/ >
2. Perform webauthn get with a conditional mediation:
navigator.credentials.get({
  mediation: 'conditional',
  publicKey: {
    challenge: <challengeFromServer>,
    rpId: <rpId>,
    userVerification: "required"
  }
}).then(({id, type, response, authenticatorAttachment}) => {
  console.log(response.authenticatorData);
});
3. Click into the input box - note that the conditional UI appears.
4. Complete the authentication with a registered credential.
5. decode the response.authenticatorData field and note the uv flag is not set.

Example flags:

flags: {
    up: true,
    uv: false,
    be: true,
    bs: true,
    at: false,
    ed: false,
    flagsInt: 25
  }

When invoking the navigator.credentials.get request manually (without conditional mediation) and using the exact same public key request options and the same credentials, the user verified flag is set.

Comment 1 Chad Killingsworth 2022-08-26 08:40:56 PDT

This behavior is fixed in Safari Technical Preview Release 152 (Safari 16.0, WebKit 18615.1.2.3). The uv flag is correctly set.