MasterKale / SimpleWebAuthn

WebAuthn, Simplified. A collection of TypeScript-first libraries for simpler WebAuthn integration. Supports modern browsers, Node, Deno, and more.
https://simplewebauthn.dev
MIT License

Id and RawId are empty when registering on Firefox #349

Closed zkwzk closed 1 year ago

zkwzk commented 1 year ago

Hello @MasterKale,

Recently we have been testing the compatibility of SimpleWebAuthn on different browsers, and we found an issue that causes registration (verifyRegistrationResponse) to fail because the Id and RawId in VerifyRegistrationResponseOpts are empty on Firefox.

We tried on Chrome and it works fine; the rawId and Id are there. On Firefox, however, the rawId and Id are empty. It seems to be a Firefox browser issue, but I think we can somehow bypass this issue by disabling the check for rawId and id in verifyRegistrationResponse and using the credentialId extracted from the attestationObject.

How to reproduce:

  1. Enable the CTAP2 config on Firefox if you are using a Mac: type “about:config” in Firefox and press Enter, search for ctap, and enable the security.webauthn.ctap2 option.
  2. Use any WebAuthn demo website, such as https://webauthn.io/, on Firefox and try to register. You will see that in the verifyRegistration request the rawId and Id are empty, so it fails the sanity check in verifyRegistrationResponse:

```ts
  // Ensure credential specified an ID
  if (!id) {
    throw new Error('Missing credential ID');
  }

  // Ensure ID is base64url-encoded
  if (id !== rawId) {
    throw new Error('Credential ID was not base64url-encoded');
  }
```

MasterKale commented 1 year ago

Oh, that's a trip. This is almost a WONTFIX for me, but then again I could change `if (!id)` to `if (id === undefined)` and achieve the same effect while also supporting Firefox while it's baking its CTAP2 support... let me sleep on this and get back to you.

zkwzk commented 1 year ago

I think you can put this change on hold.

According to https://bugzilla.mozilla.org/show_bug.cgi?id=1752089, they have already enabled CTAP2 support in the nightly build, so we downloaded the latest nightly build, 111.0a1, from https://www.mozilla.org/en-US/firefox/all/#product-desktop-nightly and tested registration on https://webauthn.io/. It shows the rawId and id now, and everything works fine.

Let's wait and see when this will be in the stable release.

MasterKale commented 1 year ago

Thank you for including links to relevant issues in their Bugzilla tracker. For now I'm going to close this out as WONTFIX since it's a browser issue, and it seems they're already fixing it on their end.
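
An added example, not part of the thread and not SimpleWebAuthn's code: it contrasts the check quoted in the issue with the `id === undefined` relaxation discussed above, and shows the issue's idea of relying on the credential ID carried in the attestation object as a bound check. All function names are hypothetical, the authenticator data is constructed, and `authData` is assumed to be already CBOR-decoded from the attestationObject.

```typescript
// Added example (hypothetical names, not SimpleWebAuthn's code).
const B64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';
function toBase64URL(bytes: Uint8Array): string {
  let out = '';
  for (let i = 0; i < bytes.length; i += 3) {
    const n = ((bytes[i] ?? 0) << 16) | ((bytes[i + 1] ?? 0) << 8) | (bytes[i + 2] ?? 0);
    const chars = Math.min(bytes.length - i, 3) + 1; // 1 byte -> 2 chars, 2 -> 3, 3 -> 4
    for (let j = 0; j < chars; j++) out += B64URL[(n >> (18 - 6 * j)) & 63];
  }
  return out;
}
// Authenticator data: rpIdHash(32) | flags(1) | signCount(4) | aaguid(16)
// | credentialIdLength(2, big-endian) | credentialId | credentialPublicKey
function credentialIdFromAuthData(authData: Uint8Array): Uint8Array {
  const AT = 0x40; // flag bit 6: attested credential data present
  if (authData.length < 55 || ((authData[32] ?? 0) & AT) === 0) {
    throw new Error('No attested credential data');
  }
  const len = ((authData[53] ?? 0) << 8) | (authData[54] ?? 0);
  if (len === 0 || 55 + len > authData.length) throw new Error('Bad credential ID length');
  return authData.subarray(55, 55 + len);
}
// The check quoted in the issue: an empty id fails closed.
function currentCheck(id?: string, rawId?: string): boolean {
  return !!id && id === rawId;
}
// The relaxation floated in the thread: '' is not undefined and '' === ''.
function relaxedCheck(id?: string, rawId?: string): boolean {
  return id !== undefined && id === rawId;
}
// Tolerate empty id/rawId, but require any non-empty value to equal the
// credential ID inside authData, and return that ID as the one to store.
function boundCredentialId(id: string | undefined, rawId: string | undefined, authData: Uint8Array): string {
  const attested = toBase64URL(credentialIdFromAuthData(authData));
  for (const v of [id, rawId]) {
    if (v !== undefined && v !== '' && v !== attested) throw new Error('Credential ID mismatch');
  }
  return attested;
}
// Constructed sample: zeroed rpIdHash/aaguid, flags UP|AT, no public key bytes.
function sampleAuthData(credId: Uint8Array): Uint8Array {
  const out = new Uint8Array(55 + credId.length);
  out[32] = 0x41;
  out[53] = credId.length >> 8;
  out[54] = credId.length & 0xff;
  out.set(credId, 55);
  return out;
}
```

With empty `id` and `rawId`, `currentCheck` rejects, `relaxedCheck` accepts, and `boundCredentialId` falls back to the ID parsed from `authData` while still rejecting a non-empty value that disagrees with it.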