SnickerChar
commented
2 months ago Oh, and BTW, in your docs, there's another bit that goes completely over my head. In the Authentication Flow you describe, you already know who the user is, which seems to me like it requires the user to be already authenticated. That seems circular. I know there's a case, and we'll be using it, for doing the authentication flow with an already authenticated user. Particularly with a custom challenge, for doing some interesting crypto signature verification stuff. But even tearing apart the sample repo has me still confused on this one. In my implementation, I leave allowedCredentials as [], and just lookup the passkey in my DB based on the credentialId, so you should be able to just walk up and login with any known passkey, assuming I could register multiples...
Describe the issue
First, thanks for this library. I did it by hand for a demonstration and this just makes webauthn so much easier to use. On our system, we have 3 workflows with passkeys- register a passkey as a new user, login with an existing passkey, and register a new passkey as an authenticated user. I have the first two flows working great, but I'm having trouble on the third flow. In this case, we've issued the user a JWT authentication token, and they make an API call to the server and ends up making a call to generateRegistrationOptions(). We generate a challenge and store it in Redis connected to their internal user ID, and lookup all the existing passkeys they have registered with us from the DB; currently, only 1. The credentialID of those passkeys is added to excludeCredentials along with the transports, as per your examples.
This is returned to the client, but the startRegistration() call is failing with a NotAllowedError: CredentialContainer request is not allowed.
Removing the excluded credentials on the server side doesn't change anything. Removing the passkey from the OS allows me to re-register, although some refreshes are usually needed.
Reproduction Steps
Expected behavior
startRegistration() should offer to create a new passkey
Code Samples + WebAuthn Options and Responses
Here's a sample registration JSON from generateRegistrationOptions(); excludeCredentials is populated on the logged-in version but it doesn't make a difference, only the presense of a passkey in the OS.
{"challenge":"DL46LBPuhMmtVAd-LeYW-BLhSNFagZLQo97Ph8q6Nrk","rp":{"name":"Snickerdoodle Labs","id":"localhost"},"user":{"id":"HWynNy3Cc45A6tbXr9Evar8Y7tVtrOvH1XaUeF7Uk1w","name":"TEST","displayName":""},"pubKeyCredParams":[{"alg":-8,"type":"public-key"},{"alg":-7,"type":"public-key"},{"alg":-257,"type":"public-key"}],"timeout":60000,"attestation":"none","excludeCredentials":[],"authenticatorSelection":{"residentKey":"preferred","userVerification":"preferred","authenticatorAttachment":"platform","requireResidentKey":false},"extensions":{"credProps":true}}
Dependencies
SimpleWebAuthn Libraries
@simplewebauthn/browser@10.0.0 @simplewebauthn/server@10.0.1
Additional context
One thing I can't figure out is that when registering a passkey, I get no options. It only asks me to put in my PIN, and never asks where I'd like to save the passkey. I'm just using the default AuthenticatorSelection options from the example, so:
residentKey: "preferred", userVerification: "preferred", authenticatorAttachment: "platform",
But I'd like to store the passkey on my Yubikey and am never given an option. I think this may be why it's not allowing the creation of a second passkey, even with a different username. Obviously, there's something about the authenticator selection options I'm not grasping.