Closed slunker closed 2 years ago
Hi! Yes, that sounds like a bug in Safari. While the PublicKeyCredentialCreationOptions.user.id
option no longer allows an empty user handle as an argument, it is still valid for authenticators to return an empty AuthenticatorAssertionResponse.userHandle
, and that is distinct from a null value. There seems to already be a ticket for this in Safari's bug tracker: https://bugs.webkit.org/show_bug.cgi?id=239737
The call to RelyingParty.finishAssertion() with assertion result that came from Safari v15.4 when authenticating with a Yubico key fails with
java.lang.IllegalArgumentException: User handle ByteArray() does not own credential ByteArray(<bytes>)
The problem seems to be that a value of the
userHandle
field is an empty string in the assertion result json in safari 15.4 instead ofnull
.This works in other browsers or in previous versions of safari. It also works when authenticating with TouchID. It was tried with these versions of webauthn server:
1.12.2
,1.12.4
and2.0.0
.