Yubico / java-webauthn-server

Server-side Web Authentication library for Java https://www.w3.org/TR/webauthn/#rp-operations

Safari: Resident Key discouraged gives empty userHandle instead of null #327

Closed fcorneli closed 7 months ago

fcorneli commented 8 months ago

I noticed something weird when playing with YubiKeys. When registering with option resident key discouraged, and next authenticating via Safari, the authentication response contains:

...
"userHandle":""
...

This makes the server side of course explode with:

com.yubico.webauthn.exception.AssertionFailedException: java.lang.IllegalArgumentException: User handle ByteArray() does not own credential ByteArray(...)

This while Google Chrome and Firefox give as authentication response the following:

...
"userHandle":null
...

emlun commented 8 months ago

This is a known bug in Safari: https://bugs.webkit.org/show_bug.cgi?id=239737

See also: #194

fcorneli commented 8 months ago

@emlun Thanks for the reference. Will java-webauthn-server implement a work-around for this, or should I "fix" the response myself?

fcorneli commented 8 months ago

https://github.com/e-Contract/enterprise-jsf/commit/ec6fdd5d1461dca9df9e10a80baccb64f1084ada

emlun commented 8 months ago

No, java-webauthn-server will not implement a work-around for this.

In general it will depend on impact and what makes pragmatic sense, but in principle we do not intend to implement work-arounds for violations of the spec.
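
A work-around of the kind asked about above, as an added example that is not part of the thread, not java-webauthn-server code, and not the content of the linked commit: it replaces an empty `userHandle` with `null` before the assertion is handed to the server-side verifier, and leaves any non-empty value untouched so the ownership check still runs. The function names, the nesting of `userHandle` under `response`, and the sample values are assumptions made for illustration.

```javascript
// Added example: normalise Safari's empty userHandle before verification.
// All names except "userHandle" are hypothetical.

// True for a zero-length user handle in any shape it may arrive in:
// "" (JSON-encoded), an empty ArrayBuffer, or an empty typed array.
function isEmptyUserHandle(value) {
  if (value === "") return true;
  if (value instanceof ArrayBuffer) return value.byteLength === 0;
  if (ArrayBuffer.isView(value)) return value.byteLength === 0;
  return false;
}

// Returns a copy of the assertion with an empty userHandle replaced by null.
// Anything else is returned unchanged: a non-empty handle must reach the
// server as-is so it can be checked against the credential's owner.
function normalizeAssertion(assertion) {
  const response = assertion && assertion.response;
  if (!response || !isEmptyUserHandle(response.userHandle)) {
    return assertion;
  }
  return { ...assertion, response: { ...response, userHandle: null } };
}

// Constructed sample inputs (placeholder values, not captured from a browser).
const safariAssertion = {
  id: "constructed-credential-id",
  type: "public-key",
  response: {
    authenticatorData: "constructed-authenticator-data",
    clientDataJSON: "constructed-client-data",
    signature: "constructed-signature",
    userHandle: "", // what the thread reports Safari sending
  },
};
const residentKeyAssertion = {
  ...safariAssertion,
  response: { ...safariAssertion.response, userHandle: "dXNlci0x" },
};

console.log(JSON.stringify(normalizeAssertion(safariAssertion).response.userHandle));
console.log(JSON.stringify(normalizeAssertion(residentKeyAssertion).response.userHandle));
```

With the handle normalised to `null`, the server has to identify the user from the username supplied at the start of authentication, which is the same situation as the Chrome and Firefox responses quoted in the issue.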