Open sbweeden opened 3 weeks ago
Hi there,
This has been escalated for further investigation. If you have more information that can help us, please add it below.
Thanks!
Bit of a guess, but I'd probably be focusing attention here: https://github.com/bitwarden/clients/blob/main/libs/common/src/platform/services/fido2/fido2-client.service.ts#L259
Steps To Reproduce
When registering a passkey, part of the response to the WebAuthn API is an array of transports, returned via the getTransports() API.
Today Bitwarden populates this with
["internal"]
This can cause a problem when later using WebAuthn navigator.credentials.get on a different machine/browser that doesn't have the BitWarden extension installed but might otherwise have exercised the credential via the hybrid flow using a mobile phone with a BitWarden credential provider. The pre-req to re-creating this is that the call to navigator.credentials.get on the "other browser" is using an allowCredentials list which contains the BitWarden credential and transports (with no other credentials, or with no other credentials that contain a transport list with "hybrid" included). Browsers may (and some do - e.g. the way Windows Hello works) choose to simplify the WebAuthn UX in this situation and simply not offer hybrid. They will report "No passkeys available" (that's what Windows does) or similar.
Even if BitWarden does not yet have a mobile app credential provider, it is still recommended that this change be made to future-proof the ability to exercise the credential via hybrid in navigator.credentials.get flows that use allowCredentials.
Expected Result
WebAuthn registration response.getTransports() should return
["internal","hybrid"]
Actual Result
WebAuthn registration response.getTransports() returns
["internal"]
Screenshots or Videos
No response
Additional Context
No response
Operating System
Linux
Operating System Version
Irrelevant
Web Browser
Chrome
Browser Version
Irrelevant
Build Version
2024.7.1
Issue Tracking Info