google / webauthndemo

An example Node.js Relying Party implementation of the WebAuthn specification
https://try-webauthn.appspot.com
Apache License 2.0

used publicKeyCredentialCreationOptions user.id/userHandle violates the spec #75

Closed bodik closed 5 years ago

bodik commented 5 years ago

FYI, the publicKeyCredentialCreationOptions implementation in

https://github.com/google/webauthndemo/blob/6e5d6b17545aa71958792b7d3b36a36bb3e5fd97/src/main/java/com/google/webauthn/gaedemo/endpoints/Fido2RequestHandler.java#L62

violates the spec at https://w3c.github.io/webauthn/#user-handle

The user handle MUST NOT contain personally identifying information about the user, such as a username or e-mail address

cpiper commented 5 years ago

Thanks, in change https://github.com/google/webauthndemo/commit/a805e9eaa3a8c818a4d62dddf12ed1c1b7acb048 I have modified the logic to generate random data to fill the user id field. Since there is no support for an empty allowCredentials list on the server, this should be fine at this point.