The JS code expects server responses to adhere to a certain format; e.g. the call to /webauthn/register/options should return certain fields. The Spring Security implementation is expected to respond with the correct format, but user implementations may be incorrect, missing a field, having an incorrect type, etc.
Currently the JS throws an error, and the message might be surprising, e.g. can't access property "replace", base64url is undefined, instead of something akin to: the /webauthn/register/options call should have a "user.id" property.
Following the stack trace, a user may be able to find what the problem is, but it is not trivial, as it might be the second or third line in the stack trace that shows the incriminating call site.
Responses to validate:
/webauthn/register/options
/webauthn/register
/webauthn/authenticate/options
/login/webauthn
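One way such a check could look for the /webauthn/register/options response, as an added example that is not Spring Security's own code. The names `validateResponse` and `REGISTER_OPTIONS_RULES` are hypothetical, the rule table lists the required members of PublicKeyCredentialCreationOptions from the WebAuthn specification, and binary fields are assumed to arrive as unpadded base64url strings.

```javascript
// Added example: hypothetical validator, not Spring Security's own code.
// Assumption: binary fields arrive as unpadded base64url strings.
const BASE64URL = /^[A-Za-z0-9_-]+$/;

// Required members of PublicKeyCredentialCreationOptions per the WebAuthn spec.
const REGISTER_OPTIONS_RULES = [
  ["rp", "object"], ["rp.name", "string"],
  ["user", "object"], ["user.id", "base64url"],
  ["user.name", "string"], ["user.displayName", "string"],
  ["challenge", "base64url"], ["pubKeyCredParams", "array"],
];

// Resolve a dotted path such as "user.id"; undefined if any step is missing.
function getPath(obj, path) {
  return path.split(".").reduce(
    (cur, key) => (cur !== null && typeof cur === "object" ? cur[key] : undefined), obj);
}

function describe(value) {
  if (value === undefined) return "missing";
  if (value === null) return "null";
  return Array.isArray(value) ? "array" : typeof value;
}

function matches(value, type) {
  if (type === "array") return Array.isArray(value);
  if (type === "object") return describe(value) === "object";
  if (type === "base64url") return typeof value === "string" && BASE64URL.test(value);
  return typeof value === type;
}

// Returns readable problems naming endpoint and property; empty when usable.
function validateResponse(endpoint, body, rules) {
  const problems = [];
  for (const [path, type] of rules) {
    const value = getPath(body, path);
    if (!matches(value, type)) {
      problems.push(`the ${endpoint} call should have a "${path}" property (${type}), got ${describe(value)}`);
    }
  }
  return problems;
}

// Constructed sample: a custom server response that omits user.id.
const sampleBody = {
  rp: { name: "Example" }, user: { name: "alice", displayName: "Alice" },
  challenge: "c2FtcGxl", pubKeyCredParams: [{ type: "public-key", alg: -7 }],
};
console.log(validateResponse("/webauthn/register/options", sampleBody, REGISTER_OPTIONS_RULES));
```

Running the check before any base64url decoding means a malformed response fails with a message that names the endpoint and property, not with an error from deep in the decoder.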