Describe the bug
The auth/z check on this line in the filter implementation for registering passkey credentials seems to prevent access to the webauthn endpoints even if .anyRequest().permitAll() is used.
Note that I'm using the RC version of Spring Security 6.4.0.
To Reproduce
Add a Security Configuration using the following implementation:
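    import org.springframework.context.annotation.Bean
    import org.springframework.context.annotation.Configuration
    import org.springframework.security.config.annotation.web.builders.HttpSecurity
    import org.springframework.security.web.SecurityFilterChain

    @Configuration
    class SecurityConfig {
        @Bean
        fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
            http
                .webAuthn { it
                    .rpName("Example")
                    .rpId("example.localhost")
                    .allowedOrigins("https://example.localhost")
                }
                .authorizeRequests { it
                    .anyRequest()
                    .permitAll()
                }
                .csrf { it.disable() }
            return http.build()
        }
    }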
Try to POST to /webauthn/register/options
Expected behavior
The request would return a 200 with the Registration Options.