trussed-dev / fido2-tests

Test suite for FIDO2, U2F, and other security key functions

Remove "rk" option in test_resident_key_auth and test_user_info_returned #14

Closed andrewkozlik closed 4 years ago

andrewkozlik commented 4 years ago

The tests TestResidentKey::test_resident_key_auth and TestResidentKey::test_user_info_returned send an authenticatorGetAssertion request with the "rk" option set to true. According to https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html#authenticatorGetAssertion the "rk" option is not valid for this command, because it's not listed in the options parameters table. According to step 5 the correct response to the request is therefore CTAP2_ERR_INVALID_OPTION.

The correct way to request usage of device-resident credentials is to send an empty allowList.
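
The behaviour described in the issue above, as an added example that is not part of the original issue or of fido2-tests: a simplified Python model of the authenticator-side checks for authenticatorGetAssertion under CTAP 2.0. The function names, the request dictionaries and the credential store are assumptions constructed for illustration; the status code values are those defined by the CTAP 2.0 specification.

```python
# Added example: simplified model of authenticatorGetAssertion handling.
# Not code from fido2-tests or from any authenticator firmware.
CTAP2_OK = 0x00
CTAP2_ERR_INVALID_OPTION = 0x2C
CTAP2_ERR_NO_CREDENTIALS = 0x2E

KNOWN_OPTIONS = {"rk", "up", "uv"}      # option keys defined by CTAP 2.0
GET_ASSERTION_OPTIONS = {"up", "uv"}    # keys listed for authenticatorGetAssertion

# Constructed sample store: rpId -> credentials held by the authenticator.
STORE = {
    "example.org": [
        {"id": b"cred-resident", "resident": True},
        {"id": b"cred-server-side", "resident": False},
    ],
}


def check_options(options):
    """Step 5: a known option that is not valid for this command is an error."""
    for name in (options or {}):
        if name not in KNOWN_OPTIONS:
            continue  # options that are not understood are ignored
        if name not in GET_ASSERTION_OPTIONS:
            return CTAP2_ERR_INVALID_OPTION
    return CTAP2_OK


def get_assertion(request, store):
    """Return (status, ids of the credentials usable for the assertion)."""
    status = check_options(request.get("options"))
    if status != CTAP2_OK:
        return status, []
    rp_creds = store.get(request["rpId"], [])
    allow_list = request.get("allowList") or []
    if allow_list:
        # Non-empty allowList: only the listed credential ids are candidates.
        wanted = {descriptor["id"] for descriptor in allow_list}
        found = [c for c in rp_creds if c["id"] in wanted]
    else:
        # Empty or absent allowList: fall back to device-resident credentials.
        found = [c for c in rp_creds if c["resident"]]
    if not found:
        return CTAP2_ERR_NO_CREDENTIALS, []
    return CTAP2_OK, [c["id"] for c in found]
```

A conformance test built on this model would expect the error status for any getAssertion request carrying "rk", and would select resident credentials by leaving allowList empty.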