tweag / webauthn

A library for parsing and validating webauthn/fido2 credentials
Apache License 2.0

Check if user handle is an empty string #148

Closed lykahb closed 2 years ago

lykahb commented 2 years ago

This fixes authentication on Safari #147

infinisil commented 2 years ago

This is strictly non-conforming behavior:

> The user handle MUST NOT be empty, though it MAY be null.

@lykahb Can you report this to Apple? If it's a bug, they should fix it.

I think this change is fine if you add a code comment how this is a Safari-specific workaround, but not actually conform (giving the above spec sentence as a reference).

lykahb commented 2 years ago

@infinisil Updated the comment; it now includes the reference to the Safari WebKit bug report.

I think that the spec is not clear, though: the link is to the user handle entry under "5.4.3. User Account Parameters for Credential Generation (dictionary PublicKeyCredentialUserEntity)". The 5.2.2. Web Authentication Assertion does not explicitly say that the user handle may not be an empty string. It may also be worth opening an issue for the W3C spec to clarify the acceptable user handle values in the assertion.

infinisil commented 2 years ago

@lykahb Nice, thanks for that webkit bug report! Good spot regarding the specification as well, I opened an issue for that, see the above link. Let's also link to the webauthn issue from the code comment.

lykahb commented 2 years ago

Can anyone merge this if the changes look good? This would enable me to switch to using upstream again.