wso2 / product-is

Welcome to the WSO2 Identity Server source code! For info on working with the WSO2 Identity Server repository and contributing code, click the link below.
http://wso2.github.io/
Apache License 2.0

U2F UserHandle validation failure when a single user has multiple devices registered #16575

Open lashinijay opened 1 year ago

lashinijay commented 1 year ago

Describe the issue: When a single user registers multiple FIDO devices, the user can successfully authenticate only via one device (most of the time the first device that was registered). In products up to (and including) IS-6.1 this was only reproducible on older MacBooks (MacBook Pro 2015 and 2020). However, in the master branch this is reproducible with any device.

How to reproduce:

Expected behavior: User should be able to login(authenticate) with all the devices that are configured.

Environment information (Please complete the following information; remove any unnecessary fields):


Optional Fields

Related issues:

lashinijay commented 1 year ago

Analysis of the issue

In the master branch this is reproducible with newer devices as well (ThinkPad X1 Carbon Gen 8). As for the analysis carried out, after the Yubico WebAuthn major version upgrade from 1.12.1 to 2.4.0 [1], this issue appeared in newer devices too. However, according to WebAuthn support [2], the userhandle should be unique to the user and should be shared if there are multiple devices registered for the same user. In our current implementation we are generating a new userhandle [3] for each device registration even though there is an existing userhandle for the user.

This behavior will be fixed with [4]. After correcting the device registration flow, login with multiple devices will be fixed in the master branch as well.

[1] - https://github.com/wso2-extensions/identity-local-auth-fido/pull/99
[2] - https://github.com/Yubico/java-webauthn-server/issues/313#issuecomment-1674641248
[3] - https://github.com/wso2-extensions/identity-local-auth-fido/blob/master/components/org.wso2.carbon.identity.application.authenticator.fido2/src/main/java/org/wso2/carbon/identity/application/authenticator/fido2/core/WebAuthnService.java#L931
[4] - https://github.com/wso2-extensions/identity-local-auth-fido/pull/109
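The defect described in the comment above, modelled as an added Python example (not code from WSO2 Identity Server or the Yubico library): a relying party that issues a fresh user handle on every registration leaves each authenticator holding a different handle, so only the device whose stored handle matches the one the RP looks up at assertion time can log in; reusing the user's existing handle lets every registered device authenticate. Which of several stored handles the RP's lookup returns is an assumption of the model (the first issued, matching the report that the first registered device usually keeps working).

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class StoredCredential:
    credential_id: bytes
    user_handle: bytes  # the authenticator keeps the handle it was given at registration


@dataclass
class UserRecord:
    username: str
    user_handles: list = field(default_factory=list)  # every handle the RP ever issued
    credential_ids: set = field(default_factory=set)


class RelyingParty:
    """Minimal RP model: reuse_user_handle=False reproduces the per-registration
    handle generation described in the issue; True is the corrected behaviour."""

    def __init__(self, reuse_user_handle: bool):
        self.reuse_user_handle = reuse_user_handle
        self.users: dict = {}

    def register(self, username: str, credential_id: bytes) -> StoredCredential:
        user = self.users.setdefault(username, UserRecord(username))
        if user.user_handles and self.reuse_user_handle:
            handle = user.user_handles[0]      # fixed: one stable handle per user
        else:
            handle = secrets.token_bytes(32)   # buggy path: new handle on every registration
            user.user_handles.append(handle)
        user.credential_ids.add(credential_id)
        # The authenticator stores exactly the user.id the RP sent in the creation options.
        return StoredCredential(credential_id, handle)

    def finish_assertion(self, username: str, cred: StoredCredential) -> bool:
        user = self.users.get(username)
        if user is None or cred.credential_id not in user.credential_ids:
            return False
        # The RP can only hand one handle to the validation step; with several on
        # record this model assumes the first issued one is returned.
        return cred.user_handle == user.user_handles[0]


def devices_that_can_login(reuse_user_handle: bool, device_count: int = 3) -> list:
    """Register device_count authenticators for one user (constructed sample data)
    and return the indexes of those whose assertion still validates."""
    rp = RelyingParty(reuse_user_handle)
    creds = [rp.register("alice", f"device-{i}".encode()) for i in range(device_count)]
    return [i for i, c in enumerate(creds) if rp.finish_assertion("alice", c)]
```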