Issue
Having got Platform Authenticator and Multi-device Authentication working, I am trying to expand my FIDO2 knowledge by reading through WebAuthn issues on GitHub. To this end I was testing Discoverable Credentials (i.e. specifying allowCredentials as an empty []).
I couldn't get the signing to match, so I reverted to allowing only the credential id I had just CREATEd, but now I still keep getting prompted to specify a device when I call GET, and the signatures still don't match. This is the JS code:
var allowCredentials = [{
    type: "public-key",
    // atob() only accepts standard base64; a base64url id ('-' / '_') throws here
    id: Uint8Array.from(atob(credentialId), x => x.charCodeAt(0)).buffer
}];
var getAssertionOptions = {
    timeout: 60000,
    // these bytes are what the browser base64url-encodes into clientDataJSON.challenge,
    // so the server must compare against exactly the same bytes
    challenge: Uint8Array.from(serverChallenge.Token, c => c.charCodeAt(0)).buffer,
    allowCredentials: allowCredentials,
    userVerification: "required"
};
return navigator.credentials.get({
    publicKey: getAssertionOptions
}).then(rawAssertion => {
    var response = rawAssertion.response;
    var assertion = {
        id: base64encode(rawAssertion.rawId),
        clientDataJSON: utf8Decoder.decode(response.clientDataJSON),
        // userHandle is null for credentials that carry no user handle; don't encode null
        userHandle: response.userHandle ? base64encode(response.userHandle) : null,
        signature: base64encode(response.signature),
        authenticatorData: base64encode(response.authenticatorData)
    };
    return assertion;
});
and this is the C# signature check:
// data must be the raw bytes authenticatorData || SHA-256(clientDataJSON), not the
// base64 strings, and ECDsaSig is the ASN.1 DER signature the authenticator returned.
// Note: this VerifyData overload expects an IEEE P1363 (r||s) signature, so a DER
// signature has to be converted first (or, on .NET 5+, use the overload that takes
// DSASignatureFormat.Rfc3279DerSequence).
using (ECDsa dsa = ECDsa.Create(ecparams))
{
    if (dsa.VerifyData(data, ECDsaSig, HashAlgorithmName.SHA256))
    {
        Console.WriteLine("The signature is valid.");
    }
    else
    {
        Console.WriteLine("The signature is not valid.");
        return FAIL_STATUS;
    }
}
Now this code "used to work" using my Samsung phone, but then (IIRC) I wasn't being re-prompted for a device for verification. UPDATE: Sometimes, the first time after CREATE, the GET will work by returning a correctly signed load. But now I can't reproduce that :-(
Look, this clearly sounds like developer/pilot error on my behalf, but I just want to see if it rings any bells? I have cleared all cache, rebooted, can't find any "credentials" in any password history, and am at a loss. I thought there may be some signature timeout, but I've extended everything I could.
Q1. Was I always prompted to select a device even though I said to only allow this Samsung credential?
NB: If I use the platform authenticator on my phone then the same thumbprint works. EC encryption.
Chrome: Version 103.0.5060.134 (Official Build) (64-bit)
Solution
I'm assuming, because you are testing on a Samsung device, that you are running Android. Sadly, at the moment Android does not support discoverable credentials / resident keys. Your previous flows would work, as you are able to invoke the WebAuthn ceremony with credentials populating the allowList.
I tested on a WebAuthn environment of mine and confirmed that I am getting an error that reads "Use of an empty 'allowCredentials' list is not supported on this device" (I'm using Chrome on a Pixel 5 device).
Google has indicated that discoverable credential support is coming to Android soon to help support their passkey implementation.
For now I would recommend that you test your discoverable credential flow on another device with a platform authenticator to see if it works.
As for some of your other errors, I may need more information to help identify the issue.
Hope this helps.
Answered By - Cody Salas
Answer Checked By - Marilyn (JavaFixing Volunteer)