Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Verification Options do not Return Saved Transports for Credentials #16084

Open
Jyosua opened this issue Nov 13, 2024 · 0 comments
Open

Verification Options do not Return Saved Transports for Credentials #16084

Jyosua opened this issue Nov 13, 2024 · 0 comments
Assignees
@rwinch
Labels
in: web An issue in web modules (web, webmvc) status: waiting-for-triage An issue we've not yet triaged type: bug A general bug

Comments

@Jyosua
Copy link

Jyosua commented Nov 13, 2024
edited
Loading

Describe the bug
The transports saved with the credential during the registration request are not returned in the transports property of same credential within the Verification Options response provided by /webauthn/authenticate/options.

Note that I'm using the RC version of Spring Security 6.4.0.

To Reproduce

  1. Add a Security Configuration using the following implementation:
@Configuration
class SecurityConfig {

    @Bean
    fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
        http
            .webAuthn{ it
                    .rpName("Example")
                    .rpId("example.localhost")
                    .allowedOrigins("https://example.localhost")
            }
            .authorizeRequests { it
                    .anyRequest()
                    .permitAll()
            }
            .csrf { it.disable() }
            
        return http.build()
    }

    val userDetails = User.withDefaultPasswordEncoder()
		.username("user")
		.password("password")
		.roles("USER")
		.build()

    @Bean
    fun userDetailsService(): UserDetailsService {
    	return InMemoryUserDetailsManager(userDetails)
    }
}
  1. Register a credential like the example in the docs but with an internal transport. Chrome virtual authenticator can be used to do this fairly easily.
{
  "publicKey": {
    "credential": {
      "id": "dYF7EGnRFFIXkpXi9XU2wg",
      "rawId": "dYF7EGnRFFIXkpXi9XU2wg",
      "response": {
        "attestationObject": "o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YViUy9GqwTRaMpzVDbXq1dyEAXVOxrou08k22ggRC45MKNhdAAAAALraVWanqkAfvZZFYZpVEg0AEHWBexBp0RRSF5KV4vV1NsKlAQIDJiABIVggQjmrekPGzyqtoKK9HPUH-8Z2FLpoqkklFpFPQVICQ3IiWCD6I9Jvmor685fOZOyGXqUd87tXfvJk8rxj9OhuZvUALA",
        "clientDataJSON": "eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiSl9RTi10SFJYRWVKYjlNcUNrWmFPLUdOVmlibXpGVGVWMk43Z0ptQUdrQSIsIm9yaWdpbiI6Imh0dHBzOi8vZXhhbXBsZS5sb2NhbGhvc3Q6ODQ0MyIsImNyb3NzT3JpZ2luIjpmYWxzZX0",
        "transports": [
          "internal"
        ]
      },
      "type": "public-key",
      "clientExtensionResults": {},
      "authenticatorAttachment": "platform"
    },
    "label": "1password"
  }
}
  1. POST to /webauthn/authenticate/options
  2. The resulting response will have the registered credential in the allowCredentials, but the transports array will be empty.

Expected behavior
The request would return the credential in the allowCredentials with the same transport as was registered.
@Jyosua Jyosua added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Nov 13, 2024
@sjohnr sjohnr added the in: web An issue in web modules (web, webmvc) label Nov 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rwinch rwinch

Labels
in: web An issue in web modules (web, webmvc) status: waiting-for-triage An issue we've not yet triaged type: bug A general bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@rwinch @sjohnr @Jyosua