AuthenticatorSelectionCriteria#authenticatorAttachment option is handled incorrectly
Reported by
ynoj...@ynojima.net,
Aug 2
|
|||||||
Issue descriptionSteps to reproduce the problem: 1. Access https://webauthndemo.appspot.com/ with your Android with fingerprint reader (I tested with Xperia Z5 Compact). The website is a WebAuthn demo provided by Google. 2. Login with your google account. 3. Enable "Advanced options" on the page. 4. Set "Attachment Type" to "N/A" 5. Press "REGISTER NEW CREDENTIAL" button. What is the expected behavior? The authenticator selection screen contains the fingerprint reader in its list. What went wrong? Only Bluetooth and NFC are listed in its options. The fingerprint reader option is missing. Web Authentication spefication defines "authenticatorAttachment" in this way: "If this member is present, eligible authenticators are filtered to only authenticators attached with the specified ยง5.4.5 Authenticator Attachment enumeration (enum AuthenticatorAttachment)." https://www.w3.org/TR/webauthn/#authenticatorSelection If "authenticatorAttachment" option is not specified, all the available authenticators must be listed, but it isn't. Did this work before? N/A Does this work in other browsers? N/A Chrome version: 70.0.3508.0 Channel: canary OS Version: Flash Version: If AuthenticatorSelectionCriteria is not set to PublicKeyCredentialCreationOptions, the fingerprint reader option shows up in the authenticator selection screen. That's how it I confirmed my Android device is capable of verifying a user with fingerprint with WebAuthn. Component of this issue is "Blink>WebAuthentication", but I couldn't select it while filing the issue.
,
Aug 8
Unable to reproduce this issue on pixel 2XL using latest canary 70.0.3415.4/Android 9 with chelamcherla@google.com account. 1. Connected fingerprint reader, navigated to https://webauthndemo.appspot.com/ 2. Enabled "Advanced options" on the page. 3. Set "Attachment Type" to "N/A" 4. Pressed "REGISTER NEW CREDENTIAL" button -- after 2 sec observing err "An error occurred during Make credentials operation..." Attaching screencast for reference. NOTE: Checked issue twice by reolading page and also re-connecting finger print device. @ynojima: Please check screencast and let us know if we miss anything. Please provide screencast on reproducing the issue along with android version you are testing on. This would help in better triaging of the issue. Thanks!
,
Aug 8
Sorry, I missed one instruction regarding enabling Web Authentication feature. Please open "chrome:flags" and make "Web Authentication API" "Enabled".
,
Aug 8
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Aug 9
Looks like this is related to the Android implementation -- Kim, can you please take a look?
,
Aug 14
I took a look but I also was unable to reproduce this error. I get offered the choice to use fingerprint. @ynojima, which version of Google Play Services are you using? @Dongjing, Clank is passing in a null authenticatorAttachment in this scenario, which the Fido2 API turns into AuthenticatorAttachment.ANY and should work as expected. (https://cs.corp.google.com/clank/java/src/com/google/android/apps/chrome/webauth/Fido2Helper.java?q=+package:%5Eclank$+lang:java&dr&l=278) Do you know if maybe this particular aspect of the Fido2 API that we expect is more recent than v19? If so, can you determine what the v19 behavior would be in this instance?
,
Aug 20
Sorry for belated reply. Here is my version info: Google Play Developer Services Version: 12.8.74(040406-204998136)
,
Aug 20
@Dongjing, is this not v19 anymore? Also, can you see my earlier question in comment #6?
,
Aug 20
I could not reproduce this issue on my device either. If the "Attachment Type" is set to N/A, the "Use security key with Fingerprint" option is still present. This issue is not present on the latest Google Play Services on my device. It looks like there were some changes to isDeviceSecure() in Fido2RequestController. I think it should make into v19 cut.
,
Aug 20
@ynojima, one other question. What Android platform are you running? Is this N+, or prior to N?
,
Aug 21
I tried with latest Chrome canary 70.0.3525.3 again, and I found finger print option now shows up. Thank you for your investigation. It seems something changed between 70.0.3508.0 and 70.0.3525.3. My Xperia Z5 Compact runs Android 7.0
,
Aug 22
Hm, curious. I'm really not sure what could have changed. I'm going to close this for now, but feel free to re-open if the behavior resurfaces. |
|||||||
►
Sign in to add a comment |
|||||||
Comment 1 by chelamcherla@chromium.org
, Aug 3Labels: Needs-triage-Mobile