
Comments (5)

Spomky commented on July 17, 2024

Hi @Flole998,

Can you please send me the authenticator options and response as JSON objects?
I will try to understand this behavior. I wonder if this is due to the upcoming Webauthn v3 which is not supported yet.

from webauthn-framework.

Flole998 commented on July 17, 2024

I just did some additional debugging, and the "missing" signature is intended and simply caused by the library doing the client-side part: https://github.com/MasterKale/SimpleWebAuthn/blob/fe90e2765b2bfab2405ef2875c9c98d39d66416e/packages/browser/src/methods/startRegistration.ts#L101

You can see what parameters it passes to the server in the line I linked.

Either they are interpreting the standard in a different way or (what is more likely IMO) this library is requiring more than it should/the condition is wrong. I would assume the condition I linked to above is wrong, and it should be either
array_key_exists('attestationObject', $response) && ( ! array_key_exists('authenticatorData', $response) || ! array_key_exists('signature', $response) ), meaning "if attestationObject is set and either authenticatorData or signature is missing, use the attestationObject, otherwise (if authenticatorData and signature are present) use that, otherwise fail", or probably also a simple array_key_exists('attestationObject', $response) could work, which means "if attestationObject is set, use it, otherwise check for authenticatorData and signature, use if present, fail otherwise".

I will try to set up a debug environment so I am not sending you some real-world data if you still need the options/responses.


Spomky commented on July 17, 2024

Hi @Flole998,

I tried to figure out what is going on and I think I spotted the issue.
The verification was done as per the Webauthn v1 where the Assertion Response (login) contains both authenticatorData and signature.
The Attestation Response (creation) was only supposed to contain an attestationObject.

It changed in v2 where the authenticatorData can be present in the Attestation Response.

From my understanding, the only required key for the Assertion Response is the signature.
For the Attestation Response, the absence of the signature or the presence of the attestationObject should be sufficient.

from webauthn-framework.
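
An added example, not code from webauthn-framework or from either commenter: it runs the two candidate conditions proposed in the thread over constructed response arrays to show where they agree and where they differ. The function names and sample payloads are assumptions made for illustration; only the key names attestationObject, authenticatorData and signature come from the thread.

```php
<?php
declare(strict_types=1);

// Candidate 1 from the thread: attestationObject is set AND
// authenticatorData or signature is missing.
function isAttestationStrict(array $r): bool
{
    return array_key_exists('attestationObject', $r)
        && (!array_key_exists('authenticatorData', $r) || !array_key_exists('signature', $r));
}

// Candidate 2 from the thread: attestationObject alone decides.
function isAttestationSimple(array $r): bool
{
    return array_key_exists('attestationObject', $r);
}

// Hypothetical helper: classify a decoded "response" member and fail closed
// when it matches neither shape.
function classify(array $r, callable $isAttestation): string
{
    if ($isAttestation($r)) {
        return 'attestation';
    }
    if (array_key_exists('authenticatorData', $r) && array_key_exists('signature', $r)) {
        return 'assertion';
    }
    throw new InvalidArgumentException('Unrecognised authenticator response');
}

// Constructed payloads: values are placeholders, only the key sets matter.
$samples = [
    'v1 registration' => ['clientDataJSON' => 'x', 'attestationObject' => 'x'],
    'v2 registration' => ['clientDataJSON' => 'x', 'attestationObject' => 'x', 'authenticatorData' => 'x'],
    'login'           => ['clientDataJSON' => 'x', 'authenticatorData' => 'x', 'signature' => 'x'],
    'all three keys'  => ['attestationObject' => 'x', 'authenticatorData' => 'x', 'signature' => 'x'],
    'neither'         => ['clientDataJSON' => 'x'],
];

foreach ($samples as $name => $r) {
    foreach (['strict' => 'isAttestationStrict', 'simple' => 'isAttestationSimple'] as $label => $fn) {
        try {
            $result = classify($r, $fn);
        } catch (InvalidArgumentException $e) {
            $result = 'rejected';
        }
        printf("%-16s %-6s => %s\n", $name, $label, $result);
    }
}
```

The two candidates agree on every sample except the one carrying all three keys, which the first routes to the assertion path and the second to the attestation path.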

Spomky commented on July 17, 2024

Should be fixed in 4.8.5.
Feel free to reopen if this is still an issue.


github-actions commented on July 17, 2024

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

