Comments (5)
Hi @Flole998,
Can you please send me the authenticator options and response as JSON objects?
I will try to understand this behavior. I wonder if this is due to the upcoming Webauthn v3 which is not supported yet.
from webauthn-framework.
I just did some additional debugging, and the "missing" signature is intended and simply caused by the library doing the client-side part: https://github.com/MasterKale/SimpleWebAuthn/blob/fe90e2765b2bfab2405ef2875c9c98d39d66416e/packages/browser/src/methods/startRegistration.ts#L101
You can see what parameters it passes to the server in the line I linked.
Either they are interpreting the standard in a different way or (what is more likely IMO) this library is requiring more than it should/the condition is wrong. I would assume the condition I linked to above is wrong, and it should be either array_key_exists('attestationObject', $response) && ( ! array_key_exists('authenticatorData', $response) || ! array_key_exists('signature', $response) ), meaning "if attestationObject is set and either authenticatorData or signature is missing use the attestationObject, otherwise (if authenticatorData and signature is present) use that, otherwise fail", or probably also a simple array_key_exists('attestationObject', $response) could work, which means "if attestationObject is set use it, otherwise check for authenticatorData and signature, use if present, fail otherwise".
I will try to set up a debug environment so I am not sending you some real-world data if you still need the options/responses.
Hi @Flole998,
I tried to figure out what is going on and I think I spotted the issue.
The verification was done as per the Webauthn v1 where the Assertion Response (login) contains both authenticatorData and signature.
The Attestation Response (creation) was only supposed to contain an attestationObject.
It changed in v2 where the authenticatorData can be present in the Attestation Response.
From my understanding, the only required key for the Assertion Response is the signature.
For the Attestation Response, the absence of the signature or the presence of the attestationObject should be sufficient.
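The three rules discussed in this thread, side by side, as an added example that is not code from webauthn-framework or from any commenter. Function names are hypothetical, the maintainer's rule is coded from one reading of the reply above, and the sample payloads are constructed with placeholder values.

```php
<?php
declare(strict_types=1);
// Added illustration, not webauthn-framework code; every name here is hypothetical.

// Shared fallback: an assertion needs authenticatorData and signature, else fail.
function assertionOrReject(array $r): string
{
    $ok = array_key_exists('authenticatorData', $r) && array_key_exists('signature', $r);
    return $ok ? 'assertion' : 'reject';
}

// First condition proposed in the thread.
function proposalA(array $r): string
{
    $isAttestation = array_key_exists('attestationObject', $r)
        && (! array_key_exists('authenticatorData', $r) || ! array_key_exists('signature', $r));
    return $isAttestation ? 'attestation' : assertionOrReject($r);
}

// Second, simpler condition proposed in the thread.
function proposalB(array $r): string
{
    return array_key_exists('attestationObject', $r) ? 'attestation' : assertionOrReject($r);
}

// One reading of the maintainer's rule: no signature, or an attestationObject,
// means attestation; anything else carries a signature and is an assertion.
// Classification only: the chosen response type must still be validated afterwards.
function maintainerRule(array $r): string
{
    $isAttestation = ! array_key_exists('signature', $r) || array_key_exists('attestationObject', $r);
    return $isAttestation ? 'attestation' : 'assertion';
}

// Constructed payloads; only the key names matter, values are placeholders.
$x = '<placeholder>';
$samples = [
    'v1 registration'      => ['clientDataJSON' => $x, 'attestationObject' => $x],
    'v2 registration'      => ['clientDataJSON' => $x, 'attestationObject' => $x, 'authenticatorData' => $x],
    'login'                => ['clientDataJSON' => $x, 'authenticatorData' => $x, 'signature' => $x],
    'both markers present' => ['attestationObject' => $x, 'authenticatorData' => $x, 'signature' => $x],
    'neither marker'       => ['clientDataJSON' => $x],
];

foreach ($samples as $label => $r) {
    printf("%-21s A=%-11s B=%-11s M=%s\n", $label, proposalA($r), proposalB($r), maintainerRule($r));
}
```

The three rules agree on the two registration shapes and on the login shape; they differ only on the constructed payloads that carry both markers or neither.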
Should be fixed in 4.8.5.
Feel free to reopen if this is still an issue.
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.