
@melissaahn
Contributor

Summary

The Windows app team found a bug while testing cross-device passkey auth: https://microsoft.visualstudio.com/OS/_workitems/edit/55529057

In the logs, I see that the first attempt fails due to the userHandle attribute being missing in the response from CredMan. We currently have this attribute set as required, since the server side had mentioned that this attribute was required for them, but looking at the official WebAuthn spec, userHandle is only required if allowCredentials is NOT provided. If it is (like in the first attempt) then userHandle is optional: https://w3c.github.io/webauthn/#iface-authenticatorassertionresponse

I've confirmed with Authenticator that they always do send userHandle, and our current thinking is that some middle layer (since this is cross-device auth) might be removing that value from the final response. I'm not sure why this might be the case, but this is perfectly fine according to the WebAuthn spec. Therefore, we will follow the spec as well and will not block the response on userHandle.
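
The rule described in the post above, as an added example that is not part of this pull request or the project's code: a JavaScript check of an assertion's fields in which userHandle is required only when allowCredentials was empty. The function name, argument shapes and sample values are assumptions, and the mismatch check on a userHandle that is present goes beyond what the post describes.

```javascript
// Added example. checkAssertionFields and the sample values are hypothetical;
// field names follow the WebAuthn assertion JSON shape (id, response.*).
const ALWAYS_REQUIRED = ['clientDataJSON', 'authenticatorData', 'signature'];
const present = (v) => typeof v === 'string' && v.length > 0;

// requestOptions: options the assertion was requested with.
// assertion: { id, response: { clientDataJSON, authenticatorData, signature, userHandle? } }
// knownUserHandle: handle of the account identified before the ceremony, or null.
function checkAssertionFields(requestOptions, assertion, knownUserHandle = null) {
  const errors = [];
  const response = (assertion && assertion.response) || {};
  for (const field of ALWAYS_REQUIRED) {
    if (!present(response[field])) errors.push(`missing ${field}`);
  }
  const allow = Array.isArray(requestOptions.allowCredentials)
    ? requestOptions.allowCredentials : [];
  const hasUserHandle = present(response.userHandle);
  if (allow.length === 0) {
    // No allowCredentials: the account can only be found through userHandle.
    if (!hasUserHandle) errors.push('missing userHandle');
  } else {
    // allowCredentials given: the credential id identifies the account,
    // so a response without userHandle is accepted.
    if (!allow.some((c) => c.id === assertion.id)) {
      errors.push('credential id not in allowCredentials');
    }
    if (hasUserHandle && knownUserHandle !== null
        && response.userHandle !== knownUserHandle) {
      errors.push('userHandle mismatch');
    }
  }
  return { ok: errors.length === 0, errors };
}

// Constructed sample data (base64url-looking placeholders, not real values).
const SAMPLE_OPTIONS = { allowCredentials: [{ type: 'public-key', id: 'Y3JlZC0x' }] };
const SAMPLE_ASSERTION = {
  id: 'Y3JlZC0x',
  response: { clientDataJSON: 'e30', authenticatorData: 'AAAA', signature: 'MEUC' },
};

console.log(checkAssertionFields(SAMPLE_OPTIONS, SAMPLE_ASSERTION));
console.log(checkAssertionFields({ allowCredentials: [] }, SAMPLE_ASSERTION));
```

The first call passes without userHandle because allowCredentials was supplied; the second reports the missing userHandle because it was not.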

@melissaahn melissaahn marked this pull request as ready for review December 20, 2024 22:27
@melissaahn melissaahn requested a review from a team as a code owner December 20, 2024 22:27
@melissaahn
Contributor Author

I'm going to disable the assemble consumers part for the purpose of merging. Everything passed except for the MSAL stage, which seems to be failing due to a Native Auth unit test.

@melissaahn melissaahn added the Skip-Consumers-Check Only include this if making a breaking change purposefully, and there is an MSAL/ADAL/Broker PR label Jan 2, 2025
@melissaahn melissaahn merged commit 9954c92 into dev Jan 2, 2025
22 of 24 checks passed
@melissaahn melissaahn deleted the melissaahn/UserHandle branch January 2, 2025 20:22

4 participants