Passkeys - JSON.stringify() fallback for various password managers

[maartenba]

Passkeys - JSON.stringify() fallback for various password managers

Some password managers do not implement PublicKeyCredential.prototype.toJSON correctly, which is required for JSON.stringify() to work when serializing a passkey credential - e.g. https://www.1password.community/discussions/1password/typeerror-illegal-invocation-in-chrome-browser/47399

This PR adds a fallback to work with various password managers.

• Issue: Passkeys - Illegal invocation with 1Password #62916
• Note the helper function to convert to base64 is from @abergs helper functions at https://github.com/passwordless-lib/fido2-net-lib/blob/master/Demo/wwwroot/js/helpers.js (MIT License, suggestions on how to communicate this in the PR are welcome)

[Copilot]

Pull Request Overview

This PR adds a fallback mechanism for JSON serialization of passkey credentials to handle password managers that don't properly implement PublicKeyCredential.prototype.toJSON. The change addresses compatibility issues where JSON.stringify() fails with an "Illegal invocation" error in certain password managers like 1Password.

• Wraps the existing JSON.stringify(credential) call in a try-catch block
• Implements manual JSON serialization as a fallback when the standard approach fails
• Adds a helper function to convert ArrayBuffer/Uint8Array data to base64url format

[abergs]

Since I was pinged, for some long forgotten reason I rewrote the helpers here:
https://github.com/bitwarden/passwordless-client-js/blob/main/src/passwordless.ts#L439-L487 (Apache 2.0)

[javiercn]

@maartenba can you name which password managers are affected by this?

I'm not keen on dumping a bunch of code like this on the template to work around a bug in a password manager implementation. I would rather have the password managers fix their implementation to be compliant.

As an alternative we can offer this as a sample but putting it on the template raises other concerns like maintainability, updates and so on in the longer term.

[maartenba]

@javiercn agree this is the password manager's responsibility, looks like at least 1Password has had this issue for a longer time now with no resolution in sight. If there are docs (or planned docs) I'm happy to suggest a PR there to provide guidance to others who may want to handle this issue in their application.

[javiercn]

@mikekistler @MackinnonBuck thoughts on putting this on docs instead?

[mikekistler]

@javiercn @maartenba I agree that we probably don't want to bloat the templates with workaround logic for bugs in password managers. We are certainly planning docs for the Passkey support and putting some guidance there for this issue seems reasonable.

[maartenba]

Feel free to reuse the JS code here, or if you'd like that as a contribution when working on docs I'd be happy to help.

[MackinnonBuck]

I agree that mentioning this in the docs is the right direction.

[javiercn]

@maartenba @MackinnonBuck @mikekistler I've created #63078 to track the doc additions. I'm going to close the PR for now since we don't plan to take it.

@maartenba thanks in any case for putting this forward and starting the discussion.