Description
When an authenticator responds to a GetAssertion request, it may omit the credential ID if the allow list contained exactly one credential descriptor (since it's unambiguous which credential was used).
However, for client/RP convenience, libwebauthn should always populate the credential ID in the response, even if the authenticator doesn't return it. This means remembering the ID from the request when the allow list has exactly one entry.
Originally noted by @iinuwa in credentialsd:
I believe this is optional since authenticators may omit sending the credential ID if it was unambiguously specified in the request. As a convenience, we should always return a credential ID, even if the authenticator doesn't. This means we'll have to remember the ID on the request if the allow-list has exactly one credential descriptor. This should probably be done in libwebauthn.
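
The fallback described in this issue, as an added Rust example that is not libwebauthn's own code. The types, function name and error variants are hypothetical, and the two error cases (ID omitted when the allow list is not a single entry, returned ID outside the allow list) are an assumed policy rather than something the issue specifies.

```rust
// Added example: hypothetical types, not libwebauthn's actual API.
#[derive(Debug, Clone, PartialEq)]
pub struct CredentialDescriptor {
    pub id: Vec<u8>,
}

#[derive(Debug, PartialEq)]
pub enum FillError {
    /// ID omitted although the allow list did not have exactly one entry.
    AmbiguousCredential,
    /// Authenticator named a credential outside a non-empty allow list.
    NotInAllowList,
}

/// Resolve the credential ID to hand back to the client/RP.
/// `allow_list` is remembered from the GetAssertion request;
/// `returned` is the ID from the authenticator's response, if it sent one.
pub fn resolve_credential_id(
    allow_list: &[CredentialDescriptor],
    returned: Option<Vec<u8>>,
) -> Result<Vec<u8>, FillError> {
    match (returned, allow_list) {
        // Authenticator sent an ID: keep it, but (assumed policy) require
        // that it was one the request allowed when an allow list was given.
        (Some(id), list) => {
            if list.is_empty() || list.iter().any(|c| c.id == id) {
                Ok(id)
            } else {
                Err(FillError::NotInAllowList)
            }
        }
        // ID omitted and exactly one descriptor was requested: unambiguous,
        // so fill it in from the remembered request.
        (None, [only]) => Ok(only.id.clone()),
        // ID omitted with an empty or multi-entry allow list: we cannot tell
        // which credential signed, so surface an error (assumed policy).
        (None, _) => Err(FillError::AmbiguousCredential),
    }
}

fn main() {
    // Constructed sample credential IDs.
    let a = CredentialDescriptor { id: vec![0xAA; 16] };
    let b = CredentialDescriptor { id: vec![0xBB; 16] };
    println!("{:?}", resolve_credential_id(&[a.clone()], None));
    println!("{:?}", resolve_credential_id(&[a, b], None));
}
```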