Re: [webauthn] Fix #720: Don't return user handle in 2nd factor mode

I am reopening this PR. 

The confusion is coming because 2nd factor != server credentials in all the cases. 

CTAP spec needs clarification as there is no user information returned in authenticatorGetAssertion for server credentials and U2F devices as it is not available to the authenticator. For device resident keys, userID MUST be returned (irrespective of whether credentialID list is provided or not). I will open the clarification PR for CTAP spec. 

Regarding this PR, it needs more work. Irrespective of whether the allow credential ID list is present or not, if the authenticator is giving userID back, it should be returned to the RP.

So the sections in this PR which talk about whether the user ID returned from the authenticator is null or not are correct. Sections which talk about removing this information when the credential ID list is present are not correct.

-- 
GitHub Notification of comment by akshayku
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/730#issuecomment-353642489 using your GitHub account

Received on Friday, 22 December 2017 17:30:27 UTC