[webauthn] Require non-null userHandle when allowCredentials is empty? (#1892)

emlun has just created a new issue for https://github.com/w3c/webauthn:

== Require non-null userHandle when allowCredentials is empty? ==
## Proposed Change

Add language to [§6.3.3. The _authenticatorGetAssertion_ Operation](https://w3c.github.io/webauthn/#sctn-op-get-assertion) to require the authenticator to return a non-null `userHandle` when `allowCredentials` is empty.


## Background

This was originally reported by @ionelMihai in https://github.com/Yubico/java-webauthn-server/issues/94#issuecomment-1551084810:

>We have a case where a user is using Mac Studio (Ventura 13.3.1 ), and for the authentication where options.allowCredentials is empty his request is failing because it looks like Mac Studio is not setting the userHandle on the response either. So the validation [as implemented in Yubico/java-webauthn-server] is failing.

As far as I can tell, this authenticator implementation is against the _spirit_ of the spec but I don't think it's against the _letter_ of the spec. [Step 15 of authenticatorGetAssertion](https://w3c.github.io/webauthn/#authenticatorGetAssertion-return-values) just reads:

>15. Return to the user agent:
>- [...]
>- _selectedCredential_.[userHandle](https://w3c.github.io/webauthn/#public-key-credential-source-userhandle)
>>Note: the returned [userHandle](https://w3c.github.io/webauthn/#public-key-credential-source-userhandle) value may be null, see: [userHandleResult](https://w3c.github.io/webauthn/#assertioncreationdata-userhandleresult).

I didn't find any actual requirement to return a non-null `userHandle` when `allowCredentials` is empty, only that the authenticator is allowed to return null if it needs to.

As [noted when the user handle was introduced](https://github.com/w3c/webauthn/pull/558#issuecomment-330317134), the purpose of the user handle is to enable the RP to have control of how it structures its database. This purpose is undermined if some authenticators don't return a `userHandle` when `allowCredentials` is empty - the authenticator cannot know which RPs need the user handle and which don't.

Therefore I believe it was intended to be a requirement that `userHandle` is non-null when `allowCredentials` is empty, in which case we should make the requirement explicit. Right now this seems to be only an implicitly understood convention. 
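To make the RP-side dependency concrete, here is an added example (not code from the WebAuthn spec, from this issue, or from Yubico/java-webauthn-server) of the credential-lookup step an RP performs on an assertion response. The credential store and its user handles are constructed; the point it shows is that with an empty `allowCredentials` the RP has nothing but `userHandle` to tie the assertion to an account, so a null `userHandle` can only be rejected.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class StoredCredential:
    credential_id: bytes
    user_handle: bytes       # the RP's opaque user.id chosen at registration
    public_key: bytes        # opaque here; a real RP stores the COSE key

class UserHandleMissing(ValueError):
    """Authenticator omitted userHandle in a flow where the RP needs it."""

# Constructed RP credential store, keyed by user handle (example data only).
CREDENTIAL_STORE: Dict[bytes, List[StoredCredential]] = {
    b"\x01" * 16: [StoredCredential(b"cred-A", b"\x01" * 16, b"pk-A")],
    b"\x02" * 16: [StoredCredential(b"cred-B", b"\x02" * 16, b"pk-B")],
}

def lookup_credential(identified_user: Optional[bytes],
                      credential_id: bytes,
                      response_user_handle: Optional[bytes]) -> StoredCredential:
    """Resolve the stored credential an assertion must be verified against.

    identified_user: user handle the RP resolved *before* the ceremony (e.g.
        from a typed username), which is what let it fill allowCredentials;
        None when allowCredentials was empty (username-less flow).
    credential_id: rawId from the assertion response.
    response_user_handle: response.userHandle, None if the authenticator
        omitted it.
    """
    if identified_user is not None:
        # allowCredentials was non-empty: the RP already knows the account, so
        # userHandle is optional, but if present it must name the same user.
        if response_user_handle not in (None, identified_user):
            raise ValueError("userHandle does not match the identified user")
        owner = identified_user
    else:
        # allowCredentials was empty: userHandle is the RP's only link to the
        # account. A null here is exactly the failure the issue describes.
        if response_user_handle is None:
            raise UserHandleMissing(
                "empty allowCredentials but authenticator returned null userHandle")
        owner = response_user_handle
    for cred in CREDENTIAL_STORE.get(owner, []):
        if cred.credential_id == credential_id:
            return cred
    raise KeyError("credential not registered for this user")
```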

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1892 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 17 May 2023 10:37:27 UTC