1554397 - Firefox for Android failed to handle WebAuthn resident-key

Status: RESOLVED FIXED

(Core :: DOM: Web Authentication, defect, P2)

Description

[Yoshikazu Nojima]

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Steps to reproduce:

1. Navigate to https://login.without.pw/angular/signup with Firefox for Android Nightly

2. Fill form

3. Add authenticator with "+" button

4. Press "Yes" button to issue a resident-key

5. Press "Register" button, then you are redirected to "https://login.without.pw/angular/login".

6. Press "Fast Login" to try with resident-key. (allowCredentials will be empty with this button).

Actual results:

DOMException with the message "The request is not allowed by the user agent or the platform in the current context, possibly because the user denied permission." is raised.

Expected results:

navigator.credentials.get should return a credential.

I confirmed it works with Windows 10 19H1 + Firefox + Windows Hello, Windows 10 + Edge + Windows Hello, and Chrome Canary + Yubikey5(PIN).

Comment 1

[J.C. Jones [:jcj] (he/they)]

Thank you for the report - Confirmed, but I'm not yet sure if this is something I'll be able to fix in Firefox for Android 68. I haven't been able to dig into what state is being incorrectly reported to Google's API.

Comment 2

[J.C. Jones [:jcj] (he/they)]

ADB output:

05-29 12:23:06.618 12356 12356 I Fido    : [AuthenticateChimeraActivity] FIDO2 operation is called from org.mozilla.fennec_aurora
05-29 12:23:06.618 12356 12356 E Fido    : [AuthenticateChimeraActivity] Request doesn't have a valid list of allowed credentials.
05-29 12:23:06.633 12588 12588 D GeckoBrowserApp: onActivityResult: 4, -1, Intent { (has extras) }
05-29 12:23:06.633 12588 12588 W WebAuthnUtils: FIDO2_KEY_ERROR_EXTRA and right
05-29 12:23:06.633 12588 12588 E WebAuthnUtils: errorCode.name: NOT_ALLOWED_ERR
05-29 12:23:06.633 12588 12588 E WebAuthnUtils: errorMessage: Request doesn't have a valid list of allowed credentials.

Comment 3

[J.C. Jones [:jcj] (he/they)]

I won't have time to fix this in 68, I'm afraid. This will have to get fixed in one of the first releases of Firefox for Android built upon the Fenix architecture. (Initially, the Fenix previews).

Comment 4

[Makoto Kato [:m_kato] (fever, slow response)]

GMS supports requireResidentKey via AuthenticatorSelectionCriteria.Builder.setRequireResidentKey

Comment 5

[Makoto Kato [:m_kato] (fever, slow response)]

Are you still working on this?

Comment 6

[John Schanck [:jschanck]]

:m_kato, no one is working on this at the moment. We'd welcome a patch.

Once Bug 1813282 lands we can use the more specific AuthenticatorSelectionCriteria.Builder.setResidentKeyRequirement.

Comment 7

[Makoto Kato [:m_kato] (fever, slow response)]

(In reply to John Schanck [:jschanck] from comment #6)

:m_kato, no one is working on this at the moment. We'd welcome a patch.

Once Bug 1813282 lands we can use the more specific AuthenticatorSelectionCriteria.Builder.setResidentKeyRequirement.

Thanks.

Comment 8

[Makoto Kato [:m_kato] (fever, slow response)]

Attachment: Bug 1554397 - Implement residentKey support on GeckoView. r=jschanck!

GMS's FIDO2 19.0.x supports residentKey values. So let's implement it
for Android's native token manager.

But when implementing it, GMS's FIDO2 will synchronize key via Google's
account Passkey. So this is experimental by preferences.

Comment 9

[Pulsebot]

Pushed by m_kato@ga2.so-net.ne.jp:
https://hg.mozilla.org/integration/autoland/rev/c6d78d1ad8b2
Implement residentKey support on GeckoView. r=jschanck,geckoview-reviewers,owlish

Comment 10

[Norisz Fay [:noriszfay]]

https://hg.mozilla.org/mozilla-central/rev/c6d78d1ad8b2