Closed Bug 1620089 Opened 6 years ago Closed 2 years ago

WebAuthn: Firefox erroneously returns "InvalidStateError" when trying to create a credential with a cose algorithm other than ES256 (-7)

Categories

(Core :: DOM: Web Authentication, defect, P3)

RESOLVED FIXED
Tracking Status
firefox75 --- affected

People

(Reporter: nsatragno, Unassigned)

Details

How to repro:

  • Attempt to create a credential with a COSE algorithm other than -7, e.g.
  const credential = navigator.credentials.create({
    publicKey: {
      challenge: Uint8Array.from([1]),
      rp: {
        name: "RP",
      },
      user: {
        id: Uint8Array.from([1]),
        name: "nina",
        displayName: "Nina",
      },
      pubKeyCredParams: [{alg: -8, type: "public-key"}],
    }
  });

What happens:
Promise immediately fails with NotSupportedError

What I expected:
Ideally: after the user taps an authenticator, if the algorithm is not supported, Firefox should show an error to the user and then fail with NotAllowedError.

Failing with NotAllowedError immediately might be okay as well.

I believe either is in line with the spec: when an authenticator does not support a given algorithm, it returns an error equivalent to NotSupportedError. Authenticators returning status not equivalent to InvalidStateError are removed from issuedRequests, which eventually manifests on a timeout (NotAllowedError).

This came up while cleaning up WPTs (see https://github.com/web-platform-tests/wpt/pull/22088)
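
The flow described in the report above, as an added example that is not part of the original report and is not Firefox or spec code: a simplified, synchronous model in which an authenticator that rejects the requested algorithm is dropped from issuedRequests and the call ends in NotAllowedError. The function names, authenticator objects and the `alreadyRegistered` flag are hypothetical; only the DOMException names and the COSE ids -7 and -8 are real.

```javascript
// Added illustration: simplified model of the flow described in the report.
// Function and field names are hypothetical; only the DOMException names and
// the COSE algorithm ids (-7 ES256, -8 EdDSA) are real.

// Authenticator side: answer a makeCredential request.
function authenticatorMakeCredential(authenticator, pubKeyCredParams) {
  const match = pubKeyCredParams.find(
    (p) => p.type === "public-key" && authenticator.algs.includes(p.alg));
  if (!match) return { error: "NotSupportedError" };
  // Stand-in for the condition that yields an InvalidStateError-equivalent status.
  if (authenticator.alreadyRegistered) return { error: "InvalidStateError" };
  return { alg: match.alg };
}

// Client side: outcome of create() once every authenticator has answered.
function resolveCreate(authenticators, pubKeyCredParams) {
  const issuedRequests = new Set(authenticators);
  for (const authenticator of authenticators) {
    const result = authenticatorMakeCredential(authenticator, pubKeyCredParams);
    if (!result.error) {
      return { ok: true, authenticator: authenticator.name, alg: result.alg };
    }
    if (result.error === "InvalidStateError") {
      return { ok: false, name: "InvalidStateError" };
    }
    // Any other error: drop this authenticator and keep waiting for the rest.
    issuedRequests.delete(authenticator);
  }
  // issuedRequests is empty, so nothing can answer before the timeout.
  return { ok: false, name: "NotAllowedError" };
}

// Constructed sample authenticators and parameter lists.
const es256Key = { name: "es256-only", algs: [-7], alreadyRegistered: false };
const registeredKey = { name: "registered", algs: [-7, -8], alreadyRegistered: true };
const eddsaOnly = [{ alg: -8, type: "public-key" }];
const eddsaThenEs256 = [
  { alg: -8, type: "public-key" },
  { alg: -7, type: "public-key" },
];

console.log(resolveCreate([es256Key], eddsaOnly));
console.log(resolveCreate([es256Key], eddsaThenEs256));
console.log(resolveCreate([es256Key, registeredKey], eddsaOnly));
```

The second call shows the relying-party side of the same issue: listing -7 after -8 in pubKeyCredParams lets an ES256-only authenticator complete registration.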

Thanks, Nina! Will tackle this as I restart on WebAuthn.

Assignee: nobody → jjones
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Priority: -- → P3

The bug assignee is inactive on Bugzilla, so the assignee is being reset.

Assignee: jc → nobody
Status: ASSIGNED → NEW
Severity: normal → S3
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED