Closed Bug 1820016 Opened 2 years ago Closed 2 years ago

Cannot assert discoverable credential on login.live.com

Categories

(Core :: DOM: Web Authentication, defect, P2)

Product:
Core
Component:
DOM: Web Authentication
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jschanck, Assigned: jschanck)

References

Details

Attachments

(1 file)

bug1820016-firefox.mp4
666.37 KB, video/mp4
Details

As of Firefox 112, we can create WebAuthn discoverable credentials for passwordless logins on account.live.com on all platforms. (We've supported this on Windows for some time, this bug is for all other platforms.)

When I make a credential on Linux, the RPID is set to login.microsoft.com, so presumably there was a redirect before the MakeCredential request. When attempting to log in on login.live.com there is no redirect and the RPID in the GetAssertion request is login.live.com, which doesn't work.

On Chrome I'm redirected to login.microsoft.com for the GetAssertion request (for the credential created from Firefox), and I'm able to log in.

I'm not sure whether this is a server-side bug, or if we're missing some WebAuthn feature that is being used to trigger the redirect.

Blocks: webauthn
Blocks: webauthn-ctap2
No longer blocks: webauthn

Hey John - We have some logic in place to only offer FIDO2 on platforms/clients where there is known support. As Firefox on Linux and Mac did not previously have CTAP2 support, we are likely preventing users from entering the flow.

It is odd, however, that you're seeing an RP ID of login.live.com. Do you happen to have a screen capture that you can email me?

Attached video bug1820016-firefox.mp4

Hi Tim, thanks for looking into this. The video I posted is Firefox 112 on Linux.

My understanding is that login.live.com conditionally shows the "Use a security key" option depending on the value of our non-standard PublicKeyCredential::IsExternalCTAP2SecurityKeySupported method. Prior to 112 we only returned true from there on Windows, so maybe the site is assuming that IsExternalCTAP2SecurityKeySupported implies that Windows Hello will be used.

FWIW we would like to remove the IsExternalCTAP2SecurityKeySupported method in the near future.

Hmm. Something is very wrong. Clicking any of the "sign in with a security key" buttons should actually redirect to "login.microsoft.com", which is the FIDO origin. I'm checking internally and will update here.

John - which service are you starting with (that is redirecting to login.live.com)? Is it Outlook.com or Xbox.com or something else?

Flags: needinfo?(jschanck)

I started at login.live.com. But Outlook.com and Xbox.com both redirect me to login.live.com as well.

Flags: needinfo?(jschanck)

It's working now. Many thanks to the team at Microsoft for fixing this!

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: