[WebAuthn] macOS Firefox 122 does not return transports after security key registration
Categories (Core :: DOM: Web Authentication, defect, P3)
 | Tracking | Status
---|---|---
firefox126 | --- | fixed
People (Reporter: matthew, Assigned: jschanck)
Steps to reproduce:
Complete the following steps on macOS 14.3 with a USB security key (I used a YubiKey 5 Nano) to reproduce:
- Open Firefox's Web Developer Tools
- Go to https://webauthn.io/?regUserVerification=discouraged&attestation=none&attachment=cross_platform&algES256=true&algRS256=true&discoverableCredential=discouraged&regHints=&authUserVerification=preferred
- Enter a username
- Click "Register" to call navigator.credentials.create()
- Select "Security key" from the macOS system prompt
- Tap security key (and enter PIN and re-tap if needed)
- Observe that response.transports is an empty array (e.g. [])
Actual results:
Confirm in the Console that Firefox did not return any transports in the WebAuthn response:
{
"id": "za-ggpzPAZe6iXUd7A2wzw",
"rawId": "za-ggpzPAZe6iXUd7A2wzw",
"response": {
"attestationObject": "o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YViUdKbqkhPJnC90siSSsyDPQCYqlMGpUKA5fyklC2CEHvBFAAAAAwAAAAAAAAAAAAAAAAAAAAAAEM2voIKczwGXuol1HewNsM-lAQIDJiABIVggLiR3UBjzCpQM3HvHkdTOuCxxLATCOO_hKd7iEtC3fYIiWCAZT1BF-l1AiuupvGBDcMlIWe9nYJf0uwMAeJZUAV8F3w",
"clientDataJSON": "eyJjaGFsbGVuZ2UiOiIxSWl6ZVAyZW5jalR2eHpaY2pYOEhXeDVxSGs1V2VnckdrMzd6SzZIa05iVEttY2h2U055N2dvNFh5UjVaQ3duS25OeERJN2sycDNqUGtGN3dxWnd6USIsIm9yaWdpbiI6Imh0dHBzOi8vd2ViYXV0aG4uaW8iLCJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIn0",
"transports": [],
"publicKeyAlgorithm": -7,
"publicKey": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELiR3UBjzCpQM3HvHkdTOuCxxLATCOO_hKd7iEtC3fYIZT1BF-l1AiuupvGBDcMlIWe9nYJf0uwMAeJZUAV8F3w",
"authenticatorData": "dKbqkhPJnC90siSSsyDPQCYqlMGpUKA5fyklC2CEHvBFAAAAAwAAAAAAAAAAAAAAAAAAAAAAEM2voIKczwGXuol1HewNsM-lAQIDJiABIVggLiR3UBjzCpQM3HvHkdTOuCxxLATCOO_hKd7iEtC3fYIiWCAZT1BF-l1AiuupvGBDcMlIWe9nYJf0uwMAeJZUAV8F3w"
},
"type": "public-key",
"clientExtensionResults": {}
}
Expected results:
Firefox should return whatever list of transports it can get from the security key. At the very least "usb" should be in the list of transports.
It's worth noting that, in this same scenario, macOS Chrome 121 doesn't have any problems returning transports; this doesn't seem to be a problem of the OS not returning transports to the browser.
Comment 1•5 months ago
The Bugbug bot thinks this bug should belong to the 'Core::DOM: Web Authentication' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Comment 2•5 months ago (Reporter)
I want to note that, as a baseline, Safari 17.3 returns ["usb"] here.
Comment 3•5 months ago
bug 1859367 notes a problem with a value for Apple's internal transport, but it looks like we handle USB. Maybe the constants are matching up.
Comment 4•5 months ago (Assignee)
:dveditz that bug (and the code) are about the transports field of a PublicKeyCredentialDescriptor in the request, and this report is about the value returned by AuthenticatorAttestationResponse::getTransports().
We can infer that the transports field in the response should be ["internal"] when we use the platform authenticator (and we do that here). However, as far as I can tell, the response that we get from macOS doesn't provide the transport that was used, and we cannot infer ["usb"] from the fact that we used a cross-platform authenticator.
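The two transports values distinguished in Comment 4 are connected on the relying-party side, shown here as an added example that is not part of the bug thread or of Firefox's code: a relying party typically stores what getTransports() returned at registration and copies it into the transports member of the PublicKeyCredentialDescriptor it sends at authentication, so an empty list leaves later requests without a transport hint. The helper names and the stored-record shape are assumptions.

```javascript
// Added example; helper names and the stored-record shape are assumptions.

// Normalize the value of response.transports (getTransports()) for storage.
// Unknown strings are kept rather than filtered; non-strings are dropped.
function normalizeTransports(value) {
  if (!Array.isArray(value)) return [];
  const seen = new Set();
  for (const t of value) {
    if (typeof t === "string" && t.length > 0) seen.add(t);
  }
  return [...seen].sort();
}

// Build the record the relying party stores at registration time.
function credentialRecordFromRegistration(registration) {
  return {
    id: registration.id, // base64url string, as in the JSON form of the response
    transports: normalizeTransports(registration.response?.transports),
  };
}

// Build one allowCredentials entry (JSON form) for a later authentication.
// With no stored transports the member is omitted, so the client receives
// no transport hint for this credential.
function toDescriptor(record) {
  const descriptor = { type: "public-key", id: record.id };
  if (record.transports.length > 0) descriptor.transports = record.transports;
  return descriptor;
}

// Constructed samples: the id is the one in the report above; the second
// response carries the transports value Safari 17.3 is reported to return.
const firefox122 = { id: "za-ggpzPAZe6iXUd7A2wzw", response: { transports: [] } };
const safari173 = { id: "za-ggpzPAZe6iXUd7A2wzw", response: { transports: ["usb"] } };

function demo() {
  return [firefox122, safari173].map((r) =>
    toDescriptor(credentialRecordFromRegistration(r))
  );
}

console.log(JSON.stringify(demo(), null, 2));
```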
Comment 5•3 months ago (Assignee)
Pushed by jschanck@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/227203461d3f add "usb" to getTransports() response for macOS security key registration. r=dveditz
Comment 7•3 months ago (Reporter)
@jschanck looking at https://phabricator.services.mozilla.com/D205142 and its associated diff, that won't return "usb" as a transport if the user completes hybrid registration via the platform, will it? I looked at https://hg.mozilla.org/integration/autoland/file/227203461d3f9100a49f79f9ad92e4dcebfdeb78/dom/webauthn/MacOSWebAuthnService.mm#l301 to try and understand if the appending of transports would account for potential ["internal", "hybrid"] coming back from the platform's "iPhone, iPad, or Android Device" option and thought maybe it wouldn't. There could be a separate section of the codebase that handles that, though. I figured I'd ask all the same.
Comment 8•3 months ago (Assignee)
No, the patch won't have us add "usb" in the hybrid case.
In the hybrid case we get an instance of ASAuthorizationPlatformPublicKeyCredentialRegistration, and we set transports = ["internal"] here. On macOS < 13.5 we don't get any signal to distinguish between internal and hybrid. On more recent versions of macOS, I suppose we could add "hybrid" to the transports list here.
Comment 9•3 months ago
bugherder