Closed Bug 1878397 Opened 5 months ago Closed 3 months ago

[WebAuthn] macOS Firefox 122 does not return transports after security key registration

Categories

(Core :: DOM: Web Authentication, defect, P3)

Product:
Core
Component:
DOM: Web Authentication
Version:
Firefox 122
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
126 Branch
Tracking Flags:
Tracking Status
firefox126 --- fixed

People

(Reporter: matthew, Assigned: jschanck)

Details

Attachments

(2 files)

Screenshot from Firefox browser console showing empty transports array from getTransports()
100.31 KB, image/png
Details
Bug 1878397 - add "usb" to getTransports() response for macOS security key registration. r=dveditz
48 bytes, text/x-phabricator-request
Details | Review

Steps to reproduce:

Complete the following steps on macOS 14.3 with a USB security key (I used a YubiKey 5 Nano) to reproduce:

  1. Open Firefox's Web Developer Tools
  2. Go to https://webauthn.io/?regUserVerification=discouraged&attestation=none&attachment=cross_platform&algES256=true&algRS256=true&discoverableCredential=discouraged&regHints=&authUserVerification=preferred
  3. Enter a username
  4. Click "Register" to call navigator.credentials.create()
  5. Select "Security key" from the macOS system prompt
  6. Tap security key (and enter PIN and re-tap if needed)
  7. Observe that response.transports is an empty array (e.g. [])

Actual results:

Confirm in the Console that Firefox did not return any transports in the WebAuthn response:

{
  "id": "za-ggpzPAZe6iXUd7A2wzw",
  "rawId": "za-ggpzPAZe6iXUd7A2wzw",
  "response": {
    "attestationObject": "o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YViUdKbqkhPJnC90siSSsyDPQCYqlMGpUKA5fyklC2CEHvBFAAAAAwAAAAAAAAAAAAAAAAAAAAAAEM2voIKczwGXuol1HewNsM-lAQIDJiABIVggLiR3UBjzCpQM3HvHkdTOuCxxLATCOO_hKd7iEtC3fYIiWCAZT1BF-l1AiuupvGBDcMlIWe9nYJf0uwMAeJZUAV8F3w",
    "clientDataJSON": "eyJjaGFsbGVuZ2UiOiIxSWl6ZVAyZW5jalR2eHpaY2pYOEhXeDVxSGs1V2VnckdrMzd6SzZIa05iVEttY2h2U055N2dvNFh5UjVaQ3duS25OeERJN2sycDNqUGtGN3dxWnd6USIsIm9yaWdpbiI6Imh0dHBzOi8vd2ViYXV0aG4uaW8iLCJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIn0",
    "transports": [],
    "publicKeyAlgorithm": -7,
    "publicKey": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELiR3UBjzCpQM3HvHkdTOuCxxLATCOO_hKd7iEtC3fYIZT1BF-l1AiuupvGBDcMlIWe9nYJf0uwMAeJZUAV8F3w",
    "authenticatorData": "dKbqkhPJnC90siSSsyDPQCYqlMGpUKA5fyklC2CEHvBFAAAAAwAAAAAAAAAAAAAAAAAAAAAAEM2voIKczwGXuol1HewNsM-lAQIDJiABIVggLiR3UBjzCpQM3HvHkdTOuCxxLATCOO_hKd7iEtC3fYIiWCAZT1BF-l1AiuupvGBDcMlIWe9nYJf0uwMAeJZUAV8F3w"
  },
  "type": "public-key",
  "clientExtensionResults": {}
}

Expected results:

Firefox should return whatever list of transports it can get from the security key. At the very least "usb" should be in the list of transports.

It's worth noting that, in this same scenario, macOS Chrome 121 doesn't have any problems returning transports; this doesn't seem to be a problem of the OS not returning transports to the browser.

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Web Authentication' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → DOM: Web Authentication
Product: Firefox → Core

I want to note that, as a baseline, Safari 17.3 returns ["usb"] here.

Status: UNCONFIRMED → NEW
Ever confirmed: true

bug 1859367 notes a problem with a value for Apple's internal transport, but it looks like we handle USB. Maybe the constants are matching up.

https://searchfox.org/mozilla-central/rev/34ba7989ae53b9112d543ce39d350b79dc2a16b4/dom/webauthn/MacOSWebAuthnService.mm#78-83

Flags: needinfo?(dkeeler)
See Also: → 1859367

:dveditz that bug (and the code) are about the transports field of a PublicKeyCredentialDescriptor in the request, and this report is about the value returned by AuthenticatorAttestationResponse::getTransports().

We can infer that the transports field in the response should be ["internal"] when we use the platform authenticator (and we do that here). However, as far as I can tell, the response that we get from macOS doesn't provide the transport that was used, and we cannot infer ["usb"] from the fact that we used a cross-platform authenticator.

Severity: -- → S3
Priority: -- → P3
See Also: 1859367
Flags: needinfo?(dkeeler)
Assignee: nobody → jschanck
Status: NEW → ASSIGNED
Pushed by jschanck@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/227203461d3f
add "usb" to getTransports() response for macOS security key registration. r=dveditz

@jschanck looking at https://phabricator.services.mozilla.com/D205142 and its associated diff, that won't return "usb" as a transport if the user completes hybrid registration via the platform, will it? I looked at https://hg.mozilla.org/integration/autoland/file/227203461d3f9100a49f79f9ad92e4dcebfdeb78/dom/webauthn/MacOSWebAuthnService.mm#l301 to try and understand if the appending of transports would account for potential ["internal", "hybrid"] coming back from the platform's "iPhone, iPad, or Android Device" option and thought maybe it wouldn't. There could be a separate section of the codebase that handles that, though. I figured I'd ask all the same.

No, the patch won't have us add "usb" in the hybrid case.

In the hybrid case we get an instance of ASAuthorizationPlatformPublicKeyCredentialRegistration, and we set transports = ["internal"] here. On macOS < 13.5 we don't get any signal to distinguish between internal and hybrid. On more recent versions of macOS, I suppose we could add "hybrid" to the transports list here.

https://hg.mozilla.org/mozilla-central/rev/227203461d3f

Status: ASSIGNED → RESOLVED
Closed: 3 months ago
status-firefox126: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 126 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: