Credential manager is not always requested during registration, depending on the residentKey attribute
Categories
(Core :: DOM: Web Authentication, defect)
People
(Reporter: git+bugzilla, Assigned: git+bugzilla, NeedInfo)
Attachments
(4 files, 1 obsolete file)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:138.0) Gecko/20100101 Firefox/138.0
Steps to reproduce:
- Open https://webauthn.io
- Under Advanced Settings, change "Discoverable Credential" to "Discouraged" or "Preferred"
- Click "Register"
Actual results:
The credential manager isn't opened.
Expected results:
The credential manager should have opened to register a key.
https://w3c.github.io/webauthn/#dom-residentkeyrequirement-discouraged:
The Relying Party prefers creating a server-side credential, but will accept a client-side discoverable credential.
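
How a relying party expresses the three residentKey values from the report and checks what the client actually created, as an added example that is not part of the original report or of Firefox's code. The RP name, RP id, user fields and byte arrays are constructed sample values, and the function names are hypothetical.

```javascript
// Added example: all sample values below are constructed for illustration.
const RESIDENT_KEY_VALUES = ["discouraged", "preferred", "required"];

// Build the options a relying party passes to navigator.credentials.create().
// challenge and userId are byte arrays that would come from the server.
function buildCreationOptions({ challenge, userId, residentKey = "discouraged" }) {
  if (!RESIDENT_KEY_VALUES.includes(residentKey)) {
    throw new RangeError(`unknown residentKey value: ${residentKey}`);
  }
  return {
    publicKey: {
      rp: { name: "Example RP", id: "example.test" },
      user: { id: userId, name: "alice", displayName: "Alice" },
      challenge,
      pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
      authenticatorSelection: {
        residentKey,
        // Legacy member for older clients: true only when "required".
        requireResidentKey: residentKey === "required",
      },
      // Ask the client to report whether the new credential is discoverable.
      extensions: { credProps: true },
    },
  };
}

// Evaluate a registration result against the residentKey value that was sent.
// extResults is what credential.getClientExtensionResults() returned.
function evaluateRegistration(residentKey, extResults) {
  const rk = extResults && extResults.credProps ? extResults.credProps.rk : undefined;
  if (residentKey === "required" && rk === false) {
    return { accept: false, discoverable: false, reason: "required but not discoverable" };
  }
  // "discouraged" and "preferred" are preferences, so either kind of
  // credential is accepted, including a discoverable one under "discouraged".
  const reason = rk === undefined ? "client did not report credProps" : "ok";
  return { accept: true, discoverable: rk, reason };
}
```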
Comment 2•1 month ago
Hello,
This issue should have been fixed by https://bugzilla.mozilla.org/show_bug.cgi?id=1907531. Could you please check in beta or nightly?
Bug 1907531 is only a part of the problem. Previously, the credential manager was only requested when residentKey=required; with Rev 19d5b3f77f42, it is also requested when residentKey=preferred. But there are still 2 issues:
- I must be able to use the credential manager even if residentKey=discouraged, because:
  - As stated per the specifications, "[when it is discouraged] The Relying Party prefers creating a server-side credential, but will accept a client-side discoverable credential."
  - The credential manager is supposed to completely replace GMS, even for this case. GMS can be used as a fallback.
- GMS can't be used as a fallback when residentKey!=discouraged
For concrete examples of the 2 issues:
- I can use the credential manager to log in on Nextcloud, or for the 2FA for GitLab, Mastodon, and many more. But I can't register on Firefox Android, I need to register on a computer because the credential manager isn't used by Firefox Android when residentKey=discouraged.
- I have a YubiKey and I use ProtonPass as my Credential Manager, I have GMS on my phone. I need to register my YubiKey on GitHub => I can't do it on Firefox Android because it needs to use GMS, which isn't used as a fallback when residentKey=required if I have a credential manager.
So, the Credential manager is supposed to completely replace GMS. So the best way to do it is to try with the credential manager, then with GMS. This is what D247877 does, and the issues are fixed.
Following message in D247877:
I don't have any option during registration if I use a credential manager. I can only select another credential manager if it has been enabled in the settings. I'm using Android 15 (GrapheneOS). The option may have been removed with a recent version of Android? I can split the patch in two if it helps.
Could you please add a video to the Bugzilla report showing the issue?
Comment 5•1 month ago
Comment 7•1 month ago
Hm. That's strange. I can choose to save the credential on my key directly. Maybe there is something specific about GrapheneOS there?
What OS do you use + version? If it is specific to GrapheneOS, then I'll restore the previous check (UNSUPORTED only); if it is Android 15+, I will add a check on Build.VERSION.SDK_INT too.
It looks like this is an issue on GrapheneOS side (https://github.com/GrapheneOS/os-issue-tracker/issues/3347), I'll restore the previous check then :+1:
Comment 10•28 days ago
The severity field is not set for this bug.
:jschanck, could you have a look please?
For more information, please visit BugBot documentation.