fix: resolve discoverable credentials login issue #159
Closed
forkline-bot[bot] wants to merge 1 commit into master from
The root cause was in the AuthenticatorOptions configuration:

1. uv: Some(true) caused is_protected_by_uv() to return true
2. always_uv: Some(true) required UV for all operations
3. soft-fido2-ctap's MakeCredential lacks auto-UV logic that GetAssertion has
4. When browser didn't request UV, operations returned OperationDenied

The fix:

- uv: None - Don't claim built-in UV capability (passless uses notifications, not biometrics)
- client_pin: Some(false) - PIN supported but not set
- always_uv: None - Don't require UV for operations

This allows discoverable credential flows to work via the request_up callback for user presence, without triggering UV requirement checks in soft-fido2.

Resolves: #157
Summary
- uv: Some(true) to uv: None to not claim built-in UV capability
- always_uv: Some(true) to always_uv: None to not require UV for operations
- client_pin: None to client_pin: Some(false) to indicate PIN supported but not set

Root Cause Analysis
The issue was in how soft-fido2-ctap handles MakeCredential vs GetAssertion:
- uv: Some(true) caused is_protected_by_uv() to return true
- always_uv: Some(true) required UV for all operations
- options.uv = true when has_built_in_uv_enabled() is true
- OperationDenied

This inconsistency in soft-fido2-ctap caused discoverable credential login to fail.
The Fix
By setting:
- uv: None - Don't claim built-in UV (passless uses notifications, not biometrics)
- client_pin: Some(false) - PIN supported but not set
- always_uv: None - Don't require UV for operations

This allows the request_up callback to handle user presence via desktop notifications without triggering UV requirement checks in soft-fido2.

Resolves: #157
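The MakeCredential/GetAssertion asymmetry described above, as an added example that is not part of this PR or of soft-fido2-ctap: a simplified Rust model of the UV check, run against the old and new option sets. `Command`, `Outcome`, `uv_gate` and `advertised` are hypothetical names, and reducing both helpers to `uv == Some(true)` is an assumption.

```rust
// Simplified model of the UV gate described above; hypothetical, not soft-fido2-ctap code.
#[derive(Clone, Copy)]
struct AuthenticatorOptions {
    uv: Option<bool>,
    client_pin: Option<bool>,
    always_uv: Option<bool>,
}

#[derive(Clone, Copy, Debug)]
enum Command { MakeCredential, GetAssertion }

#[derive(Debug, PartialEq)]
enum Outcome { Proceed, OperationDenied } // Proceed = continue to the request_up step

impl AuthenticatorOptions {
    // Assumption: both helpers reduce to `uv == Some(true)`.
    fn has_built_in_uv_enabled(&self) -> bool { self.uv == Some(true) }
    fn is_protected_by_uv(&self) -> bool { self.uv == Some(true) }
    // Option keys a client would see in getInfo; a `None` field is not advertised.
    fn advertised(&self) -> Vec<(&'static str, bool)> {
        vec![("uv", self.uv), ("clientPin", self.client_pin), ("alwaysUv", self.always_uv)]
            .into_iter()
            .filter_map(|(k, v)| v.map(|b| (k, b)))
            .collect()
    }
}

// `requested_uv` is the uv option the browser sent with the command.
fn uv_gate(cmd: Command, opts: &AuthenticatorOptions, requested_uv: bool) -> Outcome {
    let mut uv = requested_uv;
    // Only GetAssertion upgrades the request when built-in UV is claimed.
    if matches!(cmd, Command::GetAssertion) && opts.has_built_in_uv_enabled() {
        uv = true;
    }
    let required = opts.is_protected_by_uv() || opts.always_uv == Some(true);
    if required && !uv { Outcome::OperationDenied } else { Outcome::Proceed }
}

const BEFORE: AuthenticatorOptions =
    AuthenticatorOptions { uv: Some(true), client_pin: None, always_uv: Some(true) };
const AFTER: AuthenticatorOptions =
    AuthenticatorOptions { uv: None, client_pin: Some(false), always_uv: None };

fn main() {
    for (name, o) in [("before", BEFORE), ("after", AFTER)] {
        println!("{}: getInfo options {:?}", name, o.advertised());
        for cmd in [Command::MakeCredential, Command::GetAssertion] {
            println!("  {:?} without uv -> {:?}", cmd, uv_gate(cmd, &o, false));
        }
    }
}
```

With the new options the authenticator no longer advertises `uv` at all, so a relying party that sets user verification to required should expect this authenticator to be unable to satisfy it.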