Describe the bug
The transports saved with the credential during the registration request are not returned in the transports property of the same credential within the Verification Options response provided by /webauthn/authenticate/options.
Note that I'm using the RC version of Spring Security 6.4.0.
To Reproduce
Add a Security Configuration using the following implementation:
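```kotlin
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.core.userdetails.User
import org.springframework.security.core.userdetails.UserDetailsService
import org.springframework.security.provisioning.InMemoryUserDetailsManager
import org.springframework.security.web.SecurityFilterChain

@Configuration
class SecurityConfig {
    @Bean
    fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
        http
            // WebAuthn relying party settings
            .webAuthn { it
                .rpName("Example")
                .rpId("example.localhost")
                .allowedOrigins("https://example.localhost")
            }
            .authorizeRequests { it
                .anyRequest()
                .permitAll()
            }
            .csrf { it.disable() }
        return http.build()
    }

    // Single in-memory user for the reproduction
    val userDetails = User.withDefaultPasswordEncoder()
        .username("user")
        .password("password")
        .roles("USER")
        .build()

    @Bean
    fun userDetailsService(): UserDetailsService {
        return InMemoryUserDetailsManager(userDetails)
    }
}
```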
Register a credential like the example in the docs but with an internal transport. Chrome virtual authenticator can be used to do this fairly easily.
Thanks for the report @Jyosua the fix is now merged into main.
@krnbr Thanks for the pointer. The underlying issue was that the transports weren't being passed to webauthn4j which meant they were null. By passing it to webauthn4j, the transports are now returned. Note that this is preferred because we want to ensure that it aligns with what the webauthn4j library has verified vs what is being passed in as (untrusted) input.
To Reproduce
allowCredentials, but the transports array will be empty.
Expected behavior
The request would return the credential in the allowCredentials with the same transport as was registered.
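A regression check for the expected behavior described above, as an added example that is not part of the original issue or of Spring Security: it compares the transports recorded at registration with the allowCredentials entries of a parsed /webauthn/authenticate/options response. The entry shape (type, id, transports) follows the WebAuthn credential descriptor; the function name, credential ids and sample responses are constructed for illustration.

```javascript
// Added example, not project code.
// `registered`: credential id (base64url) -> transports sent at registration.
// `options`: parsed JSON body returned by /webauthn/authenticate/options.
function findTransportMismatches(registered, options) {
  const allowed = new Map(
    (options.allowCredentials ?? []).map((d) => [d.id, d.transports])
  );
  const problems = [];
  for (const [id, expected] of Object.entries(registered)) {
    if (!allowed.has(id)) {
      problems.push({ id, problem: "missing-from-allowCredentials" });
      continue;
    }
    const actual = allowed.get(id);
    if (!Array.isArray(actual) || actual.length === 0) {
      // The behaviour reported in this issue: descriptor present, transports lost.
      problems.push({ id, problem: "transports-empty", expected });
      continue;
    }
    // Transports are an unordered set of hints, so compare them as sets.
    const want = new Set(expected);
    const got = new Set(actual);
    const same = want.size === got.size && [...want].every((t) => got.has(t));
    if (!same) {
      problems.push({ id, problem: "transports-differ", expected, actual });
    }
  }
  return problems;
}

// Constructed sample data (placeholder ids, not real credentials).
const registered = { "Y3JlZC0x": ["internal"], "Y3JlZC0y": ["usb", "nfc"] };
const buggyOptions = {
  rpId: "example.localhost",
  allowCredentials: [
    { type: "public-key", id: "Y3JlZC0x", transports: [] },
    { type: "public-key", id: "Y3JlZC0y", transports: ["nfc", "usb"] },
  ],
};
const fixedOptions = {
  rpId: "example.localhost",
  allowCredentials: [
    { type: "public-key", id: "Y3JlZC0x", transports: ["internal"] },
    { type: "public-key", id: "Y3JlZC0y", transports: ["nfc", "usb"] },
  ],
};
console.log(findTransportMismatches(registered, buggyOptions));
```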