Closed
Bug 1479500
Opened 6 years ago
Closed 6 years ago
`navigator.credentials.get` not working with U2F appid extension
Categories
(Core :: DOM: Web Authentication, defect, P1)
RESOLVED DUPLICATE of bug 1448408
People
(Reporter: nightofthescorpion, Assigned: jcj)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Steps to reproduce:
At https://u2f.bin.coffee:
1) Create and sign a credential
2) Run the following code, with `encodedKeyHandle` replaced with whatever key handle was just registered.
```
// 32-byte challenge (fixed value, for reproduction only)
challenge = Array.from(Array(32)).map(() => "a").join("")
challenge = Uint8Array.from(challenge, c => c.charCodeAt(0));
// Key handle from the U2F registration, base64url-encoded
encodedKeyHandle = "ylLx6zmk_I_5EGgjaBu0ZW2K8QYZOueiwQ7V8GDlox59dFmuWGB7PdUqVeFMQQEMZPZRB3Hiizx_9BHaOwtGHw";
// Convert base64url to standard base64, then decode to bytes
replaced = encodedKeyHandle.replace(/\_/g, "/").replace(/\-/g, "+");
id = Uint8Array.from(atob(replaced), c => c.charCodeAt(0));
navigator.credentials.get({
  publicKey: {
    challenge,
    allowCredentials: [
      {
        type: 'public-key',
        id,
      }
    ],
    // U2F compatibility extension: the AppID the key handle was registered under
    extensions: {
      appid: 'https://u2f.bin.coffee'
    },
  },
}).then(console.log).catch(console.log)
```
Actual results:
Received the following error: `DOMException: "The request is not allowed by the user agent or the platform in the current context, possibly because the user denied permission."`
Expected results:
In Chrome, the Yubikey is winked and I can successfully receive an assertion object.
Component: Untriaged → DOM: Device Interfaces
Product: Firefox → Core
Updated•6 years ago
Priority: -- → P3
Comment 1 (Assignee)•6 years ago
I agree I'm getting that error with your code. I've updated https://webauthn.bin.coffee/ to support registering via U2F and using the compatibility extension if you set an AppID in the "Advanced" box at the bottom, and things seem to work there.
I need to do some deeper debugging to figure out why we're getting a security error with your code, and what's different between us and Chromium.
Assignee: nobody → jjones
Severity: normal → major
Status: UNCONFIRMED → ASSIGNED
Component: DOM: Device Interfaces → DOM: Web Authentication
Ever confirmed: true
Priority: P3 → P1
Comment 2 (Assignee)•6 years ago
The error is because launching WebAuthn from the console triggers a context visibility change, which cancels the operation. It's basically a duplicate of Bug 1448408. Since the final specification is more relaxed on visibility management, we should resolve that bug as part of L1-REC updates.
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
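Added example, not part of the bug report or of Firefox's code: once a `get()` call with the `appid` extension succeeds, the relying party has to decide which hash to expect in the first 32 bytes of the authenticator data. It is SHA-256 of the AppID only when the client's extension results report `appid: true`, and SHA-256 of the RP ID otherwise. The sketch below is server-side Node.js; the function names, the sample authenticator data and the RP ID `u2f.bin.coffee` are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

const sha256 = (s) => crypto.createHash("sha256").update(s, "utf8").digest();

// authData:   Buffer holding the assertion's authenticator data.
// extResults: object from credential.getClientExtensionResults().
// rpId/appId: the values this relying party put in the request.
function checkRpIdHash(authData, extResults, rpId, appId) {
  // rpIdHash (32) + flags (1) + signature counter (4) is the minimum layout.
  if (!Buffer.isBuffer(authData) || authData.length < 37) {
    return { ok: false, reason: "authenticator data shorter than 37 bytes" };
  }
  const rpIdHash = authData.subarray(0, 32);
  // Only a strict boolean true selects the AppID hash; anything else
  // (missing, false, a string) falls back to the RP ID.
  const usedAppId = extResults != null && extResults.appid === true;
  if (usedAppId && typeof appId !== "string") {
    return { ok: false, reason: "client reported appid but none was requested" };
  }
  const expected = sha256(usedAppId ? appId : rpId);
  if (!rpIdHash.equals(expected)) {
    const which = usedAppId ? "AppID" : "RP ID";
    return { ok: false, reason: "rpIdHash does not match the " + which };
  }
  return { ok: true, matched: usedAppId ? "appid" : "rpId" };
}

// Constructed sample input: rpIdHash || flags (0x01, user present) || counter 5.
function sampleAuthData(hashInput) {
  return Buffer.concat([sha256(hashInput), Buffer.from([0x01, 0, 0, 0, 5])]);
}
```
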