This repository has been archived by the owner on May 10, 2024. It is now read-only.

Webauthn support for excludeCredentials #1285

Closed
eparkko-lab opened this issue Jul 19, 2019 · 7 comments · Fixed by #1311

Comments

@eparkko-lab

Description:

Brave on iOS does not seem to support Webauthn excludeCredentials. This will impact RelyingParties that wish to prevent a user from registering the same key multiple times.

Steps to Reproduce

  1. Using Brave on iOS go to https://webauthntest.azurewebsites.net/ and login
  2. Click button for Create Credential
  3. Change the default for RP Info to "This Domain"
  4. Select the box for "excludeCredentials"
  5. Make sure User Info "Bob" is selected.
  6. Click Create and tap the security key.
  7. The credential is created.
  8. Click button for Create Credential again.
  9. Assuming all the same values are still selected, click Create and tap the security key.

Actual result:
The credential is created 2 times for Bob.

Expected result:
The credential should not be created the second time. An error should be returned.

Something like this:
image

Reproduces how often: Easily reproduced

Brave Version:
1.1.0 (19.06.21.17)

Device details:
iPhone Xr (12.3.1)

Additional Information

@srirambv
Contributor

@Brandon-T @jumde I am seeing the credentials getting created and no error as per test description. Could you verify if this is expected?

@LaurenWags
Member

LaurenWags commented Aug 13, 2019

Verified passed with iPad 5th Gen using 1.11.1 (19.08.12.19)

  • Verified STR from description

Verification PASSED on iPhone 6s+ iOS 12.4 using 1.11.1 (19.08.12.19)


@kjozwiak
Member

kjozwiak commented Aug 13, 2019

@eparkko-lab mind going through this again to see if it's working on your end with either 1.11.1 (19.08.12.19) or 1.11.1 (19.08.12.20)?

@eparkko-lab
Author

@kjozwiak Could you invite [email protected] as an external tester in TestFlight to test these versions? I don't currently have access to those versions of Brave.

@jumde
Contributor

jumde commented Aug 13, 2019

@eparkko-lab - We are working on it, will have an update for you in a bit. Thank you for filing these issues, super helpful.

@eparkko-lab
Author

@jumde

Brave Version:
1.11.1 (19.08.13.17)

Device details:
iPhone Xr (12.3.1)

I noticed that if I set excludeCredentials and list a credentialId that is already created while creating another credential, a NotAllowedError is returned now.

In this same scenario, Chrome, Edge and FF all return an InvalidStateError. I didn't confirm with the spec which is the correct behavior.

Steps to reproduce:

Go to below site to submit webauthn request:
https://eparkko-lab.github.io/webauthn-playground/?requestType=create&webauthnRequest=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%3D%3D&submitRequest=true

In same browser then submit another request which uses excludeCredentials:
https://eparkko-lab.github.io/webauthn-playground/?requestType=create&webauthnRequest=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&submitRequest=true

Notice the NotAllowedError returned by Brave vs InvalidStateError that is returned by other browsers. This could potentially have an impact on RPs.

@jumde
Contributor

jumde commented Aug 20, 2019

The spec is not very clear about the error:

excludeCredentials, of type sequence<PublicKeyCredentialDescriptor>, defaulting to None
This member is intended for use by Relying Parties that wish to limit the creation of multiple credentials for the same account on a single authenticator. The client is requested to return an error if the new credential would be created on an authenticator that also contains one of the credentials enumerated in this parameter.

Will update the error: #1413
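The relying-party side of what this thread discusses, as an added example in JavaScript that is not from the issue or from Brave's code: building a create() request that lists existing credentials in excludeCredentials, interpreting the differing browser errors conservatively, and still rejecting duplicates server-side. The rpId, user, challenge values and helper names are assumptions.

```javascript
// Added example, not code from the issue or from Brave. Credential IDs are
// assumed to be stored base64url-encoded, the usual WebAuthn RP convention.

function base64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return new Uint8Array(Buffer.from(padded, "base64"));
}

// Build the PublicKeyCredentialCreationOptions passed to
// navigator.credentials.create(). Every credential the RP already holds for
// this user goes into excludeCredentials, so a conforming client refuses to
// mint a second credential on the same authenticator.
function buildCreationOptions({ rpId, userId, userName, challenge, existingCredentialIds }) {
  return {
    rp: { id: rpId, name: rpId },
    user: { id: base64urlToBytes(userId), name: userName, displayName: userName },
    challenge: base64urlToBytes(challenge),
    pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
    excludeCredentials: existingCredentialIds.map((id) => ({
      type: "public-key",
      id: base64urlToBytes(id),
    })),
    timeout: 60000,
  };
}

// Map the DOMException from a rejected create() call to an RP decision.
// Chrome, Edge and Firefox report an excluded authenticator as
// InvalidStateError. The Brave build in this issue reported NotAllowedError,
// which is also what a timeout or a user cancellation produces, so that case
// is ambiguous and must not be shown to the user as "already registered".
function classifyCreateError(err, excludeListWasNonEmpty) {
  if (err.name === "InvalidStateError" && excludeListWasNonEmpty) {
    return "already-registered";
  }
  if (err.name === "NotAllowedError") {
    return excludeListWasNonEmpty ? "ambiguous-possibly-registered" : "cancelled-or-timeout";
  }
  return "other-error";
}

// excludeCredentials is only a hint to the client; the server must still
// refuse to store a credential ID it already has for any user.
function acceptNewCredential(newIdB64url, existingCredentialIds) {
  return !existingCredentialIds.includes(newIdB64url);
}
```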
