You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Well, I'm not sure if this is a bug or not, but I've a question related to b6c97e2 which allows not having a username for login requests, which I think is only valid if requireResidentKey is true. This appears to be for PassKeys support. On registration, a username is still required, so it's probably still saved somewhere in the DB.
But if we authenticate using no username, this appears to rely on credID to find the credentials, and they Vert.x produces a User and I wonder how it saves this user into the session, if not by username? I don't see anywhere in the code where we extract the username back from the credentials to put it into the User, or the session. Or, perhaps, Vert.x doesn't store the username in the session, but the entire User object?
Also, does this mean that in order to support PassKeys, we must set that option?
Missing authenticator option
On my Linux laptop, using Google Chrome, when I hit a register endpoint, it asks me if I want to authenticate using my security key (yubikey) or my Android phone. When I use yubikey, the rest works. But when I use my Android Phone, I can register, but when I logout and try to login again, my browser only proposes the security key, and not the Android phone anymore.
I suspect that is info that is stored in the credentials, perhaps, that is missing from the login challenge that would otherwise enable the proper authentication method?
No username on login
Well, I'm not sure if this is a bug or not, but I've a question related to b6c97e2 which allows not having a username for login requests, which I think is only valid if
requireResidentKey
is true. This appears to be for PassKeys support. On registration, a username is still required, so it's probably still saved somewhere in the DB.But if we authenticate using no username, this appears to rely on
credID
to find the credentials, and they Vert.x produces aUser
and I wonder how it saves this user into the session, if not by username? I don't see anywhere in the code where we extract the username back from the credentials to put it into theUser
, or the session. Or, perhaps, Vert.x doesn't store the username in the session, but the entireUser
object?Also, does this mean that in order to support PassKeys, we must set that option?
Missing authenticator option
On my Linux laptop, using Google Chrome, when I hit a
register
endpoint, it asks me if I want to authenticate using my security key (yubikey) or my Android phone. When I use yubikey, the rest works. But when I use my Android Phone, I can register, but when I logout and try to login again, my browser only proposes the security key, and not the Android phone anymore.I suspect that is info that is stored in the credentials, perhaps, that is missing from the login challenge that would otherwise enable the proper authentication method?
Where should I start looking?
Upon login, 500 on missing user
If I try to get a login challenge with a username that has no credentials, Vert.x will return a 500 status (https://github.com/vert-x3/vertx-web/blob/master/vertx-web/src/main/java/io/vertx/ext/web/handler/impl/WebAuthnHandlerImpl.java#L253), is it by design, or should it be a 4xx status?
The text was updated successfully, but these errors were encountered: