Webauthn : iOS 17.x io.vertx.ext.auth.webauthn.impl.attestation.AttestationException: AAGUID is not 00000000-0000-0000-0000-000000000000!

Question

Webauthn : iOS 17.x io.vertx.ext.auth.webauthn.impl.attestation.AttestationException: AAGUID is not 00000000-0000-0000-0000-000000000000!

tcompiegne opened this issue 8 months ago · 3 comments

Questions

Hey team and @pmlopes we noticed some peculiar WebAuthn behaviour when registering a credential with your library.

I've seen that on devices with iOS 17.2+, they fail webauthn credential registration (/webauthn/register) with the error:

io.vertx.ext.auth.webauthn.impl.attestation.AttestationException: AAGUID is not 00000000-0000-0000-0000-000000000000!.

In the payload of the attestation sent by the iOS device the value of fmt in attestationObject is none.

However, the authData in the attesationObject created by and device with iOS 17.x+ seems to have an AAGUID that is NOT 00000000-0000-0000-0000-000000000000.

This means that validation always fails and a credential cannot be registered.

Is someone else noticed this behavior ?

Answer 1 · 2024-01-21T09:42:57.000Z

This is a deviation from the spec and the expectation at validation. Perhaps we can relax the exception to a warning log with the requirement that fmt is set to none.Also according to the spec we can act like it would be expected by the client and replace the given AAGUID with zeros.I still need to check if this would not break the TCK…On 19 Jan 2024, at 18:43, Titouan COMPIEGNE ***@***.***> wrote: Questions Hey team and @pmlopes we noticed some peculiar WebAuthn behaviour when registering a credential with your library. I've seen that on devices with iOS 17.2+, they fail webauthn credential registration (/webauthn/register) with the error: io.vertx.ext.auth.webauthn.impl.attestation.AttestationException: AAGUID is not 00000000-0000-0000-0000-000000000000!. In the payload of the attestation sent by the iOS device the value of fmt in attestationObject is none. However, the authData in the attesationObject created by and device with iOS 17.x+ seems to have an AAGUID that is NOT 00000000-0000-0000-0000-000000000000. This means that validation always fails and a credential cannot be registered. Is someone else noticed this behavior ? —Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you were mentioned.Message ID: ***@***.***>

Answer 2 · 2024-01-24T14:15:29.000Z

Hey @pmlopes,

FYI, to unlock our users, we have created our own NoneAttestation to relax the exception and log it as a warning. We have also decided to force the given AAGUID with zeros for privacy reason in this use case.

Regards