QTBUG-90941

Support FIDO2 resident credentials


Details

    • Type: Suggestion
    • Resolution: Fixed
    • Priority: P3: Somewhat important
    • Fix Version: 6.7.0 FF
    • Component: WebEngine
    • Commits: 605b0b3dc (dev), 205ce7daa (dev)

    Description

      When calling navigator.credentials.get(), a website can pass the optional `allowCredentials` parameter (this works today with QtWebEngine), but since it is optional the website can also choose not to pass it.

      In the latter case the website does not say which credentials the user should use; instead it asks the browser to use resident credentials, i.e. credentials stored on the security token itself.

      QtWebEngine does not support this and shows the following error:

      Resident credentials or empty 'allowCredentials' lists are not supported at this time.

      This can be reproduced on https://webauthn.io with a small quirk:

      1 - Registration

      Enter any username, click on "Advanced settings" and set "Register with Resident Key" to "Required". Now click "Register", enter the PIN and it should succeed.

      At the time of creating this issue this step does not work in QtWebEngine because of QTBUG-90938 (the PIN popup cannot be shown), so just perform the registration in Chromium before continuing with the repro steps; this does not prevent you from reproducing the actual issue.

      2 - Login

      Enter the same username you used during registration.

      Now we need to make a small adjustment to webauthn.io, because it does not expose such an option via its configuration:

      Open Dev Tools, find in the sources of webauthn.io the one place where `navigator.credentials.get()` is used, add the line below just before that call and press Ctrl+S:

      delete makeAssertionOptions.publicKey.allowCredentials;

      Now you can press "Login", and you will see this error:

      Just to clarify, the PIN is not needed for login, only for registration, so QTBUG-90938 is not the cause of this specific issue.


      UPDATE:

      I experimented some more and discovered that it is possible to register multiple users on the same card, in which case the browser is expected to ask which credentials the user wants to log in with.

      To reproduce, follow the steps above to register two usernames, say "abcd" and "abcde".

      Make sure to register both of them with "Resident credentials" enabled.

      Keep following the repro steps above and delete `allowCredentials` before `navigator.credentials.get()` is called.

      Now the browser does not pass any information from the website to the card, so the card does not know which of the two users to pick. Chromium will show the following dialog:

      Just like QTBUG-90938, such a dialog needs to either be handled by QtWebEngine itself, or an API needs to be provided for the applications to do so.
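As an added example (not code from this issue, from webauthn.io or from QtWebEngine), this is how a relying party's login page can request a discoverable-credential assertion by omitting `allowCredentials`, recognise the QtWebEngine error quoted above, and fall back to an allow-list request for the typed username; the `getFn` parameter, the error-matching regex and the credential IDs are assumptions so the code can run outside a browser.

```javascript
// Build PublicKeyCredentialRequestOptions. With no credential IDs the
// allowCredentials member is omitted entirely, which asks the authenticator
// for a discoverable (resident) credential instead of a server-named one.
function buildAssertionOptions(challenge, rpId, credentialIds = []) {
  const publicKey = {
    challenge,          // Uint8Array issued by the server, used once
    rpId,
    timeout: 60000,
    userVerification: "preferred",
  };
  if (credentialIds.length > 0) {
    publicKey.allowCredentials = credentialIds.map((id) => ({
      type: "public-key",
      id,
      transports: ["usb", "nfc", "ble", "internal"],
    }));
  }
  return { publicKey };
}

// Assumed matcher for the error text QtWebEngine reports (quoted in the issue),
// so the page can tell "embedder cannot do resident login" from a user cancel.
const RESIDENT_UNSUPPORTED_RE =
  /Resident credentials or empty 'allowCredentials' lists are not supported/;

function isResidentCredentialUnsupported(err) {
  return err instanceof Error && RESIDENT_UNSUPPORTED_RE.test(err.message);
}

// Try the usernameless (discoverable) flow first. If the embedding browser
// rejects it, retry with the allow-list the server holds for the typed
// username. getFn is injectable (defaults to navigator.credentials.get) so
// the logic can be exercised in Node without a browser.
async function login(challenge, rpId, knownCredentialIds,
                     getFn = (o) => navigator.credentials.get(o)) {
  try {
    const credential = await getFn(buildAssertionOptions(challenge, rpId));
    return { mode: "discoverable", credential };
  } catch (err) {
    if (!isResidentCredentialUnsupported(err) || knownCredentialIds.length === 0) {
      throw err;   // cancellations, timeouts and unknown users are not retried
    }
    const credential = await getFn(
      buildAssertionOptions(challenge, rpId, knownCredentialIds));
    return { mode: "allowlist", credential };
  }
}
```

The allow-list fallback only works when the user typed a username the server already knows; a truly usernameless login has no fallback until the embedder supports resident credentials.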

          People

            anualiyas Anu Aliyas
            maximbaz Maxim Baz
            Votes: 1
            Watchers: 6