
WebAuthn credentials.get bug after discoverable credentials test

Having got Platform Authenticator and Multi-device Authentication working, I am trying to expand my FIDO2 knowledge by reading through WebAuthn issues on GitHub. To this end I was testing Discoverable Credentials (i.e. specifying allowCredentials as empty []).

I couldn't get the signing to match, so I reverted to allowing only the credential id I just CREATEd, but now I still keep getting prompted to specify a device when I call GET, and the signatures don't match. This is the JS code:

// Helpers assumed by the snippet (defined elsewhere in the poster's code):
// utf8Decoder turns the clientDataJSON bytes back into a string, and
// base64encode base64-encodes an ArrayBuffer (returning null for a missing value).
var utf8Decoder = new TextDecoder("utf-8");
function base64encode(buf) {
    return buf ? btoa(String.fromCharCode.apply(null, new Uint8Array(buf))) : null;
}

// credentialId is the base64 id saved from the CREATE step, serverChallenge.Token
// is the challenge issued by the server for this GET.
function getAssertion(credentialId, serverChallenge) {
    var allowCredentials = [{
        type: "public-key",
        id: Uint8Array.from(atob(credentialId), x => x.charCodeAt(0)).buffer
    }];

    var getAssertionOptions = {
        timeout: 60000,
        // challenge bytes are the characters of the server token, one byte each
        challenge: Uint8Array.from(serverChallenge.Token, c => c.charCodeAt(0)).buffer,
        allowCredentials: allowCredentials,   // restrict to the credential just created
        userVerification: "required"
    };

    return navigator.credentials.get({
        publicKey: getAssertionOptions
    }).then(rawAssertion => {
        var assertion = {
            id: base64encode(rawAssertion.rawId),
            clientDataJSON: utf8Decoder.decode(rawAssertion.response.clientDataJSON),
            // userHandle is null when the authenticator does not return one
            userHandle: base64encode(rawAssertion.response.userHandle),
            signature: base64encode(rawAssertion.response.signature),
            authenticatorData: base64encode(rawAssertion.response.authenticatorData)
        };
        return assertion;
    });
}

and this is the C# signature check:

// WebAuthn signs authenticatorData || SHA-256(clientDataJSON), so that is the message
// to verify (authenticatorData and clientDataJSON are the raw bytes decoded from the
// assertion the browser posted; ecparams holds the public key stored at CREATE time).
byte[] data;
using (SHA256 sha = SHA256.Create())
{
    data = authenticatorData.Concat(sha.ComputeHash(clientDataJSON)).ToArray();
}

// This VerifyData overload expects the signature in raw r||s (IEEE P1363) form;
// the browser returns a DER-encoded signature, so ECDsaSig must be converted first.
using (ECDsa dsa = ECDsa.Create(ecparams))
{
    if (dsa.VerifyData(data, ECDsaSig, HashAlgorithmName.SHA256))
    {
        Console.WriteLine("The signature is valid.");
    }
    else
    {
        Console.WriteLine("The signature is not valid.");
        return FAIL_STATUS;
    }
}

Now this code "used to work" using my Samsung phone, but then (IIRC) I wasn't being re-prompted for a device for verification. UPDATE: Sometimes, the first time after CREATE, the GET will work by returning a correctly signed payload. But now I can't reproduce that :-(

Look, this clearly sounds like developer/pilot error on my part, but I just want to see if it rings any bells. I have cleared all cache, rebooted, can't find any "credentials" in any password history, and am at a loss. I thought there may be some signature timeout, but I've extended everything I could.

Q1. Was I always prompted to select a device even though I said to only allow this Samsung credential?

NB: If I use the platform authenticator on my phone then the same thumb-print works. EC encryption.

Chrome: Version 103.0.5060.134 (Official Build) (64-bit)

I'm assuming, because you are testing on a Samsung device, that you are running Android. Sadly, at the moment Android does not support discoverable credentials / resident keys. Your previous flows would work as you are able to invoke the WebAuthn ceremony with credentials populating the allowList.

I tested on a WebAuthn environment of mine and confirmed that I am getting an error that reads "Use of an empty 'allowCredentials' list is not supported on this device" (I'm using Chrome on a Pixel 5 device).

Google has indicated that discoverable credential support is coming to Android soon to help support their passkey implementation.

For now I would recommend that you test your discoverable credential flow on another device with a platform authenticator to see if it works.

As for some of your other errors, I may need more information to help identify the issue.

Hope this helps
