AuthenticatorAssertionRawResponse checks for AppID extension, but it uses the copy supplied by the client as JSON/etc from JS Credential.getClientExtensionResults(), without checking that it is the same data as supplied in AuthenticatorData.
This data should be sourced directly from AuthenticatorData CBOR, rather than relying on the client to supply the matching data, and the relevant properties should be removed from AuthenticatorAssertionRawResponse.
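An added example, not code from this project or from the report above: a server-side check that decides whether an assertion was scoped to the AppID from the signed `rpIdHash` in authenticator data, and treats the unsigned client extension result only as a claim to cross-check. The function names, the `example.com` values and the sample bytes are assumptions constructed for illustration; signature verification over the authenticator data is assumed to happen separately.

```python
import hashlib
import hmac
import struct

def sha256(s: str) -> bytes:
    return hashlib.sha256(s.encode("utf-8")).digest()

def parse_header(auth_data: bytes):
    """Return (rpIdHash, flags, signCount) from the fixed 37-byte prefix."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    flags, sign_count = struct.unpack(">BI", auth_data[32:37])
    return auth_data[:32], flags, sign_count

def appid_used(auth_data, rp_id, app_id, appid_requested, client_claim):
    """Return True if the assertion is scoped to the AppID, False if to the RP ID.

    The decision comes from rpIdHash, which the authenticator signs.
    client_claim is the 'appid' value from getClientExtensionResults()
    (None if absent); it is never trusted, only compared.
    """
    rp_id_hash, _flags, _sign_count = parse_header(auth_data)
    if hmac.compare_digest(rp_id_hash, sha256(rp_id)):
        used = False
    elif appid_requested and app_id and hmac.compare_digest(rp_id_hash, sha256(app_id)):
        # Only acceptable when the server itself asked for the extension.
        used = True
    else:
        raise ValueError("rpIdHash matches neither the RP ID nor a requested AppID")
    if client_claim is not None and bool(client_claim) != used:
        raise ValueError("client extension result disagrees with authenticator data")
    return used

def make_auth_data(scope: str, flags: int = 0x01, sign_count: int = 7) -> bytes:
    """Constructed sample: rpIdHash || flags || signCount, no extensions."""
    return sha256(scope) + struct.pack(">BI", flags, sign_count)

if __name__ == "__main__":
    RP_ID = "example.com"                          # constructed value
    APP_ID = "https://example.com/u2f-appid.json"  # constructed value
    print(appid_used(make_auth_data(APP_ID), RP_ID, APP_ID, True, True))
    print(appid_used(make_auth_data(RP_ID), RP_ID, APP_ID, True, None))
```
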