
WebAuthn login fails when validating allowCredentials #18158

Description

@Kehrlann

Describe the bug

When used as a single factor, WebAuthn login works.

Used as a second factor, WebAuthn login fails, because allowCredentials is not null and the sent credentialId does not match the stored allowCredentials. The following error is thrown:

org.springframework.security.authentication.BadCredentialsException: credentialId not listed in allowCredentials is used.
	at org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationProvider.authenticate(WebAuthnAuthenticationProvider.java:80) ~[spring-security-webauthn-7.0.0-RC3.jar:7.0.0-RC3]
	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:183) ~[spring-security-core-7.0.0-RC3.jar:7.0.0-RC3]
	at org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationFilter.attemptAuthentication(WebAuthnAuthenticationFilter.java:121) ~[spring-security-webauthn-7.0.0-RC3.jar:7.0.0-RC3]
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:249) ~[spring-security-web-7.0.0-RC3.jar:7.0.0-RC3]
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:239) ~[spring-security-web-7.0.0-RC3.jar:7.0.0-RC3]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380) ~[spring-security-web-7.0.0-RC3.jar:7.0.0-RC3]
[...]
Caused by: com.webauthn4j.verifier.exception.NotAllowedCredentialIdException: credentialId not listed in allowCredentials is used.
	at com.webauthn4j.verifier.internal.CredentialIdVerifier.verify(CredentialIdVerifier.java:17) ~[webauthn4j-core-0.29.7.RELEASE.jar:na]
	at com.webauthn4j.verifier.AuthenticationDataVerifier.verify(AuthenticationDataVerifier.java:92) ~[webauthn4j-core-0.29.7.RELEASE.jar:na]
	at com.webauthn4j.WebAuthnAuthenticationManager.verify(WebAuthnAuthenticationManager.java:254) ~[webauthn4j-core-0.29.7.RELEASE.jar:na]
	at com.webauthn4j.WebAuthnAuthenticationManager.verify(WebAuthnAuthenticationManager.java:237) ~[webauthn4j-core-0.29.7.RELEASE.jar:na]
	at com.webauthn4j.WebAuthnManager.verify(WebAuthnManager.java:369) ~[webauthn4j-core-0.29.7.RELEASE.jar:na]
	at org.springframework.security.web.webauthn.management.Webauthn4JRelyingPartyOperations.authenticate(Webauthn4JRelyingPartyOperations.java:405) ~[spring-security-webauthn-7.0.0-RC3.jar:7.0.0-RC3]
	at org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationProvider.authenticate(WebAuthnAuthenticationProvider.java:72) ~[spring-security-webauthn-7.0.0-RC3.jar:7.0.0-RC3]
	... 80 common frames omitted

To Reproduce

Use two-factor auth, and use WebAuthn for the second factor. It does not matter which first factor is used.

Then CredentialRequestOptions.publicKey.allowCredentials is not null; but during WebAuthn validation, the credential's binary id does not match the known allowCredentials.
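The check that rejects the assertion above is the relying party's allowCredentials membership test from the WebAuthn authentication ceremony. The following is an added illustration of that check, not Spring Security or webauthn4j code; the credential ids are constructed sample values, and the final "encoded vs raw" case shows one way an id comparison can fail for a legitimate credential, as an assumption for illustration, not the diagnosed cause of this issue.

```python
import base64
from typing import Optional, Sequence


def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses for ids in JSON."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    """Encode bytes as unpadded base64url."""
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def credential_id_allowed(asserted_raw_id: bytes,
                          allow_credentials: Optional[Sequence[bytes]]) -> bool:
    """Relying-party check from the WebAuthn assertion verification procedure:
    if the request carried a non-empty allowCredentials list, the credential
    used must be one of them. An absent or empty list (e.g. a discoverable
    credential flow) imposes no restriction at this step."""
    if not allow_credentials:
        return True
    # Credential ids are opaque byte strings; compare raw bytes, not text.
    return any(asserted_raw_id == allowed for allowed in allow_credentials)


def demo() -> dict:
    # Constructed sample ids (not taken from the issue).
    stored_id = bytes.fromhex("0102030405060708090a0b0c0d0e0f10")
    other_id = bytes.fromhex("ffeeddccbbaa99887766554433221100")
    # What the client sends in the assertion JSON: base64url of rawId.
    sent_raw_id_b64 = b64url_encode(stored_id)
    sent_raw_id = b64url_decode(sent_raw_id_b64)
    return {
        # Single-factor flow: allowCredentials empty, so the step passes.
        "single_factor": credential_id_allowed(sent_raw_id, None),
        # Second-factor flow: allowCredentials lists the user's stored ids.
        "second_factor_match": credential_id_allowed(sent_raw_id, [stored_id]),
        # A credential not in the list is rejected (the NotAllowedCredentialId case).
        "second_factor_other": credential_id_allowed(other_id, [stored_id]),
        # Pitfall (assumed, for illustration): comparing the still-encoded text
        # form against raw bytes never matches, so a valid credential is rejected.
        "encoded_vs_raw": credential_id_allowed(sent_raw_id_b64.encode(), [stored_id]),
    }
```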
