From d7d525360763282c146bbb4400d070d126187164 Mon Sep 17 00:00:00 2001 From: Yoshikazu Nojima Date: Tue, 10 Dec 2024 23:25:13 +0900 Subject: [PATCH] Change attestation in PublicKeyCredentialCreationOptions to none The attestation option in PublicKeyCredentialCreationOptions is a parameter that controls whether to request attestation from the security key. However, Spring Security Passkeys currently doesn't implement attestation verification. Therefore, requesting attestation is unnecessary. Specifying `direct` to request attestation may trigger browsers to display additional privacy related dialog to users, so it is best to avoid specifying `direct` unnecessarily.
---
 .../webauthn/management/Webauthn4JRelyingPartyOperations.java | 2 +- .../webauthn/api/TestPublicKeyCredentialCreationOptions.java | 2 +- .../security/web/webauthn/jackson/JacksonTests.java | 2 +- .../PublicKeyCredentialCreationOptionsFilterTests.java | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/web/src/main/java/org/springframework/security/web/webauthn/management/Webauthn4JRelyingPartyOperations.java b/web/src/main/java/org/springframework/security/web/webauthn/management/Webauthn4JRelyingPartyOperations.java
index d8341b8ac4e..4dc7efc5a8d 100644
--- a/web/src/main/java/org/springframework/security/web/webauthn/management/Webauthn4JRelyingPartyOperations.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/management/Webauthn4JRelyingPartyOperations.java
@@ -183,7 +183,7 @@ public PublicKeyCredentialCreationOptions createPublicKeyCredentialCreationOptio
 List credentialRecords = this.userCredentials.findByUserId(userEntity.getId());
 PublicKeyCredentialCreationOptions options = PublicKeyCredentialCreationOptions.builder()
- .attestation(AttestationConveyancePreference.DIRECT)
+ .attestation(AttestationConveyancePreference.NONE)
 .pubKeyCredParams(PublicKeyCredentialParameters.EdDSA, PublicKeyCredentialParameters.ES256,
 PublicKeyCredentialParameters.RS256)
 .authenticatorSelection(authenticatorSelection)
diff --git a/web/src/test/java/org/springframework/security/web/webauthn/api/TestPublicKeyCredentialCreationOptions.java b/web/src/test/java/org/springframework/security/web/webauthn/api/TestPublicKeyCredentialCreationOptions.java
index 8e65a6a79de..715b09b6292 100644
--- a/web/src/test/java/org/springframework/security/web/webauthn/api/TestPublicKeyCredentialCreationOptions.java
+++ b/web/src/test/java/org/springframework/security/web/webauthn/api/TestPublicKeyCredentialCreationOptions.java
@@ -40,7 +40,7 @@ public static PublicKeyCredentialCreationOptions.PublicKeyCredentialCreationOpti
 ImmutableAuthenticationExtensionsClientInputs clientInputs = new ImmutableAuthenticationExtensionsClientInputs(
 ImmutableAuthenticationExtensionsClientInput.credProps);
 return PublicKeyCredentialCreationOptions.builder()
- .attestation(AttestationConveyancePreference.DIRECT)
+ .attestation(AttestationConveyancePreference.NONE)
 .user(userEntity)
 .pubKeyCredParams(PublicKeyCredentialParameters.EdDSA, PublicKeyCredentialParameters.ES256,
 PublicKeyCredentialParameters.RS256)
diff --git a/web/src/test/java/org/springframework/security/web/webauthn/jackson/JacksonTests.java b/web/src/test/java/org/springframework/security/web/webauthn/jackson/JacksonTests.java
index 88ed4639ffb..bff4498ccf5 100644
--- a/web/src/test/java/org/springframework/security/web/webauthn/jackson/JacksonTests.java
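Review bot: Switching to `AttestationConveyancePreference.NONE` is the right default while this implementation performs no attestation verification, but nothing in the code records that reasoning, so a later maintainer could reintroduce `DIRECT` (and its extra browser consent prompt) without realizing the returned attestation statement is never checked. Add a short comment above the `.attestation(...)` call, e.g. `// Attestation statements are not verified by this implementation, so do not request them; DIRECT would only trigger an extra browser consent dialog`. If attestation verification is added later, the preference should become a configurable property of this class rather than a hard-coded constant, so that only deployments that actually verify attestation request it. The enclosing createPublicKeyCredentialCreationOptions method starts before the hunk and its builder chain continues after it.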
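Review bot: With this fixture change and the matching expectation updates in JacksonTests (writePublicKeyCredentialCreationOptions) and PublicKeyCredentialCreationOptionsFilterTests (doFilterWhenNoCredentials), every visible test now serializes `"attestation": "none"`, and `direct` disappears from the test corpus entirely even though `AttestationConveyancePreference.DIRECT` remains a value that callers building their own options may still set. Unless another test covers it, consider keeping one Jackson serialization case for the non-default value, e.g. a `writePublicKeyCredentialCreationOptionsWhenDirect` test, so the enum-to-JSON mapping for `direct` stays exercised. The fixture's builder chain continues past the end of the hunk.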
+++ b/web/src/test/java/org/springframework/security/web/webauthn/jackson/JacksonTests.java
@@ -149,7 +149,7 @@ void readAuthenticationExtensionsClientOutputsWhenFieldAfter() throws Exception
 void writePublicKeyCredentialCreationOptions() throws Exception {
 String expected = """
 {
- "attestation": "direct",
+ "attestation": "none",
 "authenticatorSelection": {
 "residentKey": "required"
 },
diff --git a/web/src/test/java/org/springframework/security/web/webauthn/registration/PublicKeyCredentialCreationOptionsFilterTests.java b/web/src/test/java/org/springframework/security/web/webauthn/registration/PublicKeyCredentialCreationOptionsFilterTests.java
index 5caffc365bb..38a108844c6 100644
--- a/web/src/test/java/org/springframework/security/web/webauthn/registration/PublicKeyCredentialCreationOptionsFilterTests.java
+++ b/web/src/test/java/org/springframework/security/web/webauthn/registration/PublicKeyCredentialCreationOptionsFilterTests.java
@@ -153,7 +153,7 @@ void doFilterWhenNoCredentials() throws Exception {
 "residentKey": "required",
 "userVerification": "preferred"
 },
- "attestation": "direct",
+ "attestation": "none",
 "extensions": {
 "credProps": true
 }