Avoid requesting an unnecessary attestation statement when creating a webauthn credential #16252

Conversation

@ynojima (Contributor) commented Dec 10, 2024

The `attestation` option in `PublicKeyCredentialCreationOptions` is a parameter that controls whether to request an attestation statement from the security key. Currently, Spring Security Passkeys requests an attestation statement by specifying the `direct` value for the `attestation` option, but Spring Security Passkeys doesn't implement attestation statement verification[1]. Therefore, the requested attestation statement is not used at all.
Specifying `direct` to request attestation may trigger browsers to display an additional privacy-related dialog to users, so it is best to avoid specifying `direct` unnecessarily.
[1] Spring Security Passkeys uses WebAuthnManager.createNonStrictWebAuthnManager() to setup a WebAuthnManager instance configured not to verify attestation statements.

The attestation option in PublicKeyCredentialCreationOptions is a
parameter that controls whether to request attestation from the security key.
However, Spring Security Passkeys currently doesn't implement attestation verification.
Therefore, requesting attestation is unnecessary.
Specifying `direct` to request attestation may trigger browsers to
display additional privacy related dialog to users, so it is best to
avoid specifying `direct` unnecessarily.
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Dec 10, 2024
@rwinch rwinch self-assigned this Dec 11, 2024
@rwinch rwinch added in: web An issue in web modules (web, webmvc) type: bug A general bug and removed status: waiting-for-triage An issue we've not yet triaged labels Dec 11, 2024
@rwinch rwinch added this to the 6.4.2 milestone Dec 11, 2024
@rwinch rwinch enabled auto-merge (rebase) December 11, 2024 23:06
@rwinch rwinch merged commit d7d5253 into spring-projects:main Dec 11, 2024
ynojima added a commit to ynojima/spring-security that referenced this pull request Dec 12, 2024
@ynojima (Contributor, Author) commented Dec 12, 2024

@rwinch Sorry, I missed updating the document. Could you merge this one too? #16264

rwinch pushed a commit that referenced this pull request Dec 12, 2024