Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WebAuthN quarkus.webauthn.user-verification default value is not working as expected #38402

Closed
StephenOTT opened this issue Jan 25, 2024 · 4 comments
Closed

WebAuthN quarkus.webauthn.user-verification default value is not working as expected #38402

StephenOTT opened this issue Jan 25, 2024 · 4 comments
Labels
area/webauthn kind/bug Something isn't working

Comments

@StephenOTT
Copy link

Describe the bug

The web auth n config value: quarkus.webauthn.user-verification has a default of required

https://quarkus.io/guides/security-webauthn#quarkus-security-webauthn_quarkus.webauthn.user-verification

https://github.com/quarkusio/quarkus/blob/main/extensions/security-webauthn/runtime/src/main/java/io/quarkus/security/webauthn/WebAuthnRunTimeConfig.java#L107

But when you DO NOT set the value / leave it as the default, the login process is returning: "userVerification": "discouraged",

If you manually set the property in application.properties: quarkus.webauthn.user-verification=required then the userVerification property is properly set to required.

Expected behavior

Default value is properly set

Actual behavior

Default value does not get set and value falls back to discouraged

How to Reproduce?

No response

Output of uname -a or ver

No response

Output of java -version

No response

Quarkus version or git rev

No response

Build tool (ie. output of mvnw --version or gradlew --version)

No response

Additional information

No response
@StephenOTT StephenOTT added the kind/bug Something isn't working label Jan 25, 2024
@sberyozkin
Copy link
Member

@StephenOTT Is it a duplicate of #38348 ?

@StephenOTT
Copy link
Author

@sberyozkin i don't think so. user-verification is related to the requirements on the authenticator: such as forcing the user to input their PIN.

image

@FroMage
Copy link
Member

FroMage commented Jan 26, 2024

Ah, either a code bug, or a doc bug.

@FroMage
Copy link
Member

FroMage commented Jan 26, 2024

Indeed, the default is really DISCOURAGED in the code, I'll adjust the docs.

FroMage added a commit to FroMage/quarkus that referenced this issue Jan 26, 2024
@FroMage
WebAuthn config: document the proper default value
a8d8a3c 
Fixes quarkusio#38402
FroMage added a commit to FroMage/quarkus that referenced this issue Mar 12, 2024
@FroMage
WebAuthn config: document the proper default value
7845577 
Fixes quarkusio#38402
FroMage added a commit to FroMage/quarkus that referenced this issue Mar 19, 2024
@FroMage
WebAuthn config: document the proper default value
e09385b 
Fixes quarkusio#38402
franz1981 pushed a commit to franz1981/quarkus that referenced this issue Mar 27, 2024
@FroMage @franz1981
WebAuthn config: document the proper default value
95198b1 
Fixes quarkusio#38402
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/webauthn kind/bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@FroMage @sberyozkin @StephenOTT