The spec already notes: "...a user handle having an empty value is known to be problematic in practice..."
However, in testing, it's been discovered that:
Returning a user in GetAssertion with an empty ID: Windows 10 fails.
Same response, but omitting user: Windows 10 works.
(Japanese blog post about this workaround.)
"OpenSK users reported Windows 10 interoperability issues."
@akshayku has noted: I would prefer RP always sending a non-zero userID or browser erroring out when it receives a zero length userID or browser/platform not setting a zero length userID in makeCredential even if RP sets it empty as clearly RP does not care about userID in this scenario.
Thus, we suggest the webauthn spec states that user.id MUST not be empty, and if an RP wishes a constant value for whatever reason, they pick something innocuous such as a single space char.
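An RP-side guard for the empty `user.id` case discussed above, as an added example that is not part of the issue or the spec text. The function names are hypothetical, and the 64-byte upper bound is an assumption taken from the WebAuthn user handle size limit, which this page does not state.

```javascript
// Added example: reject an empty user.id before it reaches the authenticator,
// and tell "no userHandle" apart from "empty userHandle" in an assertion.
const MAX_USER_HANDLE_BYTES = 64; // assumption: WebAuthn user handle maximum

// Normalise a BufferSource (ArrayBuffer, typed array or DataView) to bytes,
// honouring byteOffset so a view over a larger buffer is measured correctly.
function toBytes(src) {
  if (src instanceof ArrayBuffer) return new Uint8Array(src);
  if (ArrayBuffer.isView(src)) {
    return new Uint8Array(src.buffer, src.byteOffset, src.byteLength);
  }
  throw new TypeError("expected a BufferSource");
}

// Validate the user.id of PublicKeyCredentialCreationOptions.
// Returns the id bytes, or throws before navigator.credentials.create() runs.
function checkUserId(options) {
  const user = options && options.user;
  if (!user || user.id === undefined || user.id === null) {
    throw new TypeError("user.id is missing");
  }
  const id = toBytes(user.id);
  if (id.byteLength === 0) {
    throw new RangeError("user.id must not be empty");
  }
  if (id.byteLength > MAX_USER_HANDLE_BYTES) {
    throw new RangeError("user.id exceeds " + MAX_USER_HANDLE_BYTES + " bytes");
  }
  return id;
}

// Classify AuthenticatorAssertionResponse.userHandle so logs distinguish an
// omitted user from a user returned with a zero-length ID.
function classifyUserHandle(response) {
  const handle = response.userHandle;
  if (handle === undefined || handle === null) return "absent";
  return toBytes(handle).byteLength === 0 ? "empty" : "present";
}
```

Calling `checkUserId` on the options just before `navigator.credentials.create()` keeps a zero-length handle from ever being stored on the authenticator.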