ban empty user ID / user handle #1536

Closed
equalsJeffH opened this issue Dec 9, 2020 · 0 comments · Fixed by #1537
The spec already notes: "...a user handle having an empty value is known to be problematic in practice..."

However, in testing, it's been discovered that:

- Returning a user in GetAssertion with an empty ID: Windows 10 fails.
- Same response, but omitting user: Windows 10 works.
- (Japanese blog post about this workaround.)
- "OpenSK users reported Windows 10 interoperability issues."

@akshayku has noted: I would prefer RP always sending a non-zero userID or browser erroring out when it receives a zero length userID or browser/platform not setting a zero length userID in makeCredential even if RP sets it empty as clearly RP does not care about userID in this scenario.

Thus, we suggest the webauthn spec states that user.id MUST not be empty, and if an RP wishes a constant value for whatever reason, they pick something innocuous such as a single space char.
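An added example (not from the issue or the WebAuthn spec) of the RP-side guard this proposal implies: reject an empty user handle before it reaches `navigator.credentials.create()`, so no credential is ever created with a `user.id` that later breaks GetAssertion. The 64-byte ceiling is the spec's existing limit on user handles; `buildUserEntity` and the sample inputs are hypothetical.

```javascript
// Added example: validate the WebAuthn user.id (user handle) on the RP side.
// WebAuthn bounds the user handle at 64 bytes; this issue adds the practical
// requirement that it must not be empty (empty IDs break GetAssertion on Windows 10).

const MAX_USER_HANDLE_BYTES = 64; // limit from the WebAuthn spec

// Normalise a user handle to bytes and reject empty or oversized values.
// Accepts a string (UTF-8 encoded), an ArrayBuffer, or a Uint8Array.
function validateUserHandle(id) {
  let bytes;
  if (typeof id === "string") {
    bytes = new TextEncoder().encode(id);
  } else if (id instanceof ArrayBuffer) {
    bytes = new Uint8Array(id);
  } else if (id instanceof Uint8Array) {
    bytes = id;
  } else {
    throw new TypeError("user.id must be a string, ArrayBuffer or Uint8Array");
  }
  if (bytes.length === 0) {
    throw new RangeError("user.id must not be empty");
  }
  if (bytes.length > MAX_USER_HANDLE_BYTES) {
    throw new RangeError(`user.id must be at most ${MAX_USER_HANDLE_BYTES} bytes`);
  }
  return bytes;
}

// Hypothetical helper: build the `user` member of
// PublicKeyCredentialCreationOptions with the handle already validated.
function buildUserEntity({ id, name, displayName }) {
  return { id: validateUserHandle(id), name, displayName };
}

// Convenience predicate so callers can pre-check RP data without try/catch.
function isValidUserHandle(id) {
  try {
    validateUserHandle(id);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample: an RP that wants a constant handle should use something
// innocuous such as a single space, never the empty string.
const constantHandle = buildUserEntity({ id: " ", name: "svc", displayName: "Service" });
```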
