RelyingParty.finishAssertion() fails when called with assertion result from Safari v15.4 #194

Closed
slunker opened this issue May 5, 2022 · 1 comment

slunker commented May 5, 2022

The call to RelyingParty.finishAssertion() with an assertion result that came from Safari v15.4 when authenticating with a Yubico key fails with java.lang.IllegalArgumentException: User handle ByteArray() does not own credential ByteArray(<bytes>)

The problem seems to be that the value of the userHandle field is an empty string in the assertion result JSON in Safari 15.4 instead of null.

This works in other browsers or in previous versions of Safari. It also works when authenticating with TouchID. It was tried with these versions of webauthn server: 1.12.2, 1.12.4 and 2.0.0.

Member

emlun commented May 7, 2022

Hi! Yes, that sounds like a bug in Safari. While the PublicKeyCredentialCreationOptions.user.id option no longer allows an empty user handle as an argument, it is still valid for authenticators to return an empty AuthenticatorAssertionResponse.userHandle, and that is distinct from a null value. There seems to already be a ticket for this in Safari's bug tracker: https://bugs.webkit.org/show_bug.cgi?id=239737

See also: w3c/webauthn#1722
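
The null-versus-empty distinction discussed in this thread, as an added client-side example that is not part of the issue or of the library: it serialises an assertion and sends a zero-length userHandle as null, while reporting that it did so. It assumes the relying party never registers an empty user handle; `serializeAssertion`, `normalizeUserHandle`, the JSON envelope and the sample bytes are hypothetical or constructed.

```javascript
// Added example (not from the issue thread or the library).
// Assumption: this relying party never registers an empty user handle, so a
// zero-length userHandle is treated as absent and sent as null.

function toBase64Url(buf) {
  let bin = '';
  for (const b of new Uint8Array(buf)) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Distinguish the three cases: absent, present-but-empty, present.
function normalizeUserHandle(userHandle) {
  if (userHandle === null || userHandle === undefined) {
    return { value: null, wasEmpty: false };
  }
  if (userHandle.byteLength === 0) {
    return { value: null, wasEmpty: true }; // reported so it can be logged
  }
  return { value: toBase64Url(userHandle), wasEmpty: false };
}

// Hypothetical JSON envelope; the response field names follow
// AuthenticatorAssertionResponse.
function serializeAssertion(cred) {
  const r = cred.response;
  const handle = normalizeUserHandle(r.userHandle);
  return {
    emptyUserHandleSeen: handle.wasEmpty,
    json: {
      id: cred.id,
      type: cred.type,
      response: {
        authenticatorData: toBase64Url(r.authenticatorData),
        clientDataJSON: toBase64Url(r.clientDataJSON),
        signature: toBase64Url(r.signature),
        userHandle: handle.value,
      },
      clientExtensionResults: {},
    },
  };
}

// Constructed stand-in for a PublicKeyCredential; all byte values are made up.
function sampleCredential(userHandle) {
  const bytes = (...b) => Uint8Array.of(...b).buffer;
  return {
    id: 'Y29uc3RydWN0ZWQ', type: 'public-key',
    response: { authenticatorData: bytes(1, 2), clientDataJSON: bytes(123, 125),
                signature: bytes(9, 9, 9), userHandle },
  };
}
```

Logging `emptyUserHandleSeen` shows how many clients still send the empty value.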
