Lookup user credentials from user handle expects user handle
Description
The LookupRegisteredCredentialsFromUserHandle action expects a userHandle to be present in the assertion response (from authentication), because it assumes the authentication is usernameless. However, for a passwordless authentication the authenticator is not required to supply a userHandle (the IdP already knows it, because it knows the username/user.id), and on some platforms that appears to be what happens (no userHandle). The logic should be improved here to account for the passwordless flow (or should simply not run for this flow).
Of note, this is not an issue by default: the idp.authn.webauthn.signalEventOnNoCredentialsRegisteredForUserHandle property has to be set to true and the passwordless flow used. When set, the action treats the lack of credentials as a signal back to the MFA flow.
As reported by @Equbay Kiflay.
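An added illustration in Python (not the plugin's own code) of the distinction the report draws: in a passwordless flow the lookup derives the user handle from the already-identified user and only cross-checks a userHandle if the authenticator happens to send one, while in a usernameless flow a missing userHandle is what raises the no-credentials signal. Function and data names are hypothetical; the registry and assertion responses are constructed samples.

```python
import json
from typing import List, Optional, Tuple

# Constructed sample registry (not real data): userHandle -> (username, credential ids).
REGISTRY = {"dXNlci0xMjM": ("alice", ["cred-a", "cred-b"])}
USERNAME_TO_HANDLE = {user: handle for handle, (user, _) in REGISTRY.items()}

NO_CREDENTIALS_SIGNAL = "NoCredentialsRegisteredForUserHandle"  # hypothetical signal name

def lookup_registered_credentials(assertion_json: str, known_username: Optional[str],
                                  signal_on_missing: bool) -> Tuple[str, List[str]]:
    """Resolve the credentials an assertion should be verified against.

    known_username is None for a usernameless flow (the user is identified only by
    the authenticator's userHandle) and set for a passwordless flow (the IdP already
    identified the user, so the authenticator may legitimately omit userHandle).
    Returns (outcome, credential_ids); outcome is "ok", the signal name, or "mismatch".
    """
    response = json.loads(assertion_json).get("response", {})
    user_handle = response.get("userHandle")  # absent or null on some platforms

    if known_username is not None:
        # Passwordless: derive the handle from the known user; userHandle is only a cross-check
        # (WebAuthn requires a supplied userHandle to identify the same, already-known user).
        handle = USERNAME_TO_HANDLE.get(known_username)
        if user_handle is not None and user_handle != handle:
            return "mismatch", []
    else:
        # Usernameless: userHandle is the only identifier, so it is required here.
        handle = user_handle

    entry = REGISTRY.get(handle) if handle else None
    if entry is None:
        return (NO_CREDENTIALS_SIGNAL if signal_on_missing else "ok"), []
    return "ok", entry[1]

# Constructed assertion responses: with the right handle, with none, and with a wrong one.
WITH_HANDLE = json.dumps({"id": "cred-a", "response": {"userHandle": "dXNlci0xMjM"}})
WITHOUT_HANDLE = json.dumps({"id": "cred-a", "response": {"userHandle": None}})
WRONG_HANDLE = json.dumps({"id": "cred-a", "response": {"userHandle": "b3RoZXI"}})
```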