Default cleanup hook is not wired up correctly

Description

The cleanup bean injection was not properly connected to the property that controlled it: idp.authn.webauthn.removeAfterValidation. Default is now true (enabled), so this will need documenting in the release notes.

Environment

None

Activity

Timo Tunturi, March 20, 2025 at 5:03 AM

TBH I was basically wondering what happens to the WebAuthn context if I don't clean it up. I was under the impression that it's just gonna get dropped anyway since it isn't available in a reuse scenario. But yea, cleaning after yourself is a good thing to do regardless.

Philip Smart, March 19, 2025 at 2:23 PM

As Scott said, so just confirming there is nothing secret in the WebAuthnAuthenticationContext, the IdP only knows the public component of the keys.

Scott Cantor, March 19, 2025 at 12:11 PM

Most of the time the biggest concern is reuse of a flow a second time getting mixed up, which is not something the IdP will do but is possible if somebody scripts MFA to do it.

Assuming there’s nothing “secret” in it, then it’s just like any other cleanup practice, just good hygiene to not leave working state around.

In some cases like the AttributeResolver it can fully break the whole thing not to do so. Just varies.

There’s no reason to ever not clean something up if it can be.

Timo Tunturi, March 19, 2025 at 11:36 AM

If you set this to false, should you clean up the WebAuthn context yourself after you are done with it? Does it have some potentially negative consequences to just leave it?

Philip Smart, March 10, 2025 at 2:55 PM

Added property and wired it up.

Fixed

Details

Created March 10, 2025 at 2:48 PM
Updated March 20, 2025 at 5:03 AM
Resolved March 10, 2025 at 2:55 PM