What setting work to create a new registration?

[russmenum]

I am using the DEMO or _test client.html and server.php at the base for trying to get this working...

However, neither the demo at https://webauthn.lubu.ch/_test/client.html nor my local clone of it work.

The JS runs, the PHP once configured tries to, but when you click new registration with the default setting when it gets to

const cred = await navigator.credentials.create(createArgs);

in

async function createRegistration() {}

It fails.

Trying to test with Chrome and do the "continue" to save to device to proof set up...

The createArgs being passed is

{
    "publicKey": {
        "rp": {
            "name": "WebAuthn Library",
            "id": "dev01.menumavin.com"
        },
        "authenticatorSelection": {
            "userVerification": "discouraged"
        },
        "user": {
            "id": {},
            "name": "demo",
            "displayName": "Demo Demolin"
        },
        "pubKeyCredParams": [
            {
                "type": "public-key",
                "alg": -8
            },
            {
                "type": "public-key",
                "alg": -7
            },
            {
                "type": "public-key",
                "alg": -257
            }
        ],
        "attestation": "direct",
        "extensions": {
            "exts": true
        },
        "timeout": 240000,
        "challenge": {},
        "excludeCredentials": []
    }
}

Clearly, these publicKey settings do not work, so do we know which ones do?

While we ultimately need to test with Apple iCloud and Google Profile, do not want to do the debug fake users proof in those. Any help with what settings are needed to allow this not to be what looks like blocked by the browser would be of help...

All this produces with these default values is a timeout trying to do the navigator.credentials.create, what setting will work?

The ERROR is

createRegistration() ERROR:  NotAllowedError: The operation either timed out or was not allowed. See: https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client.

I am not seeing what leak case is being triggered... any ideas which?

[russmenum]

Looking over this DOC says:

NotAllowedError DOMException
Possible causes include:

• Usage was blocked by a publickey-credentials-create Permissions Policy.
• The function is called cross-origin but the iframe's allow attribute does not set an appropriate publickey-credentials-create policy.
• The function is called cross-origin and the <iframe> does not have transient activation.
• An attempt is made to create a discoverable credential (residentKey is set to required in the create() call's PublicKeyCredentialCreationOptions option), but the user does not have a security key that supports discoverable credentials, and cancels the operation.

on the server added:

$this->response->header('Permissions-Policy', 'publickey-credentials-create=*');

verify set on client:

window.addEventListener('load', function() {
    const featurePolicy = document.featurePolicy;
    
    const allowed = featurePolicy.allowedFeatures();
    console.log("allowed: ", allowed);

    const allowlist = featurePolicy.getAllowlistForFeature("publickey-credentials-create");
    console.log("allowlist: ", allowlist);
    
});

result:

allowed:  (77) ['geolocation', 'ch-ua-full-version-list', 'cross-origin-isolated', 'screen-wake-lock', 'translator', 'publickey-credentials-get', 'shared-storage-select-url', 'ch-ua-arch', 'bluetooth', 'compute-pressure', 'ch-prefers-reduced-transparency', 'deferred-fetch', 'usb', 'ch-save-data', 'publickey-credentials-create', 'shared-storage', 'deferred-fetch-minimal', 'rewriter', 'run-ad-auction', 'ch-downlink', 'ch-ua-form-factors', 'otp-credentials', 'payment', 'ch-ua', 'ch-ua-model', 'ch-ect', 'autoplay', 'camera', 'language-detector', 'private-state-token-issuance', 'digital-credentials-get', 'accelerometer', 'ch-ua-platform-version', 'idle-detection', 'private-aggregation', 'interest-cohort', 'ch-viewport-height', 'captured-surface-control', 'local-fonts', 'ch-ua-platform', 'midi', 'ch-ua-full-version', 'xr-spatial-tracking', 'clipboard-read', 'gamepad', 'writer', 'display-capture', 'keyboard-map', 'join-ad-interest-group', 'ch-width', 'ch-prefers-reduced-motion', 'browsing-topics', 'encrypted-media', 'gyroscope', 'serial', 'ch-rtt', 'ch-ua-mobile', 'window-management', 'unload', 'ch-dpr', 'ch-prefers-color-scheme', 'ch-ua-wow64', 'attribution-reporting', 'fullscreen', 'identity-credentials-get', 'private-state-token-redemption', 'hid', 'summarizer', 'ch-ua-bitness', 'storage-access', 'sync-xhr', 'ch-device-memory', 'ch-viewport-width', 'picture-in-picture', 'magnetometer', 'clipboard-write', 'microphone']
passKey.js?4620250805:88 allowlist:  ['*']

So I think that rules out "Usage was blocked by a publickey-credentials-create Permissions Policy."?

I do not even see a [residentKey](https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredentialCreationOptions#residentkey) in the options... And the call is not in an iFrame for register... But clearly something is blocking this both in my case and on the demo site... Do we have any idea what? Knowing what it is not happy about is the Step ZERO to resolving this broken state of this...

[russmenum]

If as referenced here I enable "virtual authenticator on Chrome" I can proceed to

rep = await window.fetch('asskeyserver?fn=processpCreate' + getGetParams(), {
            method  : 'POST',
            body    : JSON.stringify(authenticatorAttestationResponse),
            cache   : 'no-cache'
        });

However that results in:

authenticatorAttestationServerResponse:  {success: false, msg: 'invalid challenge'}

So it looks like the CORE issue here may be the challenge is wrong?

FLOW OF challenge:

if ($fn === 'getCreateArgs') {
				$createArgs = $WebAuthn->getCreateArgs(\hex2bin($userId), $userName, $userDisplayName, 60*4, $requireResidentKey, $userVerification, $crossPlatformAttachment);
		
				// header('Content-Type: application/json');
				// print(json_encode($createArgs));
				// REFACTOR
				$this->response->type('application/json');
				echo json_encode($createArgs);
		
				// save challange to session. you have to deliver it to processGet later.
				// $_SESSION['challenge'] = $WebAuthn->getChallenge();
				// REFACTOR, must convert to store
				$this->Session->write('User.challenge', base64_encode($WebAuthn->getChallenge()) ); 

		
		
		
			// ------------------------------------
			// request for get arguments
			// ------------------------------------
		
			}

then create

} else if ($fn === 'processCreate') {
				$clientDataJSON = !empty($post->clientDataJSON) ? base64_decode($post->clientDataJSON) : null;
				$attestationObject = !empty($post->attestationObject) ? base64_decode($post->attestationObject) : null;
				// $challenge = $_SESSION['challenge'] ?? null;
				$challenge = base64_decode($this->Session->read('User.challenge')) ?? null;
				//DEBUG challenge VALUE FOR ENCODING on Throwable $ex
				$DEBUGchallenge = $challenge;

then

} catch (Throwable $ex) {
			$return = new stdClass();
			$return->success = false;
			$return->msg = $ex->getMessage();
			// DEBUG challenge
			$return->challenge = $DEBUGchallenge;
		
			// header('Content-Type: application/json');
			// print(json_encode($return));
			// ABOVE WONT WORK WITH CAKE, BELOW IS CAKE WAY
			$this->response->type('application/json');
			echo json_encode($return);
		}

output logging challenge with error

{
    "success": false,
    "msg": "invalid challenge",
    "challenge": "e3416ffbe51c9a4d6e0fc7651087d350ef177fdcde8eb3fb466a74571774b1bf"
}

it looks like the exception is from:

$data = $WebAuthn->processCreate($clientDataJSON, $attestationObject, $challenge, $userVerification === 'required', true, false);

If anyone has any ideas how to correct this challenge error, It would very much be welcome