This repository has been archived by the owner on Nov 8, 2024. It is now read-only.
AttestationConveyancePreference should be NONE as long as Spring Security doesn't verify webauthn attestation #84
Comments
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Current Spring Security implementation uses
AttestationConveyancePreference.DIRECTto requests attestation,https://github.com/spring-projects/spring-security/blob/7a1718887c0c10149b1f5057a7b532320f136b0a/web/src/main/java/org/springframework/security/web/webauthn/management/Webauthn4JRelyingPartyOperations.java#L185
but it doesn't verify the requested attestation since Spring Security creates
WebAuthnManagerwithcreateNonStrictWebAuthnManager()factory method.https://github.com/spring-projects/spring-security/blob/7a1718887c0c10149b1f5057a7b532320f136b0a/web/src/main/java/org/springframework/security/web/webauthn/management/Webauthn4JRelyingPartyOperations.java#L98C60-L98C90
Since attestation verification is mainly for enterprise use cases and isn’t really recommended for general use cases, it’s reasonable not to verify the attestation in the first version.
However, in that case, attestation should not be required.
The text was updated successfully, but these errors were encountered: