Summary: WSO2 IS 5.11 has been installed and configured with FIDO as a local authenticator for a service provider. As a user on an Apple device attempting to log into a service provider using the FIDO local authenticator, the user is immediately redirected to a failed login attempt page.
According to Safari Web Inspector attached to the user's device, the fido2-auth.jsp [1] generates the following error message:
User gesture is not detected. To use the WebAuthn API, call 'navigator.credentials.create' within user activated events.
Apple requires that WebAuthn API calls originate from a user gesture [2]. fido2-auth.jsp attempts to call the WebAuthn API through an onload [3] event which causes the aforementioned error message.
Questions: Would an appropriate workaround be to have a "retry" button on this page that explicitly calls the WebAuthn API through a user gesture and, upon onload failure, disable the automatic form submission in talkToDevice() [4] so the user can use the "retry" button? Has WSO2 identified another path for users using Apple devices to perform FIDO authentication?
References
[2] - https://webkit.org/blog/11312/meet-face-id-and-touch-id-for-the-web/
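Added illustration of the workaround the question proposes (this is example code written for this page, not WSO2's fido2-auth.jsp or any WSO2 project code): the page attempts the WebAuthn call on load, and when the browser refuses it for lack of a user gesture the controller suppresses the automatic form submission and reveals a retry button whose click handler repeats the call inside a user activation. The function names talkToDevice, submitFidoForm and showRetryButton, the element id fidoRetry, the relying-party id and the request options are assumptions; the credentials object that rejects calls made outside a user activation is a simulation of the WebKit behaviour described above so the example runs offline in Node.

```javascript
// Example code (not WSO2's fido2-auth.jsp): retry-button fallback for a WebAuthn
// call that WebKit rejects outside a user gesture. Authentication uses
// navigator.credentials.get(); the quoted error text happens to name create().

// Constructed placeholder for the server-issued PublicKeyCredentialRequestOptions.
const SAMPLE_REQUEST_OPTIONS = {
  publicKey: {
    challenge: new Uint8Array([0x01, 0x02, 0x03, 0x04]), // constructed, not a real challenge
    rpId: "idp.example.org",                              // assumed relying party id
    userVerification: "preferred",
    timeout: 60000,
  },
};

// Simulation of the WebKit behaviour described in the post: get() rejects with
// NotAllowedError unless it is invoked during a user activation. activate()
// stands in for a real click so the example can run outside a browser.
function makeWebKitLikeCredentials() {
  let userActivated = false;
  return {
    activate(fn) {
      userActivated = true;
      try { return fn(); } finally { userActivated = false; } // activation is transient
    },
    get(options) {
      if (!options || !options.publicKey) return Promise.reject(new TypeError("publicKey required"));
      if (!userActivated) {
        const err = new Error("User gesture is not detected. To use the WebAuthn API, " +
          "call 'navigator.credentials.create' within user activated events.");
        err.name = "NotAllowedError";
        return Promise.reject(err);
      }
      return Promise.resolve({ id: "c29tZS1jcmVkLWlk", type: "public-key", response: {} });
    },
  };
}

// Login controller. credentials: a navigator.credentials-like object;
// submitFidoForm(payload): posts the outcome to the authenticator endpoint (assumed name);
// showRetryButton(): reveals the fallback control in the page (assumed name).
function createFidoLogin({ credentials, requestOptions, submitFidoForm, showRetryButton }) {
  const state = { autoSubmitDisabled: false, retryShown: false, submitted: null };

  async function talkToDevice() {
    try {
      const assertion = await credentials.get(requestOptions);
      state.submitted = { ok: true, credentialId: assertion.id };
      submitFidoForm(state.submitted);           // success: submit the form as before
    } catch (err) {
      if (err && err.name === "NotAllowedError" && !state.autoSubmitDisabled) {
        // First refusal (no user gesture yet): do NOT submit the failure, because that
        // submission is what lands the user on the failed-login page. Wait for a click.
        state.autoSubmitDisabled = true;
        state.retryShown = true;
        showRetryButton();
        return;
      }
      state.submitted = { ok: false, error: err && err.name ? err.name : String(err) };
      submitFidoForm(state.submitted);           // failure inside a gesture: report it
    }
  }

  return {
    onLoad: talkToDevice,        // what the page's onload handler calls
    onRetryClick: talkToDevice,  // same call, now made inside a user activation
    getState: () => ({ ...state }),
  };
}

// Runs the full sequence against the simulated browser and returns what was observed.
async function runScenario() {
  const credentials = makeWebKitLikeCredentials();
  const posted = [];
  const login = createFidoLogin({
    credentials,
    requestOptions: SAMPLE_REQUEST_OPTIONS,
    submitFidoForm: (payload) => posted.push(payload),
    showRetryButton: () => {},
  });
  await login.onLoad();                                    // page load: no gesture, call refused
  const afterLoad = login.getState();
  await credentials.activate(() => login.onRetryClick());  // user clicks the retry button
  const afterRetry = login.getState();
  return { afterLoad, afterRetry, posted };
}

// In a real page the same controller is wired to the DOM (assumed element id "fidoRetry").
if (typeof document !== "undefined" && typeof navigator !== "undefined" && navigator.credentials) {
  const login = createFidoLogin({
    credentials: navigator.credentials,
    requestOptions: SAMPLE_REQUEST_OPTIONS,  // replace with the server-issued options
    submitFidoForm: (payload) => console.log("would submit", payload),
    showRetryButton: () => { document.getElementById("fidoRetry").hidden = false; },
  });
  window.addEventListener("load", () => login.onLoad());
  document.getElementById("fidoRetry").addEventListener("click", () => login.onRetryClick());
}
```

Run under Node with `runScenario().then(console.log)`: after the load attempt nothing has been posted and the retry button is shown; after the simulated click the assertion is obtained and the form is submitted once. The important design choice is that only the first NotAllowedError is swallowed; an error raised during the click-driven attempt (for example the user cancelling) is still reported to the server, so the fallback does not hide genuine failures.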