
UserPresent flag enforcement

Open explunit opened this issue 2 months ago • 4 comments

I see here that the user present flag is always required: https://github.com/passwordless-lib/fido2-net-lib/blob/v4.0.0/Src/Fido2/AuthenticatorAttestationResponse.cs#L103-L105

But for Apple App Attest attestations, that will not be the case.

Should there be an option to bypass this check?

If I am reading things correctly, the closest current unit test that might encounter this is always using the base _flags value that yields UserPresent = true.

explunit avatar Oct 01 '25 14:10 explunit

But for Apple App Attest attestations, that will not be the case.

Could you please describe more about this flow, I'm not very aware of it.

abergs avatar Oct 04 '25 12:10 abergs

It's this process here: https://developer.apple.com/documentation/devicecheck/validating-apps-that-connect-to-your-server

I'm not an iOS developer, but what I understand from my colleague is that they receive the already-signed webauthn attestation back from Apple and of course do not have the ability to set any flags such as User Present.

If I remove that one check for UP, everything else in MakeNewCredentialAsync works fine for the Apple attestation.

See also some previous discussion here: https://github.com/passwordless-lib/fido2-net-lib/issues/401#issuecomment-1614601623

patches2 avatar Oct 04 '25 12:10 patches2

Aha I see.

Supporting Apple App Attestation outside of fido2 flows was not a use case we planned on supporting. But since the technologies are overlapping, I agree we could tweak it to support it.

Keeping this issue open until that refactor is done.

abergs avatar Oct 06 '25 07:10 abergs

Related PR; its intended use is not quite clear to me: https://github.com/passwordless-lib/fido2-net-lib/pull/322

explunit avatar Oct 08 '25 18:10 explunit