
WebAuthn login fails when validating allowCredentials #18158

@Kehrlann

Description

Describe the bug

When used as a single factor, WebAuthn login works.

Used as a second factor, WebAuthn login fails, because allowCredentials is not null and the sent credentialId does not match the stored allowCredentials. The following error is thrown:

org.springframework.security.authentication.BadCredentialsException: credentialId not listed in allowCredentials is used.
	at org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationProvider.authenticate(WebAuthnAuthenticationProvider.java:80) ~[spring-security-webauthn-7.0.0-RC3.jar:7.0.0-RC3]
	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:183) ~[spring-security-core-7.0.0-RC3.jar:7.0.0-RC3]
	at org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationFilter.attemptAuthentication(WebAuthnAuthenticationFilter.java:121) ~[spring-security-webauthn-7.0.0-RC3.jar:7.0.0-RC3]
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:249) ~[spring-security-web-7.0.0-RC3.jar:7.0.0-RC3]
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:239) ~[spring-security-web-7.0.0-RC3.jar:7.0.0-RC3]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380) ~[spring-security-web-7.0.0-RC3.jar:7.0.0-RC3]
[...]
Caused by: com.webauthn4j.verifier.exception.NotAllowedCredentialIdException: credentialId not listed in allowCredentials is used.
	at com.webauthn4j.verifier.internal.CredentialIdVerifier.verify(CredentialIdVerifier.java:17) ~[webauthn4j-core-0.29.7.RELEASE.jar:na]
	at com.webauthn4j.verifier.AuthenticationDataVerifier.verify(AuthenticationDataVerifier.java:92) ~[webauthn4j-core-0.29.7.RELEASE.jar:na]
	at com.webauthn4j.WebAuthnAuthenticationManager.verify(WebAuthnAuthenticationManager.java:254) ~[webauthn4j-core-0.29.7.RELEASE.jar:na]
	at com.webauthn4j.WebAuthnAuthenticationManager.verify(WebAuthnAuthenticationManager.java:237) ~[webauthn4j-core-0.29.7.RELEASE.jar:na]
	at com.webauthn4j.WebAuthnManager.verify(WebAuthnManager.java:369) ~[webauthn4j-core-0.29.7.RELEASE.jar:na]
	at org.springframework.security.web.webauthn.management.Webauthn4JRelyingPartyOperations.authenticate(Webauthn4JRelyingPartyOperations.java:405) ~[spring-security-webauthn-7.0.0-RC3.jar:7.0.0-RC3]
	at org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationProvider.authenticate(WebAuthnAuthenticationProvider.java:72) ~[spring-security-webauthn-7.0.0-RC3.jar:7.0.0-RC3]
	... 80 common frames omitted

To Reproduce

Use two-factor auth with WebAuthn as the second factor; it does not matter which first factor is used.

Then CredentialRequestOptions.publicKey.allowCredentials is not null; but during WebAuthn validation, the credential's binary id doesn't match the known allowCredentials.
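For readers trying to understand the error, the following plain-Java check is an added illustration of the relying-party rule behind "credentialId not listed in allowCredentials": it is not code from the issue, from Spring Security, or from webauthn4j. The AllowedCredential record is a hypothetical stand-in for a credential descriptor, and the credential id bytes are constructed. The second case in main shows one generic way a binary id can fail to match (the base64url text of the id stored instead of its decoded bytes); the page does not establish that this is the cause of the issue above.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;

/**
 * Stand-alone illustration of the relying-party step that produced the error
 * above: when allowCredentials is present, the credential id asserted by the
 * authenticator must match one of the listed ids byte-for-byte.
 * Constructed example, not Spring Security or webauthn4j code.
 */
public final class AllowCredentialsCheck {

    /** Hypothetical stand-in for a PublicKeyCredentialDescriptor: raw id bytes only. */
    public record AllowedCredential(byte[] id) { }

    /**
     * The rule the error message describes: an absent or empty allowCredentials
     * list permits any registered credential; otherwise the asserted raw id must
     * equal one listed id exactly. Credential ids are not secrets, so a plain
     * Arrays.equals comparison is appropriate here.
     */
    public static boolean isAllowed(byte[] assertedRawId, List<AllowedCredential> allowCredentials) {
        if (allowCredentials == null || allowCredentials.isEmpty()) {
            return true;
        }
        for (AllowedCredential allowed : allowCredentials) {
            if (Arrays.equals(allowed.id(), assertedRawId)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed credential id, as the authenticator returns it in rawId.
        byte[] rawId = new byte[] {(byte) 0xA1, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08};
        // The same id as the browser exposes it in PublicKeyCredential.id (base64url, unpadded).
        String idBase64Url = Base64.getUrlEncoder().withoutPadding().encodeToString(rawId);

        // Case 1: allowCredentials built from the decoded bytes of the stored id.
        List<AllowedCredential> decoded =
                List.of(new AllowedCredential(Base64.getUrlDecoder().decode(idBase64Url)));
        System.out.println("decoded id listed: " + isAllowed(rawId, decoded));

        // Case 2: representation mismatch, the base64url text kept as ASCII bytes
        // instead of being decoded, so it can never equal rawId.
        List<AllowedCredential> textBytes =
                List.of(new AllowedCredential(idBase64Url.getBytes(StandardCharsets.US_ASCII)));
        System.out.println("text bytes listed: " + isAllowed(rawId, textBytes));

        // Case 3: no allowCredentials at all, so the check does not apply.
        System.out.println("no allow list:     " + isAllowed(rawId, List.of()));
    }
}
```

Compile and run with `javac AllowCredentialsCheck.java && java AllowCredentialsCheck` (Java 16 or later for the record). Cases 1 and 3 are accepted; case 2 is rejected, which is the shape of failure reported in this issue: an allow list that is present but whose binary ids do not equal the id the authenticator asserted. When debugging, compare the hex of the asserted rawId against the hex of each stored allowCredentials id rather than their base64url strings, since the two encodings of one id look unrelated.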
