Openbravo Issue Tracking System - Modules |
View Issue Details |
|
ID | Project | Category | View Status | Date Submitted | Last Update |
0055146 | Modules | Web Authentication | public | 2024-04-09 18:14 | 2024-04-15 07:33 |
|
Reporter | caristu | |
Assigned To | caristu | |
Priority | high | Severity | major | Reproducibility | have not tried |
Status | closed | Resolution | fixed | |
Platform | | OS | 5 | OS Version | |
Product Version | | |
Target Version | | Fixed in Version | | |
Merge Request Status | |
Regression date | |
Regression introduced by commit | |
Regression level | |
Review Assigned To | |
Support ticket | |
OBNetwork customer | |
Regression introduced in release | |
|
Summary | 0055146: Avoid showing the user verification prompt in Chrome |
Description | In Chrome the user verification setting is ignored when using discoverable credentials; in that case, even if userVerification="discouraged", a prompt to enter the PIN of the authenticator device is always shown. This has been reported as a bug to Chrome[1].
Until this issue is fixed we should find a workaround to avoid showing that user verification prompt in the approvals flow in order to minimize disruption to the user interaction flow, providing a fast authentication experience.
[1] https://issues.chromium.org/issues/332580481 |
Steps To Reproduce | Using Chrome:
1) Link a supervisor with an authenticator device
2) Execute a user action that requires approval from a supervisor
3) Try to approve the user action with WebAuthn, using the authenticator device of the supervisor configured in step 1). Note that the device PIN prompt is always requested from the user. |
Proposed Solution | |
Additional Information | |
Tags | No tags attached. |
Relationships | related to | defect | 0054752 | | closed | Triage Platform Base | Support authenticating users with Web Authentication (phase 2) |
|
Attached Files | |
|
Issue History |
Date Modified | Username | Field | Change |
2024-04-09 18:14 | caristu | New Issue | |
2024-04-09 18:14 | caristu | Assigned To | => caristu |
2024-04-09 18:14 | caristu | Issue generated from | 0054752 |
2024-04-09 18:14 | caristu | Relationship added | related to 0054752 |
2024-04-09 18:27 | hgbot | Note Added: 0162999 | |
2024-04-09 18:29 | hgbot | Note Added: 0163000 | |
2024-04-15 07:33 | hgbot | Resolution | open => fixed |
2024-04-15 07:33 | hgbot | Status | new => closed |
2024-04-15 07:33 | hgbot | Note Added: 0163164 | |
2024-04-15 07:33 | hgbot | Note Added: 0163165 | |
2024-04-15 07:33 | hgbot | Note Added: 0163166 | |
2024-04-15 07:33 | hgbot | Note Added: 0163167 | |
Notes |
|
(0162999)
|
hgbot
|
2024-04-09 18:27
|
|
|
|
(0163000)
|
hgbot
|
2024-04-09 18:29
|
|
|
|
(0163164)
|
hgbot
|
2024-04-15 07:33
|
|
Directly closing issue as related merge request is already approved.
Repository: https://gitlab.com/openbravo/product/pmods/org.openbravo.authentication.webauthn
Changeset: 2716176cfd839a0413e4e9ba33d53098a2587198
Author: Carlos Aristu <carlos.aristu@openbravo.com>
Date: 15-04-2024 07:30:59
URL: https://gitlab.com/openbravo/product/pmods/org.openbravo.authentication.webauthn/-/commit/2716176cfd839a0413e4e9ba33d53098a2587198
fixes BUG-55146: Avoid showing the user verification prompt in Chrome

Due to a bug in Chrome[1], the user verification (PIN) prompt is
always being displayed, even when the user verification is set as
"discouraged".

As we want to minimize disruption to the user interaction flow,
providing a fast login experience for the approvals, here we are
implementing a workaround to force this prompt not to appear, by using
the allowCredentials (non-discoverable credentials) array with the
credentials of all the supervisors in the options of the credential
request of the authentication ceremony. This makes the user verification
prompt not appear in Chrome during the user authentication.

Note that this workaround has the limitation of not allowing more than
64 supervisor credentials, because that is the limit allowed for the
allowCredentials array. If that limit is reached, then an empty
allowCredentials is passed (discoverable credentials will be used) and
in that case the user verification prompt will appear in Chrome.

Finally, we are also removing the "hybrid" transport option for the
supported transports set, this is because by removing it, another prompt
that allows choosing between available authenticators is displayed by
the browser. Without this option, that prompt is not shown, allowing the
authentication to be as fast as possible.

If in the future it is desired to support the "hybrid" transport which
is used to authenticate with smartphones, the transport must be made a
configurable setting in the Authentication Provider Configuration
window.

[1] https://issues.chromium.org/issues/332580481
---
M src/org/openbravo/authentication/webauthn/WebAuthnHandler.java
M src/org/openbravo/authentication/webauthn/service/WebAuthnAuthenticationService.java
---
|
|
|
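The workaround described in the commit message above, sketched as an added example that is not the code of the referenced changeset: it builds the JSON form of the credential request options, falls back to an empty allowCredentials above 64 credentials, and checks server-side that the asserted credential belongs to a supervisor. The function names, the credential record shape, the rpId and the sample ids are assumptions.

```javascript
// Added example (not Openbravo code): all names here are hypothetical.
const MAX_ALLOW_CREDENTIALS = 64; // allowCredentials limit stated in the commit message

// Build the JSON form of PublicKeyCredentialRequestOptions for an approval.
// supervisorCredentials: [{ id: <base64url credential id>, transports: [...] }]
// (assumption: transports are stored per credential at registration time).
function buildApprovalRequestOptions(challenge, rpId, supervisorCredentials) {
  // One descriptor per credential id, with "hybrid" removed from its transports.
  const byId = new Map();
  for (const cred of supervisorCredentials) {
    const transports = (cred.transports || []).filter((t) => t !== "hybrid");
    byId.set(cred.id, { type: "public-key", id: cred.id, transports });
  }
  // Over the limit: send an empty list, so discoverable credentials are used
  // and Chrome shows the user verification prompt again.
  const allowCredentials =
    byId.size <= MAX_ALLOW_CREDENTIALS ? [...byId.values()] : [];
  return { challenge, rpId, userVerification: "discouraged", allowCredentials };
}

// Server-side check for both paths: the credential id in the assertion must
// belong to a registered supervisor, because an empty allowCredentials lets
// the authenticator answer with any discoverable credential for this rpId.
function isSupervisorCredential(assertionCredentialId, supervisorCredentials) {
  return supervisorCredentials.some((c) => c.id === assertionCredentialId);
}

// Constructed sample data: a short supervisor list (with one duplicate row),
// then 65 credentials to cross the limit.
const fewSupervisors = [
  { id: "c3VwLTE", transports: ["usb", "hybrid"] },
  { id: "c3VwLTI", transports: ["nfc"] },
  { id: "c3VwLTE", transports: ["usb", "hybrid"] },
];
const manySupervisors = Array.from({ length: 65 }, (_, i) => ({
  id: `cred-${i}`,
  transports: ["usb"],
}));

const small = buildApprovalRequestOptions("Y2hhbGxlbmdl", "pos.example.test", fewSupervisors);
const large = buildApprovalRequestOptions("Y2hhbGxlbmdl", "pos.example.test", manySupervisors);
console.log(small.allowCredentials.length, large.allowCredentials.length);
```

With userVerification set to "discouraged" the assertion demonstrates possession of the authenticator only, so the supervisor membership check is what ties an approval to an authorized credential.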
(0163165)
|
hgbot
|
2024-04-15 07:33
|
|
|
|
(0163166)
|
hgbot
|
2024-04-15 07:33
|
|
|
|
(0163167)
|
hgbot
|
2024-04-15 07:33
|
|
|