ID: 0055146
Type: defect
Category: [Modules] Web Authentication
Severity: major
Reproducibility: have not tried
Date Submitted: 2024-04-09 18:14
Last Update: 2024-04-15 07:33
Reporter: caristu
View Status: public
Assigned To: caristu
Priority: high
Resolution: fixed
Status: closed
Projection: none
ETA: none
OS: Any
Database: Any
Summary

0055146: Avoid showing the user verification prompt in Chrome

Description

In Chrome, the user verification setting is ignored when using discoverable credentials: in that case, even if userVerification="discouraged", a prompt to enter the PIN of the authenticator device is always shown. This has been reported as a bug to Chrome[1].

Until this issue is fixed, we should find a workaround to avoid showing that user verification prompt in the approvals flow, in order to minimize disruption to the user interaction flow, providing a fast authentication experience.

[1] https://issues.chromium.org/issues/332580481
Steps To Reproduce

Using Chrome:

1) Link a supervisor with an authenticator device
2) Execute a user action that requires approval from a supervisor
3) Try to approve the user action with WebAuthn, using the authenticator device of the supervisor configured in step 1). Note that the device PIN prompt is always shown to the user.
Tags: No tags attached.

- Relationships
related to: defect 0054752 (closed, Triage Platform Base) Support authenticating users with Web Authentication (phase 2)

-  Notes
(0162999)
hgbot (developer)
2024-04-09 18:27

Merge Request created: https://gitlab.com/openbravo/product/pmods/org.openbravo.authentication.webauthn/-/merge_requests/3
(0163000)
hgbot (developer)
2024-04-09 18:29

Merge Request created: https://gitlab.com/openbravo/product/pmods/org.openbravo.core2/-/merge_requests/1446
(0163164)
hgbot (developer)
2024-04-15 07:33

Directly closing issue as related merge request is already approved.

Repository: https://gitlab.com/openbravo/product/pmods/org.openbravo.authentication.webauthn
Changeset: 2716176cfd839a0413e4e9ba33d53098a2587198
Author: Carlos Aristu <carlos.aristu@openbravo.com>
Date: 15-04-2024 07:30:59
URL: https://gitlab.com/openbravo/product/pmods/org.openbravo.authentication.webauthn/-/commit/2716176cfd839a0413e4e9ba33d53098a2587198

fixes BUG-55146: Avoid showing the user verification prompt in Chrome

  Due to a bug in Chrome[1], the user verification (PIN) prompt is
always being displayed, even when the user verification is set as
"discouraged".

  As we want to minimize disruption to the user interaction flow,
providing a fast login experience for the approvals, here we are
implementing a workaround to force this prompt not to appear, by using
the allowCredentials (non discoverable credentials) array with the
credentials of all the supervisors in the options of the credential
request of the authentication ceremony. This makes the user verification
prompt not appear in Chrome during the user authentication.

  Note that this workaround has the limitation of not allowing more than
64 supervisor credentials, because that is the limit allowed for the
allowCredentials array. If that limit is reached, then an empty
allowCredentials is passed (discoverable credentials will be used) and
in that case the user verification prompt will appear in Chrome.

  Finally, we are also removing the "hybrid" transport option from the
supported transports set; this is because by removing it, another prompt
that allows choosing between available authenticators is displayed by
the browser. Without this option, that prompt is not shown, allowing the
authentication to be as fast as possible.

  If in the future it is desired to support the "hybrid" transport, which
is used to authenticate with smartphones, the transport must be made a
configurable setting in the Authentication Provider Configuration
window.

[1] https://issues.chromium.org/issues/332580481

---
M src/org/openbravo/authentication/webauthn/WebAuthnHandler.java
M src/org/openbravo/authentication/webauthn/service/WebAuthnAuthenticationService.java
---
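
The options construction described in the commit message above, as an added JavaScript (Node) example that is not the project's code: the function names, the remaining transport list, the JSON (base64url string) form of the options and the sample IDs are assumptions. It also shows two relying-party checks that matter once user verification is discouraged: the asserted credential must be on the allow list, and the UV flag in authenticatorData records whether a PIN was actually entered.

```javascript
// Added example, not Openbravo code. All names and sample values are hypothetical.
const MAX_ALLOW_CREDENTIALS = 64; // limit stated in the commit message
// "hybrid" is left out, as in the commit; the remaining transports are an assumption.
const TRANSPORTS = ["usb", "nfc", "ble", "internal"];

// Build the request options (JSON form, ids as base64url strings) for the approvals flow.
function buildApprovalRequestOptions(challenge, rpId, supervisorCredentialIds) {
  const ids = [...new Set(supervisorCredentialIds)]; // drop duplicates before counting
  const fits = ids.length > 0 && ids.length <= MAX_ALLOW_CREDENTIALS;
  return {
    challenge,
    rpId,
    userVerification: "discouraged",
    // Over the limit: empty list, so discoverable credentials are used and
    // Chrome shows the PIN prompt again (the documented fallback).
    allowCredentials: fits
      ? ids.map((id) => ({ type: "public-key", id, transports: [...TRANSPORTS] }))
      : [],
  };
}

// With a non-empty allow list, the credential in the response must be one of its entries.
// An empty list means no restriction here: the server resolves the credential by its id.
function isCredentialAllowed(options, credentialId) {
  if (options.allowCredentials.length === 0) return true;
  return options.allowCredentials.some((c) => c.id === credentialId);
}

// authenticatorData: 32-byte rpIdHash, 1 flags byte, 4-byte signCount (37 bytes minimum).
// Flag bit 0x01 is user present (UP), bit 0x04 is user verified (UV).
function readFlags(authenticatorData) {
  if (authenticatorData.length < 37) throw new RangeError("authenticatorData too short");
  const flags = authenticatorData[32];
  return { userPresent: (flags & 0x01) !== 0, userVerified: (flags & 0x04) !== 0 };
}

// Constructed sample: three supervisor credential ids and a touch-only assertion.
function demo() {
  const options = buildApprovalRequestOptions("constructed-challenge", "example.test",
    ["cred-a", "cred-b", "cred-c"]);
  const authData = new Uint8Array(37);
  authData[32] = 0x01; // UP set, UV clear: the authenticator was touched, no PIN entered
  return { allowed: isCredentialAllowed(options, "cred-b"), ...readFlags(authData) };
}
```

Because the allow list is sent to the browser, every supervisor credential ID becomes visible to whoever starts the approval ceremony.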
(0163165)
hgbot (developer)
2024-04-15 07:33

Merge request merged: https://gitlab.com/openbravo/product/pmods/org.openbravo.authentication.webauthn/-/merge_requests/3
(0163166)
hgbot (developer)
2024-04-15 07:33

Repository: https://gitlab.com/openbravo/product/pmods/org.openbravo.core2
Changeset: 3e76f541173528f98e036e62d7ed63b70c5baf94
Author: Carlos Aristu <carlos.aristu@openbravo.com>
Date: 12-04-2024 12:53:29
URL: https://gitlab.com/openbravo/product/pmods/org.openbravo.core2/-/commit/3e76f541173528f98e036e62d7ed63b70c5baf94

related to ISSUE-55146: Identify the approvals flow

---
M web-jspack/org.openbravo.core2/src/core/security/ApprovalChecker.js
---
(0163167)
hgbot (developer)
2024-04-15 07:33

Merge request merged: https://gitlab.com/openbravo/product/pmods/org.openbravo.core2/-/merge_requests/1446

- Issue History
Date Modified Username Field Change
2024-04-09 18:14 caristu New Issue
2024-04-09 18:14 caristu Assigned To => caristu
2024-04-09 18:14 caristu Issue generated from 0054752
2024-04-09 18:14 caristu Relationship added related to 0054752
2024-04-09 18:27 hgbot Note Added: 0162999
2024-04-09 18:29 hgbot Note Added: 0163000
2024-04-15 07:33 hgbot Resolution open => fixed
2024-04-15 07:33 hgbot Status new => closed
2024-04-15 07:33 hgbot Note Added: 0163164
2024-04-15 07:33 hgbot Note Added: 0163165
2024-04-15 07:33 hgbot Note Added: 0163166
2024-04-15 07:33 hgbot Note Added: 0163167

