Only add the none verifier when attestation conveyance preference is none (or default) #43723

@rmartinc

Description

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

authentication/webauthn

Describe the bug

When attestation conveyance preference is set to direct or indirect we are adding the none verifier (see here). This means that even when we are requesting an attestation, the authenticator can return none and we accept it. It would be better if we simply did not include the none verifier when attestation is configured.

Version

24.0.2

Regression

  • The issue is a regression

Expected behavior

Only when attestation conveyance is none (or default, empty) is the none verifier added and accepted.

Actual behavior

The none verifier is always accepted even when direct attestation is configured.

How to Reproduce?

  1. Start WebAuthn registration with none allowed in the policy.
  2. When the page is presented with 'none' (default), change the policy to 'direct'.
  3. Finish the registration, which returns no attestation.
  4. This is allowed and should be rejected by Keycloak.

Anything else?

No response
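To make the reported check concrete, the following is an added illustration and not Keycloak's code: the set of accepted attestation statement formats is derived from the attestationConveyancePreference in force at verification time, and the "none" format is only accepted when the relying party did not ask for attestation. The attestation object is the CBOR map defined by WebAuthn ("fmt", "attStmt", "authData"); the minimal CBOR decoder, the format list, and the two sample attestation objects (with placeholder authData and a dummy signature) are constructed for this example.

```python
"""Accept the "none" attestation format only when no attestation was requested.

Added example for the issue above, not Keycloak's implementation. The CBOR
decoder is a deliberately small one written for this example: definite-length
items of major types 0-5 only, which is enough to read an attestation object.
"""
from __future__ import annotations

# Formats a relying party is prepared to verify when it asked for attestation.
# This list is an assumption for the example; a real RP lists the verifiers it
# actually implements.
REAL_ATTESTATION_FORMATS = frozenset(
    {"packed", "tpm", "android-key", "android-safetynet", "fido-u2f", "apple"}
)


def accepted_formats(conveyance: str | None) -> frozenset[str]:
    """Formats accepted for a given attestationConveyancePreference.

    The bug in the report: "none" was in this set for every preference.
    Here it is added only for "none" or an unset/empty preference, which
    WebAuthn treats as "none".
    """
    pref = (conveyance or "none").strip().lower()
    if pref in ("", "none"):
        return REAL_ATTESTATION_FORMATS | {"none"}
    if pref in ("indirect", "direct"):
        return REAL_ATTESTATION_FORMATS
    raise ValueError(f"unknown attestationConveyancePreference: {conveyance!r}")


def _read_arg(data: bytes, pos: int) -> tuple[int, int]:
    """Decode the argument of the CBOR initial byte at pos; return (value, new_pos)."""
    info = data[pos] & 0x1F
    pos += 1
    if info < 24:
        return info, pos
    width = {24: 1, 25: 2, 26: 4, 27: 8}.get(info)
    if width is None:
        raise ValueError("indefinite-length or reserved CBOR item not supported")
    return int.from_bytes(data[pos:pos + width], "big"), pos + width


def cbor_decode(data: bytes, pos: int = 0):
    """Decode one CBOR item starting at pos; return (value, new_pos)."""
    major = data[pos] >> 5
    arg, pos = _read_arg(data, pos)
    if major == 0:                       # unsigned integer
        return arg, pos
    if major == 1:                       # negative integer
        return -1 - arg, pos
    if major == 2:                       # byte string
        return data[pos:pos + arg], pos + arg
    if major == 3:                       # text string
        return data[pos:pos + arg].decode("utf-8"), pos + arg
    if major == 4:                       # array
        items = []
        for _ in range(arg):
            item, pos = cbor_decode(data, pos)
            items.append(item)
        return items, pos
    if major == 5:                       # map
        result = {}
        for _ in range(arg):
            key, pos = cbor_decode(data, pos)
            value, pos = cbor_decode(data, pos)
            result[key] = value
        return result, pos
    raise ValueError(f"unsupported CBOR major type {major}")


def attestation_format(attestation_object: bytes) -> str:
    """Return the "fmt" of a WebAuthn attestation object, rejecting malformed input."""
    obj, end = cbor_decode(attestation_object)
    if end != len(attestation_object) or not isinstance(obj, dict):
        raise ValueError("malformed attestation object")
    fmt = obj.get("fmt")
    if not isinstance(fmt, str) or "attStmt" not in obj or "authData" not in obj:
        raise ValueError("attestation object missing fmt/attStmt/authData")
    return fmt


def check_registration(attestation_object: bytes, conveyance: str | None) -> bool:
    """True if the object's format is acceptable for the configured preference."""
    return attestation_format(attestation_object) in accepted_formats(conveyance)


# Constructed samples (not real authenticator output): authData is a 37-byte
# placeholder and the packed "sig" is a dummy byte; only "fmt" is inspected here.
NONE_ATTESTATION_OBJECT = (
    b"\xa3"                                          # map(3)
    + b"\x63fmt" + b"\x64none"                       # "fmt": "none"
    + b"\x67attStmt" + b"\xa0"                       # "attStmt": {}
    + b"\x68authData" + b"\x58\x25" + bytes(37)      # "authData": bstr(37)
)
PACKED_ATTESTATION_OBJECT = (
    b"\xa3"
    + b"\x63fmt" + b"\x66packed"                     # "fmt": "packed"
    + b"\x67attStmt" + b"\xa2"                       # "attStmt": map(2)
    + b"\x63alg" + b"\x26"                           #   "alg": -7 (ES256)
    + b"\x63sig" + b"\x41\x00"                       #   "sig": bstr(1) dummy
    + b"\x68authData" + b"\x58\x25" + bytes(37)
)

if __name__ == "__main__":
    for pref in (None, "none", "indirect", "direct"):
        print(pref, "none ->", check_registration(NONE_ATTESTATION_OBJECT, pref),
              "packed ->", check_registration(PACKED_ATTESTATION_OBJECT, pref))
```

Run as written, the "none" object is accepted only for the unset and "none" preferences and rejected for "indirect" and "direct", which is the expected behavior described in the report; the "packed" object is accepted in every case because the real-format verifiers stay registered regardless of preference.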
