KEYCLOAK-16091: only persist webauthn-authentication count if the authenticator increments it beyond zero
Fixes an issue with Apple Keys stored in the secure enclave. They don's support counters and recommend attestation instead. This is a valid design choice according to the Webauthn-Spec (counters are mentioned as SHOULD)
This commit is contained in:
parent
62e6883524
commit
10f7ea01d4
1 changed files with 9 additions and 4 deletions
|
@ -195,12 +195,17 @@ public class WebAuthnCredentialProvider implements CredentialProvider<WebAuthnCr
|
||||||
|
|
||||||
logger.debugv("response.getAuthenticatorData().getFlags() = {0}", authenticationData.getAuthenticatorData().getFlags());
|
logger.debugv("response.getAuthenticatorData().getFlags() = {0}", authenticationData.getAuthenticatorData().getFlags());
|
||||||
|
|
||||||
// update authenticator counter
|
|
||||||
long count = auth.getCount();
|
|
||||||
CredentialModel credModel = getCredentialStore().getStoredCredentialById(realm, user, auth.getCredentialDBId());
|
CredentialModel credModel = getCredentialStore().getStoredCredentialById(realm, user, auth.getCredentialDBId());
|
||||||
WebAuthnCredentialModel webAuthnCredModel = getCredentialFromModel(credModel);
|
WebAuthnCredentialModel webAuthnCredModel = getCredentialFromModel(credModel);
|
||||||
webAuthnCredModel.updateCounter(count + 1);
|
|
||||||
getCredentialStore().updateCredential(realm, user, webAuthnCredModel);
|
// update authenticator counter
|
||||||
|
// counters are an optional feature of the spec - if an authenticator does not support them, it
|
||||||
|
// will always send zero. MacOS/iOS does this for keys stored in the secure enclave (TouchID/FaceID)
|
||||||
|
long count = auth.getCount();
|
||||||
|
if (count > 0) {
|
||||||
|
webAuthnCredModel.updateCounter(count + 1);
|
||||||
|
getCredentialStore().updateCredential(realm, user, webAuthnCredModel);
|
||||||
|
}
|
||||||
|
|
||||||
logger.debugf("Successfully validated WebAuthn credential for user %s", user.getUsername());
|
logger.debugf("Successfully validated WebAuthn credential for user %s", user.getUsername());
|
||||||
dumpCredentialModel(webAuthnCredModel, auth);
|
dumpCredentialModel(webAuthnCredModel, auth);
|
||||||
|
|
Loading…
Reference in a new issue