From 01fa39767200e5961787d4c5444b218d8f036993 Mon Sep 17 00:00:00 2001
From: Stefan Jacobi
Date: Wed, 10 Apr 2024 15:31:11 +0200
Subject: [PATCH] feat(webauthn): change default attestation mode

Changes the default attestation conveyance preference from 'none' to 'direct' for better AAGUID handling on Windows.

Co-authored-by: Stefan Jacobi
---
 backend/handler/webauthn.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/backend/handler/webauthn.go b/backend/handler/webauthn.go
index ba693835f..2b5cdfe5e 100644
--- a/backend/handler/webauthn.go
+++ b/backend/handler/webauthn.go
@@ -50,7 +50,7 @@ func NewWebauthnHandler(cfg *config.Config, persister persistence.Persister, ses
 RPDisplayName: cfg.Webauthn.RelyingParty.DisplayName,
 RPID: cfg.Webauthn.RelyingParty.Id,
 RPOrigins: cfg.Webauthn.RelyingParty.Origins,
- AttestationPreference: protocol.PreferNoAttestation,
+ AttestationPreference: protocol.PreferDirectAttestation,
 AuthenticatorSelection: protocol.AuthenticatorSelection{
 RequireResidentKey: &f,
 ResidentKey: protocol.ResidentKeyRequirementDiscouraged,
@@ -113,7 +113,7 @@ func (h *WebauthnHandler) BeginRegistration(c echo.Context) error {
 ResidentKey: protocol.ResidentKeyRequirementRequired,
 UserVerification: protocol.UserVerificationRequirement(h.cfg.Webauthn.UserVerification),
 }),
- webauthn.WithConveyancePreference(protocol.PreferNoAttestation),
+ webauthn.WithConveyancePreference(protocol.PreferDirectAttestation),
 // don't set the excludeCredentials list, so an already registered device can be re-registered
 )
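Review bot: `AttestationPreference: protocol.PreferDirectAttestation` is hard-coded here and again in the second hunk (`webauthn.WithConveyancePreference(protocol.PreferDirectAttestation)` in BeginRegistration), with no visible way for a deployment to go back to `none`; a single shared constant or a config setting would keep the two call sites from drifting. With `direct` the relying party receives the authenticator's attestation statement and real AAGUID, which identifies the authenticator model and can trigger an extra browser consent prompt, so the privacy impact deserves a mention in the docs. Nothing in either hunk shows the attestation being validated against trust anchors; if it is not, the AAGUID is self-reported and should only drive display logic, never policy. I would add a comment above both lines such as `// direct attestation is requested only to obtain the AAGUID; the value is not trust-verified`, after confirming that this matches the registration-finish code. Both enclosing functions begin and end outside their hunks.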