Change attestation in PublicKeyCredentialCreationOptions to none

The attestation option in PublicKeyCredentialCreationOptions is a parameter that controls whether to request attestation from the security key. However, Spring Security Passkeys currently doesn't implement attestation verification. Therefore, requesting attestation is unnecessary. Specifying `direct` to request attestation may trigger browsers to display additional privacy related dialog to users, so it is best to avoid specifying `direct` unnecessarily.
2024-12-10 23:25:13 +09:00 · 2024-12-10 23:25:13 +09:00 · d7d5253607
parent 99cc65d74c
commit d7d5253607
4 changed files with 4 additions and 4 deletions
--- a/web/src/main/java/org/springframework/security/web/webauthn/management/Webauthn4JRelyingPartyOperations.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/management/Webauthn4JRelyingPartyOperations.java
@ -183,7 +183,7 @@ public class Webauthn4JRelyingPartyOperations implements WebAuthnRelyingPartyOpe
 		List<CredentialRecord> credentialRecords = this.userCredentials.findByUserId(userEntity.getId());

 		PublicKeyCredentialCreationOptions options = PublicKeyCredentialCreationOptions.builder()
-			.attestation(AttestationConveyancePreference.DIRECT)
+			.attestation(AttestationConveyancePreference.NONE)
 			.pubKeyCredParams(PublicKeyCredentialParameters.EdDSA, PublicKeyCredentialParameters.ES256,
 					PublicKeyCredentialParameters.RS256)
 			.authenticatorSelection(authenticatorSelection)
--- a/web/src/test/java/org/springframework/security/web/webauthn/api/TestPublicKeyCredentialCreationOptions.java
+++ b/web/src/test/java/org/springframework/security/web/webauthn/api/TestPublicKeyCredentialCreationOptions.java
@ -40,7 +40,7 @@ public final class TestPublicKeyCredentialCreationOptions {
 		ImmutableAuthenticationExtensionsClientInputs clientInputs = new ImmutableAuthenticationExtensionsClientInputs(
 				ImmutableAuthenticationExtensionsClientInput.credProps);
 		return PublicKeyCredentialCreationOptions.builder()
-			.attestation(AttestationConveyancePreference.DIRECT)
+			.attestation(AttestationConveyancePreference.NONE)
 			.user(userEntity)
 			.pubKeyCredParams(PublicKeyCredentialParameters.EdDSA, PublicKeyCredentialParameters.ES256,
 					PublicKeyCredentialParameters.RS256)
--- a/web/src/test/java/org/springframework/security/web/webauthn/jackson/JacksonTests.java
+++ b/web/src/test/java/org/springframework/security/web/webauthn/jackson/JacksonTests.java
@ -149,7 +149,7 @@ class JacksonTests {
 	void writePublicKeyCredentialCreationOptions() throws Exception {
 		String expected = """
 				{
-				    "attestation": "direct",
+				    "attestation": "none",
 				    "authenticatorSelection": {
 				        "residentKey": "required"
 				    },
--- a/web/src/test/java/org/springframework/security/web/webauthn/registration/PublicKeyCredentialCreationOptionsFilterTests.java
+++ b/web/src/test/java/org/springframework/security/web/webauthn/registration/PublicKeyCredentialCreationOptionsFilterTests.java
@ -153,7 +153,7 @@ class PublicKeyCredentialCreationOptionsFilterTests {
 									"residentKey": "required",
 									"userVerification": "preferred"
 								},
-								"attestation": "direct",
+								"attestation": "none",
 								"extensions": {
 									"credProps": true
 								}