Fix deserializer for AuthenticationExtensionsClientOutputs #18644

Open
ziqin wants to merge 3 commits into spring-projects:main from ziqin:gh-18643

@ziqin ziqin commented Feb 5, 2026

The deserializer is updated to properly ignore unknown extensions.

This PR fixes gh-18643.
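
Added example, not code from this PR or from Spring Security: one way a streaming Jackson deserializer can skip extension entries it does not recognize, whatever JSON type their value has. It assumes Jackson 2 databind on the classpath; `ExtensionOutputs`, its deserializer and the `example*` keys are hypothetical, and only `credProps`/`rk` come from the WebAuthn specification.

```java
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.DeserializationContext;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.deser.std.StdDeserializer;
import com.fasterxml.jackson.databind.module.SimpleModule;
import java.io.IOException;

public class TolerantExtensionsDemo {

    // Hypothetical stand-in for the parsed outputs; rk stays null when credProps is absent.
    record ExtensionOutputs(Boolean rk) { }

    static class ExtensionOutputsDeserializer extends StdDeserializer<ExtensionOutputs> {

        ExtensionOutputsDeserializer() {
            super(ExtensionOutputs.class);
        }

        @Override
        public ExtensionOutputs deserialize(JsonParser p, DeserializationContext ctxt) throws IOException {
            Boolean rk = null;
            // The parser starts on START_OBJECT; nextFieldName() returns null at END_OBJECT.
            for (String key = p.nextFieldName(); key != null; key = p.nextFieldName()) {
                JsonToken value = p.nextToken();
                if ("credProps".equals(key) && value == JsonToken.START_OBJECT) {
                    for (String f = p.nextFieldName(); f != null; f = p.nextFieldName()) {
                        JsonToken v = p.nextToken();
                        if ("rk".equals(f) && v.isBoolean()) {
                            rk = p.getBooleanValue();
                        } else {
                            p.skipChildren(); // unknown member inside credProps
                        }
                    }
                } else {
                    // Unknown extension: consume its whole value, whatever its JSON type.
                    // skipChildren() jumps to the matching END_* token and is a no-op on scalars.
                    p.skipChildren();
                }
            }
            return new ExtensionOutputs(rk);
        }
    }

    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = new ObjectMapper().registerModule(
                new SimpleModule().addDeserializer(ExtensionOutputs.class, new ExtensionOutputsDeserializer()));
        // Constructed input: a scalar, a nested object and an array under made-up extension names.
        String json = "{\"exampleFlag\":false,\"exampleObj\":{\"a\":{\"b\":[1,2]}},"
                + "\"credProps\":{\"rk\":true,\"other\":{}},\"exampleList\":[{}]}";
        System.out.println(mapper.readValue(json, ExtensionOutputs.class));
    }
}
```

Without the `skipChildren()` call in the unknown-extension branch, the loop would resume inside the skipped value and read its nested members as if they were top-level extensions.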

@jzheaux jzheaux left a comment

Thanks for the PR, @ziqin. I've left some feedback inline. Also, will you please rebase on 7.0.x so folks can get the fix earlier? Finally, please also add to your commit message "Closes gh-18643" as this helps with tracking down changes in the future.

}

@Test
void readAuthenticationExtensionsClientOutputsWhenUnknownExtension() throws Exception {
Contributor

Since it appears that this would pass without your changes, will you please place this in an earlier commit to confirm that your changes don't alter this behavior?

Contributor Author

This test is also intended for identifying the deserialization bug.

According to the results on my machine, it also fails without the fix.

}

@Test
void readAuthenticationExtensionsClientOutputsWhenUnknownExtension() {
Contributor

Since it appears that this would pass without your changes, will you please place this in an earlier commit to confirm that your changes don't alter this behavior?

Contributor Author

This test is also intended for identifying the deserialization bug.

According to the results on my machine, it also fails without the fix.

@jzheaux jzheaux self-assigned this Mar 5, 2026
@jzheaux jzheaux added the type: bug (A general bug) and in: webauthn (WebAuthn and Passkeys) labels and removed the status: waiting-for-triage (An issue we've not yet triaged) label Mar 5, 2026
@jzheaux jzheaux added this to the 7.0.x milestone Mar 5, 2026
@jzheaux jzheaux added the status: waiting-for-feedback (We need additional information before we can continue) label Mar 5, 2026
ziqin added 3 commits March 5, 2026 13:28
Signed-off-by: Ziqin Wang <ziqin@wangziqin.net>
Signed-off-by: Ziqin Wang <ziqin@wangziqin.net>
The deserializer is updated to properly ignore unknown extensions.

This fix addresses the WebAuthn authentication failure that appeared when
using FIDO2 security keys on Safari.

Closes spring-projectsgh-18643

Signed-off-by: Ziqin Wang <ziqin@wangziqin.net>
ziqin commented Mar 5, 2026

Hi, @jzheaux

I have rebased this PR on 7.0.x. The two tests are now placed on earlier commits and the GitHub issue is now mentioned in the fixing commit message.

Thanks for your review.

ziqin commented Mar 5, 2026

I believe that this fix should also be backported to 6.5.x because the deserialization bug also exists there, although it may not cause an immediate WebAuthn authentication failure.

@ziqin ziqin requested a review from jzheaux March 5, 2026 06:50
@spring-projects-issues spring-projects-issues added the status: feedback-provided (Feedback has been provided) label and removed the status: waiting-for-feedback (We need additional information before we can continue) label Mar 5, 2026
@jzheaux jzheaux modified the milestones: 7.0.x, 6.5.x Mar 10, 2026
@jzheaux jzheaux removed the status: feedback-provided (Feedback has been provided) label Mar 10, 2026
Labels

in: webauthn (WebAuthn and Passkeys), type: bug (A general bug)

Development

Successfully merging this pull request may close these issues.

Jackson deserialization error causes WebAuthn authentication failure when using FIDO2 security keys on Safari