
Bug? Spring Security WebAuthn authentication saves anonymousUser in PublicKeyCredentialUserEntityRepository #16385

Open
justincranford opened this issue Jan 9, 2025 · 1 comment
Labels
status: waiting-for-triage An issue we've not yet triaged type: bug A general bug

Comments


justincranford commented Jan 9, 2025

Asked in Stack Overflow a week ago.

https://stackoverflow.com/questions/79322876/why-does-spring-security-webauthn-authentication-save-anonymoususer-in-publick

Minimum Viable Example with Steps to Reproduce

I included a Minimum Reproducible Example with Steps in the Stack Overflow post.

App in GitHub: https://github.com/justincranford/spring-security-webauthn-demo

Spring versions used:

  • Spring Boot 3.4.1
  • Spring Security 6.4.1

Expected behavior

Expected behavior is anonymousUser should not be persisted in PublicKeyCredentialUserEntityRepository.java.

Said another way, expectation is WebAuthn functionality should only ever persist UserEntity and Credential, for authenticated users.

However, I see anonymousUser is persisted during WebAuthn Authentication. That seems like a bug.

Or, if there is a valid reason for persisting anonymousUser, I would like to understand the design intent, so I can handle it securely and correctly.

Logs

Logs from my wrapper of MapPublicKeyCredentialUserEntityRepository.java, to highlight what I see during WebAuthn Register and WebAuthn Authenticate.

WebAuthn Register

Notice user u was not found, then saved, then it was looked up again and found.

findByUsername failed, name: u

save, id: Bytes[nF5bm4qc-cztclmzyi-vbvz7ruzS7VOULT8aS9C0kWw], name: u, displayName: u

findByUsername succeeded, name: u, id: Bytes[nF5bm4qc-cztclmzyi-vbvz7ruzS7VOULT8aS9C0kWw], displayName: u

Assumes user logged in at https://localhost:8443/ of my sample app with username=u and password=p, before attempting WebAuthn Register.

WebAuthn Authenticate

Notice user anonymousUser was not found, then saved, and then user u was looked up and found. User u is the correct user saved during WebAuthn Register. I think the saving of anonymousUser is likely a bug.

findByUsername failed, name: anonymousUser

save, id: Bytes[fL8lr_HE0Yfe5DgPYAXOJfcj4OQdWRT8GhNwjHYvnQA], name: anonymousUser, displayName: anonymousUser

findById succeeded, id: Bytes[nF5bm4qc-cztclmzyi-vbvz7ruzS7VOULT8aS9C0kWw], name: u, displayName: u

Assumes user logged out before attempting WebAuthn Authenticate at https://localhost:8443/ of my sample app.

@justincranford justincranford added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Jan 9, 2025
@justincranford justincranford changed the title Why does Spring Security WebAuthn authentication save anonymousUser in PublicKeyCredentialUserEntityRepository? Bug? Spring Security WebAuthn authentication saves anonymousUser in PublicKeyCredentialUserEntityRepository Jan 9, 2025
@Kehrlann
Contributor

Kehrlann commented Jan 9, 2025

Hey @justincranford, thanks for reaching out!

This is a known issue. We have merged the first milestone of passkey support, but there are still some rough edges.

In this specific case, see

// FIXME: do not load credentialRecords if anonymous
PublicKeyCredentialUserEntity userEntity = findUserEntityOrCreateAndSave(authentication.getName());

If you'd like to submit a PR, please let me know. Otherwise, it's on my todo list and I'll eventually get to it.
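Until the FIXME above is resolved, one defensive workaround is a delegating repository that drops the save when the current Authentication is anonymous: the request-options flow still gets a transient entity back, but no anonymousUser row is persisted. This is an added example, not code from the issue or from Spring Security; the package names are what I recall from Spring Security 6.4, and the class name and logger are assumptions.

```java
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.webauthn.api.Bytes;
import org.springframework.security.web.webauthn.api.PublicKeyCredentialUserEntity;
import org.springframework.security.web.webauthn.management.PublicKeyCredentialUserEntityRepository;

/** Hypothetical wrapper: persists user entities only for non-anonymous principals. */
public final class NonAnonymousUserEntityRepository implements PublicKeyCredentialUserEntityRepository {

    private static final Logger log = LoggerFactory.getLogger(NonAnonymousUserEntityRepository.class);

    private final PublicKeyCredentialUserEntityRepository delegate;
    private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();

    public NonAnonymousUserEntityRepository(PublicKeyCredentialUserEntityRepository delegate) {
        this.delegate = delegate;
    }

    @Override
    public PublicKeyCredentialUserEntity findById(Bytes id) {
        return delegate.findById(id);
    }

    @Override
    public PublicKeyCredentialUserEntity findByUsername(String username) {
        return delegate.findByUsername(username);
    }

    @Override
    public void save(PublicKeyCredentialUserEntity userEntity) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // Skip, rather than fail: createCredentialRequestOptions still receives the
        // in-memory entity (with no credentials) so passkey login for a logged-out
        // browser keeps working, but nothing is written for the anonymous principal.
        if (auth == null || trustResolver.isAnonymous(auth)) {
            log.warn("skipping persist of user entity for anonymous principal, name: {}", userEntity.getName());
            return;
        }
        delegate.save(userEntity);
    }

    @Override
    public void delete(Bytes id) {
        delegate.delete(id);
    }
}
```

Register the wrapper as the PublicKeyCredentialUserEntityRepository bean around your real store; the warning line also gives you a detection signal for any other code path that tries the same save.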
