WebAuthn 2FA not working on Safari 14 #9601

New Issue

Open

opened 2025-11-02 08:44:09 -06:00 by GiteaMirror · 3 comments

GiteaMirror commented 2025-11-02 08:44:09 -06:00

Owner

Copy Link

Originally created by @jabberabbe on GitHub (Sep 22, 2022).

Description

Hi, I can successfully register a FIDO2 token (a YubiKey) after registration on Gitea, but I am unable to use it as a second factor for subsequent login attempts when I use Safari.

Safari requires the WebAuthn API (or at least the navigation.credentials.create function) to be called from a user gesture handler. This is explained well in the YubiKey support page and on this official WebKit blog post (see the "Propagating User Gestures" section). Apparently Gitea calls the WebAuthn JS API as soon as the /user/webauthn page is loaded. No user gesture is detected and therefore Safari rejects the request.

Moreover, when the This request has been cancelled by the user. alert is shown, the user has the option to reload the page, but the problem happens again. If the user presses 'Cancel', there is no button in the page to restart the WebAuthn API flow. Adding this simple button could solve the issue.

Screenshots

Error in the user page:

Safari developer tools Console:

Page when the alert is closed, without any button to restart the WebAuthn login process:

Gitea Version

1.17.2

Can you reproduce the bug on the Gitea demo site?

Yes

Operating System

macOS Big Sur 11.4

Browser Version

Safari 14.1.1

Originally created by @jabberabbe on GitHub (Sep 22, 2022). ### Description Hi, I can successfully register a FIDO2 token (a YubiKey) after registration on Gitea, but I am unable to use it as a second factor for subsequent login attempts when I use Safari. Safari requires the WebAuthn API (or at least the `navigation.credentials.create` function) to be called from a user gesture handler. This is explained well in the [YubiKey support page](https://support.yubico.com/hc/en-us/articles/360022004600-No-reaction-when-using-WebAuthn-on-macOS-iOS-and-iPadOS) and on [this official WebKit blog post](https://webkit.org/blog/11312/meet-face-id-and-touch-id-for-the-web/) (see the "Propagating User Gestures" section). Apparently Gitea calls the WebAuthn JS API as soon as the `/user/webauthn` page is loaded. No user gesture is detected and therefore Safari rejects the request. Moreover, when the `This request has been cancelled by the user.` alert is shown, the user has the option to reload the page, but the problem happens again. If the user presses 'Cancel', there is no button in the page to restart the WebAuthn API flow. Adding this simple button could solve the issue. ### Screenshots Error in the user page:  Safari developer tools Console: <img width="1323" alt="image" src="https://user-images.githubusercontent.com/12698563/191713239-ce1f1338-453d-4927-bbdb-e482faec2225.png"> Page when the alert is closed, without any button to restart the WebAuthn login process: <img width="835" alt="image" src="https://user-images.githubusercontent.com/12698563/191715967-4bce7366-e835-4328-9efd-c613394d2638.png"> ### Gitea Version 1.17.2 ### Can you reproduce the bug on the Gitea demo site? Yes ### Operating System macOS Big Sur 11.4 ### Browser Version Safari 14.1.1

GiteaMirror added the topic/uitype/bug labels 2025-11-02 08:44:09 -06:00

GiteaMirror commented 2025-11-02 08:44:10 -06:00

Author

Owner

Copy Link

@m42e commented on GitHub (Oct 23, 2022):

I tried this, too. On Mac it offers the possibility to use the fingerprint as a security key, too. This works fine for me.
I checked the requests and it turned out that the attestationObject is much longer in case of the yubikey. I haven't digged into it, but may this be an issue?

EDIT: Doesn't seem so, the data firefox sends is as long as the one safari sends. the content however differs.

@m42e commented on GitHub (Oct 23, 2022): I tried this, too. On Mac it offers the possibility to use the fingerprint as a security key, too. This works fine for me. I checked the requests and it turned out that the `attestationObject` is much longer in case of the yubikey. I haven't digged into it, but may this be an issue? **EDIT**: Doesn't seem so, the data firefox sends is as long as the one safari sends. the content however differs.

GiteaMirror commented 2025-11-02 08:44:10 -06:00

Author

Owner

Copy Link

@lunny commented on GitHub (Mar 8, 2023):

Is this still a problem in v1.18 ?

@lunny commented on GitHub (Mar 8, 2023): Is this still a problem in v1.18 ?

GiteaMirror commented 2025-11-02 08:44:10 -06:00

Author

Owner

Copy Link

@wxiaoguang commented on GitHub (Mar 8, 2023):

I guess Apple has changed the behavior again, my old Safari can reproduce this issue, but my new Safari could work well.

@wxiaoguang commented on GitHub (Mar 8, 2023): I guess Apple has changed the behavior again, my old Safari can reproduce this issue, but my new Safari could work well.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

release/v1.25

release/v1.24

release/v1.23

release/v1.22

release/v1.21

release/v1.20

release/v1.19

release/v1.18

release/v1.17

release/v1.16

release/v1.15

release/v1.14

release/v1.13

release/v1.12

release/v1.11

release/v1.10

release/v1.9

release/v1.8

v1.25.3

v1.25.2

v1.25.1

v1.25.0

v1.24.7

v1.25.0-rc0

v1.26.0-dev

v1.24.6

v1.24.5

v1.24.4

v1.24.3

v1.24.2

v1.24.1

v1.24.0

v1.23.8

v1.24.0-rc0

v1.25.0-dev

v1.23.7

v1.23.6

v1.23.5

v1.23.4

v1.23.3

v1.23.2

v1.23.1

v1.23.0

v1.23.0-rc0

v1.24.0-dev

v1.22.6

v1.22.5

v1.22.4

v1.22.3

v1.22.2

v1.22.1

v1.22.0

v1.23.0-dev

v1.22.0-rc1

v1.21.11

v1.22.0-rc0

v1.21.10

v1.21.9

v1.21.8

v1.21.7

v1.21.6

v1.21.5

v1.21.4

v1.21.3

v1.21.2

v1.20.6

v1.21.1

v1.21.0

v1.21.0-rc2

v1.21.0-rc1

v1.20.5

v1.22.0-dev

v1.21.0-rc0

v1.20.4

v1.20.3

v1.20.2

v1.20.1

v1.20.0

v1.19.4

v1.21.0-dev

v1.20.0-rc2

v1.20.0-rc1

v1.20.0-rc0

v1.19.3

v1.19.2

v1.19.1

v1.19.0

v1.19.0-rc1

v1.20.0-dev

v1.19.0-rc0

v1.18.5

v1.18.4

v1.18.3

v1.18.2

v1.18.1

v1.18.0

v1.17.4

v1.18.0-rc1

v1.19.0-dev

v1.18.0-rc0

v1.17.3

v1.17.2

v1.17.1

v1.17.0

v1.17.0-rc2

v1.16.9

v1.17.0-rc1

v1.18.0-dev

v1.16.8

v1.16.7

v1.16.6

v1.16.5

v1.16.4

v1.16.3

v1.16.2

v1.16.1

v1.16.0

v1.15.11

v1.17.0-dev

v1.16.0-rc1

v1.15.10

v1.15.9

v1.15.8

v1.15.7

v1.15.6

v1.15.5

v1.15.4

v1.15.3

v1.15.2

v1.15.1

v1.14.7

v1.15.0

v1.15.0-rc3

v1.14.6

v1.15.0-rc2

v1.14.5

v1.16.0-dev

v1.15.0-rc1

v1.14.4

v1.14.3

v1.14.2

v1.14.1

v1.14.0

v1.13.7

v1.14.0-rc2

v1.13.6

v1.13.5

v1.14.0-rc1

v1.15.0-dev

v1.13.4

v1.13.3

v1.13.2

v1.13.1

v1.13.0

v1.12.6

v1.13.0-rc2

v1.14.0-dev

v1.13.0-rc1

v1.12.5

v1.12.4

v1.12.3

v1.12.2

v1.12.1

v1.11.8

v1.12.0

v1.11.7

v1.12.0-rc2

v1.11.6

v1.12.0-rc1

v1.13.0-dev

v1.11.5

v1.11.4

v1.11.3

v1.10.6

v1.12.0-dev

v1.11.2

v1.10.5

v1.11.1

v1.10.4

v1.11.0

v1.11.0-rc2

v1.10.3

v1.11.0-rc1

v1.10.2

v1.10.1

v1.10.0

v1.9.6

v1.9.5

v1.10.0-rc2

v1.11.0-dev

v1.10.0-rc1

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.9.0-rc2

v1.10.0-dev

v1.9.0-rc1

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.8.0-rc3

v1.7.6

v1.8.0-rc2

v1.7.5

v1.8.0-rc1

v1.9.0-dev

v1.7.4

v1.7.3

v1.7.2

v1.7.1

v1.7.0

v1.7.0-rc3

v1.6.4

v1.7.0-rc2

v1.6.3

v1.7.0-rc1

v1.7.0-dev

v1.6.2

v1.6.1

v1.6.0

v1.6.0-rc2

v1.5.3

v1.6.0-rc1

v1.6.0-dev

v1.5.2

v1.5.1

v1.5.0

v1.5.0-rc2

v1.5.0-rc1

v1.5.0-dev

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.4.0-rc3

v1.4.0-rc2

v1.3.3

v1.4.0-rc1

v1.3.2

v1.3.1

v1.3.0

v1.3.0-rc2

v1.3.0-rc1

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.2.0-rc3

v1.2.0-rc2

v1.1.4

v1.2.0-rc1

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.2

v1.0.1

v1.0.0

v0.9.99

Labels

Clear labels

$20

$250

$50

$500

backport/done

💎 Bounty

docs-update-needed

good first issue

hacktoberfest

issue/bounty

issue/confirmed

issue/critical

issue/duplicate

issue/needs-feedback

issue/not-a-bug

issue/regression

issue/stale

issue/workaround

lgtm/need 2

modifies/api

modifies/translation

outdated/backport/v1.18

outdated/theme/markdown

outdated/theme/timetracker

performance/bigrepo

performance/cpu

performance/memory

performance/speed

pr/breaking

proposal/accepted

proposal/rejected

pr/wip

pull-request

Mirrored from GitHub Pull Request

reviewed/wontfix

💰 Rewarded

skip-changelog

status/blocked

topic/accessibility

topic/api

topic/authentication

topic/build

topic/code-linting

topic/commit-signing

topic/content-rendering

topic/deployment

topic/distribution

topic/federation

topic/gitea-actions

topic/issues

topic/lfs

topic/mobile

topic/moderation

topic/packages

topic/pr

topic/projects

topic/repo

topic/repo-migration

topic/security

topic/theme

topic/ui

topic/ui-interaction

topic/ux

topic/webhooks

topic/wiki

type/bug

type/deprecation

type/docs

type/enhancement

type/feature

type/miscellaneous

type/proposal

type/question

type/refactoring

type/summary

type/testing

type/upstream

No Label topic/ui type/bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/gitea#9601