WebAuthn fails on Android despite success in backend
Summary
WebAuthn fails on Android despite success in backend.
In Firefox it shows UnknownError in the end; in Chrome it shows NotAllowedError.
Steps to reproduce
Example Project
Can be reproduced using https://gitlab.com/.
What is the current bug behavior?
It shows 'We heard back from your device. You have been authenticated.' for a split second, then immediately triggers a new WebAuthn process.
If I keep retrying as prompted, it continues to fail until the account is locked; if I swipe back, it shows UnknownError (Firefox) or NotAllowedError (Chrome).
What is the expected correct behavior?
Logs in normally like it does on desktop.
Relevant logs and/or screenshots
Chrome screen record: https://www.dropbox.com/s/09c0pic7wf67uee/GitLab%20WebAuthn%20Chrome.mp4?dl=0
Firefox screen record: https://www.dropbox.com/s/ih65nstl32m2qzt/GitLab%20WebAuthn%20Firefox.mp4?dl=0
I can reproduce this problem on my own instance as well, so here are the logs I found in the backend:
gitlab-rails/production.log
Rendered layout layouts/devise.html.haml (Duration: 29.5ms | Allocations: 6480)
Filter chain halted as :authenticate_with_two_factor rendered or redirected
Completed 200 OK in 77ms (Views: 29.5ms | ActiveRecord: 11.2ms | Elasticsearch: 0.0ms | Allocations: 14482)
gitlab-rails/production_json.log
{
  "method": "POST",
  "path": "/users/sign_in",
  "format": "html",
  "controller": "SessionsController",
  "action": "create",
  "status": 200,
  "time": "2022-02-08T14:00:59.047Z",
  "params": [
    {
      "key": "authenticity_token",
      "value": "[FILTERED]"
    },
    {
      "key": "user",
      "value": {
        "remember_me": "1",
        "device_response": "{\"type\":\"public-key\",\"id\":\"redacted\",\"rawId\":\"redacted\",\"response\":{\"clientDataJSON\":\"redacted\",\"authenticatorData\":\"redacted\",\"signature\":\"redacted\",\"userHandle\":\"\"},\"clientExtensionResults\":{}}"
      }
    }
  ],
  "remote_ip": "x.x.x.x",
  "ua": "Mozilla/5.0 (Android 12; Mobile; rv:96.0) Gecko/96.0 Firefox/96.0",
  "request_urgency": "default",
  "target_duration_s": 1,
  "cf_ray": "xxxx",
  "redis_calls": 5,
  "redis_duration_s": 0.002382,
  "redis_read_bytes": 1530,
  "redis_write_bytes": 332,
  "redis_cache_calls": 4,
  "redis_cache_duration_s": 0.001703,
  "redis_cache_read_bytes": 807,
  "redis_cache_write_bytes": 247,
  "redis_sessions_calls": 1,
  "redis_sessions_duration_s": 0.000679,
  "redis_sessions_read_bytes": 723,
  "redis_sessions_write_bytes": 85,
  "db_count": 15,
  "db_write_count": 3,
  "db_cached_count": 2,
  "db_replica_count": 0,
  "db_primary_count": 15,
  "db_replica_cached_count": 0,
  "db_primary_cached_count": 2,
  "db_replica_wal_count": 0,
  "db_primary_wal_count": 0,
  "db_replica_wal_cached_count": 0,
  "db_primary_wal_cached_count": 0,
  "db_replica_duration_s": 0,
  "db_primary_duration_s": 0.012,
  "cpu_s": 0.077378,
  "mem_objects": 18849,
  "mem_bytes": 1246552,
  "mem_mallocs": 3936,
  "mem_total_bytes": 2000512,
  "pid": 552,
  "correlation_id": "xxxx",
  "db_duration_s": 0.01125,
  "view_duration_s": 0.02946,
  "duration_s": 0.07724
}
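The log entry above is the one piece of hard evidence in this report: the assertion reached the backend as a `user[device_response]` parameter, and the request finished with `200` plus "Filter chain halted as :authenticate_with_two_factor rendered or redirected", i.e. the 2FA page was rendered again rather than the user being redirected into a session. An instance admin triaging the same symptom would want to pull exactly those entries out of `production_json.log` and count how many times a given client got re-prompted before the lockout. The following triage script is an added example, not GitLab's code. It assumes that a successful WebAuthn sign-in redirects (status `302`) while a re-prompt renders with `200`, which is an assumption drawn from the `production.log` line quoted above, and the log lines embedded in it are constructed to match the shape of the entry in the report (redacted values kept, most timing fields dropped).

```python
import json
from collections import Counter
from typing import Dict, Iterable, Iterator, List, Optional

# Constructed sample lines in the shape of gitlab-rails/production_json.log.
# Lines 1-2: the Android/Firefox attempt from the report, repeated once as the
# reporter describes ("keep retrying"). Line 3: a constructed desktop attempt
# that redirected (assumed to be what success looks like). Line 4: an unrelated GET.
SAMPLE_LOG = r'''
{"method":"POST","path":"/users/sign_in","format":"html","controller":"SessionsController","action":"create","status":200,"time":"2022-02-08T14:00:59.047Z","params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"user","value":{"remember_me":"1","device_response":"{\"type\":\"public-key\",\"id\":\"redacted\",\"rawId\":\"redacted\",\"response\":{\"clientDataJSON\":\"redacted\",\"authenticatorData\":\"redacted\",\"signature\":\"redacted\",\"userHandle\":\"\"},\"clientExtensionResults\":{}}"}}],"remote_ip":"x.x.x.x","ua":"Mozilla/5.0 (Android 12; Mobile; rv:96.0) Gecko/96.0 Firefox/96.0","correlation_id":"xxxx"}
{"method":"POST","path":"/users/sign_in","format":"html","controller":"SessionsController","action":"create","status":200,"time":"2022-02-08T14:01:07.512Z","params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"user","value":{"remember_me":"1","device_response":"{\"type\":\"public-key\",\"id\":\"redacted\",\"rawId\":\"redacted\",\"response\":{\"clientDataJSON\":\"redacted\",\"authenticatorData\":\"redacted\",\"signature\":\"redacted\",\"userHandle\":\"\"},\"clientExtensionResults\":{}}"}}],"remote_ip":"x.x.x.x","ua":"Mozilla/5.0 (Android 12; Mobile; rv:96.0) Gecko/96.0 Firefox/96.0","correlation_id":"xxxy"}
{"method":"POST","path":"/users/sign_in","format":"html","controller":"SessionsController","action":"create","status":302,"time":"2022-02-08T14:05:10.000Z","params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"user","value":{"remember_me":"1","device_response":"{\"type\":\"public-key\",\"id\":\"redacted\",\"rawId\":\"redacted\",\"response\":{\"clientDataJSON\":\"redacted\",\"authenticatorData\":\"redacted\",\"signature\":\"redacted\",\"userHandle\":\"\"},\"clientExtensionResults\":{}}"}}],"remote_ip":"x.x.x.x","ua":"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0","correlation_id":"yyyy"}
{"method":"GET","path":"/users/sign_in","format":"html","controller":"SessionsController","action":"new","status":200,"time":"2022-02-08T14:00:50.000Z","params":[],"remote_ip":"x.x.x.x","ua":"curl/7.81.0","correlation_id":"zzzz"}
'''

SIGN_IN_PATH = "/users/sign_in"


def param(entry: dict, key: str) -> Optional[object]:
    """Return the value of a named request param from the entry's params list."""
    for p in entry.get("params", []):
        if p.get("key") == key:
            return p.get("value")
    return None


def webauthn_attempts(lines: Iterable[str]) -> Iterator[Dict[str, object]]:
    """Yield one record per POST /users/sign_in that carried a WebAuthn assertion.

    device_response is a JSON document nested inside the JSON log line, so it is
    decoded a second time to inspect the assertion's shape.
    """
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        entry = json.loads(raw)
        if entry.get("method") != "POST" or entry.get("path") != SIGN_IN_PATH:
            continue
        user = param(entry, "user")
        if not isinstance(user, dict) or "device_response" not in user:
            continue
        assertion = json.loads(user["device_response"])
        response = assertion.get("response", {})
        yield {
            "time": entry.get("time"),
            "status": entry.get("status"),
            "remote_ip": entry.get("remote_ip"),
            "ua": entry.get("ua", ""),
            "correlation_id": entry.get("correlation_id"),
            "type": assertion.get("type"),
            # Assumption: 200 means the 2FA page was rendered again (re-prompt);
            # a redirect (302) is taken as the successful sign-in.
            "reprompted": entry.get("status") == 200,
            # The report's assertion has an empty userHandle; record that so it
            # can be correlated with the failing client.
            "empty_user_handle": response.get("userHandle", "") == "",
        }


def reprompt_streaks(attempts: Iterable[Dict[str, object]]) -> Counter:
    """Count re-prompted assertions per (remote_ip, ua); a lockout loop shows as a high count."""
    return Counter(
        (a["remote_ip"], a["ua"]) for a in attempts if a["reprompted"]
    )


def triage(lines: Iterable[str]) -> Dict[str, object]:
    """Summarise WebAuthn sign-in attempts found in the given log lines."""
    attempts: List[Dict[str, object]] = list(webauthn_attempts(lines))
    reprompted = [a for a in attempts if a["reprompted"]]
    return {
        "attempts": len(attempts),
        "reprompted": reprompted,
        "streaks": reprompt_streaks(attempts),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    print(f"{result['attempts']} WebAuthn attempts, {len(result['reprompted'])} re-prompted")
    for (ip, ua), n in result["streaks"].most_common():
        print(f"  {n}x re-prompt from {ip} [{ua}]")
```

Run it against a real `production_json.log` with `triage(open(path))`; the `streaks` counter is the quick way to see whether the failures cluster on one user agent, as they do in the report, before digging into the assertion itself.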
Output of checks
Results of GitLab environment info
N/A. Reproduced on gitlab.com.
Results of GitLab application Check
N/A. Reproduced on gitlab.com.