Skip to content

Make acceptable AAGUID ckeck in WebAuthn stricter (26.6)#48513

Merged
stianst merged 3 commits into
keycloak:release/26.6from
rmartinc:backport-48404-26.6
Apr 28, 2026
Merged

Make acceptable AAGUID ckeck in WebAuthn stricter (26.6)#48513
stianst merged 3 commits into
keycloak:release/26.6from
rmartinc:backport-48404-26.6

Conversation

@rmartinc

@rmartinc rmartinc commented Apr 27, 2026

Copy link
Copy Markdown
Contributor

Closes #48388

PR: #48404
Commit: e03bc86
PR branch: backport-48404-26.6
Target branch: https://github.com/keycloak/keycloak/tree/release/26.6

rmartinc added 3 commits April 27, 2026 15:56
@rmartinc
Make acceptable AAGUID ckeck in WebAuthn stricter
0e9cb7a 
Closes keycloak#48388

Signed-off-by: rmartinc <rmartinc@redhat.com>
@rmartinc
Check Acceptable AAGUIDs sets a attestation preference different to N…
686ec4e 
…one in admin console

Closes keycloak#48388

Signed-off-by: rmartinc <rmartinc@redhat.com>
@rmartinc
Changes for rebase and review.
8dece7b 
Closes keycloak#48388

Signed-off-by: rmartinc <rmartinc@redhat.com>
@rmartinc rmartinc requested review from a team as code owners April 27, 2026 15:18
@mabartos mabartos linked an issue Apr 27, 2026 that may be closed by this pull request
[CVE-2026-6856] Acceptable AAGUID policy bypass via packed self-attestation in WebAuthn registration #48388
Closed
keycloak-github-bot[bot]
keycloak-github-bot Bot reviewed Apr 27, 2026
View reviewed changes

@keycloak-github-bot keycloak-github-bot Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unreported flaky test detected, please review

@keycloak-github-bot

keycloak-github-bot Bot commented Apr 27, 2026

Copy link
Copy Markdown

Unreported flaky test detected

If the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR.

org.keycloak.testsuite.forms.AuthenticatorSubflowsTest2#testSubflow2

Keycloak CI - Forms IT (chrome)

java.lang.AssertionError: Expected AppPage but was PushTheButton (https://localhost:8543/auth/realms/test/login-actions/authenticate?execution=4d68e557-15f9-492a-89f0-f094380fd9e3&client_id=test-app&tab_id=LOZZRK24aNw&client_data=eyJydSI6Imh0dHBzOi8vbG9jYWxob3N0Ojg1NDMvYXV0aC9yZWFsbXMvbWFzdGVyL2FwcC9hdXRoIiwicnQiOiJjb2RlIn0)
	at org.junit.Assert.fail(Assert.java:89)
	at org.junit.Assert.assertTrue(Assert.java:42)
	at org.keycloak.testsuite.pages.AbstractPage.assertCurrent(AbstractPage.java:39)
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
...

Report flaky test

@stianst stianst merged commit 368eb80 into keycloak:release/26.6 Apr 28, 2026
79 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@stianst stianst stianst approved these changes

@mabartos mabartos mabartos approved these changes

+1 more reviewer

@keycloak-github-bot keycloak-github-bot[bot] keycloak-github-bot[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

flaky-test team/cloud-native team/core-clients team/core-iam team/ui

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[CVE-2026-6856] Acceptable AAGUID policy bypass via packed self-attestation in WebAuthn registration

3 participants

@rmartinc @stianst @mabartos