Inconsistent Encoding Of WebAuthn `rawId`

by ADMIN

Introduction

WebAuthn is the W3C standard behind passkey and security-key authentication on the web. The PublicKeyCredential a browser hands back carries the credential ID twice: `rawId` as raw bytes (an ArrayBuffer) and `id` as the base64url encoding of those same bytes, without padding. When a client serializes the credential to JSON it has to choose an encoding for `rawId`, and the Bitwarden client has been observed to choose a different one depending on which request it is building. This article walks through how to reproduce the inconsistency and what the expected and actual results are.

Steps To Reproduce

To reproduce this issue, follow these steps:

  1. Add a passkey without vault encryption: in the Bitwarden client, create a new passkey with the vault-encryption option left off. Capture the JSON body of the POST request to /api/webauthn.
  2. Compare id and rawId: the two fields differ even though they carry the same credential ID. id is base64url-encoded without padding, as the WebAuthn specification defines it, while rawId is standard base64 (the `+` and `/` alphabet, padded with `=`).
  3. Add vault encryption ability to the passkey: enable vault encryption for the same passkey and capture the JSON body of the PUT request to /api/webauthn.
  4. Compare again: in the PUT body rawId is base64url-encoded and matches id.

Expected Result

rawId should be serialized with the same encoding as id: base64url without padding, which is what the WebAuthn specification uses for id and what the client already uses for rawId in the PUT request and the login request. Any single encoding applied consistently across all requests would be an improvement; a different encoding in the POST request alone is the defect.

Actual Result

In the POST request to /api/webauthn, rawId is standard base64 (with `+`, `/` and `=` padding). The PUT request and the login request encode the same field as base64url, so a server-side decoder that is strict about the base64url alphabet will accept the value from one request and reject it from the other.
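The following is an added example, not Bitwarden code, that reproduces the difference between the two encodings from the steps above and implements the check the Expected Result describes: serialize a credential ID as base64 (the POST behaviour) and as base64url without padding (the PUT/login behaviour), then verify that id and rawId decode to the same bytes. The credential ID bytes are constructed here so that standard base64 contains `+`, `/` and padding; the body field names beyond id, rawId and type are illustrative and not Bitwarden's API schema.

```javascript
// Standard base64 (RFC 4648 section 4): '+' and '/' alphabet, '=' padding.
function toBase64(bytes) {
  return Buffer.from(bytes).toString('base64');
}

// base64url without padding (RFC 4648 section 5), the encoding WebAuthn
// defines for PublicKeyCredential.id.
function toBase64Url(bytes) {
  return toBase64(bytes).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Strict base64url decoder. Node's Buffer 'base64' decoder is lenient and
// silently accepts both alphabets, which is how an encoding mismatch can go
// unnoticed on one side and break on a stricter one, so validate the
// alphabet first and only then hand off to Buffer.
function fromBase64Url(s) {
  if (!/^[A-Za-z0-9_-]*$/.test(s)) {
    throw new Error('not base64url: ' + s);
  }
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const pad = '='.repeat((4 - (b64.length % 4)) % 4);
  return new Uint8Array(Buffer.from(b64 + pad, 'base64'));
}

// Build the JSON body a client would send for a new passkey. rawIdEncoding
// selects the behaviour: 'base64' reproduces the inconsistency described in
// the article, 'base64url' is the expected behaviour. Hypothetical helper.
function buildRegistrationBody(rawId, rawIdEncoding) {
  const encodeRawId = rawIdEncoding === 'base64url' ? toBase64Url : toBase64;
  return {
    id: toBase64Url(rawId),    // always base64url, as the WebAuthn spec defines
    rawId: encodeRawId(rawId), // the field whose encoding varies between requests
    type: 'public-key',
  };
}

// Check a serialized body: rawId must be strict base64url and must decode to
// exactly the bytes that id decodes to. Returns { ok, reason }.
function checkRawId(body) {
  let idBytes;
  let rawIdBytes;
  try {
    idBytes = fromBase64Url(body.id);
  } catch (e) {
    return { ok: false, reason: 'id is not base64url' };
  }
  try {
    rawIdBytes = fromBase64Url(body.rawId);
  } catch (e) {
    return { ok: false, reason: 'rawId is not base64url' };
  }
  const same =
    idBytes.length === rawIdBytes.length && idBytes.every((b, i) => b === rawIdBytes[i]);
  return same
    ? { ok: true, reason: '' }
    : { ok: false, reason: 'id and rawId decode to different bytes' };
}

// Constructed credential ID (not a real one). The first three bytes encode to
// '+/+/' in standard base64, and the length (16, not a multiple of 3) forces
// '=' padding, so the two encodings visibly differ.
const SAMPLE_RAW_ID = new Uint8Array([
  0xfb, 0xff, 0xbf, 0x00, 0x01, 0x02, 0x03, 0x04,
  0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c,
]);

const buggyBody = buildRegistrationBody(SAMPLE_RAW_ID, 'base64');    // POST-style body
const fixedBody = buildRegistrationBody(SAMPLE_RAW_ID, 'base64url'); // PUT/login-style body

console.log('POST-style:', JSON.stringify(buggyBody), checkRawId(buggyBody));
console.log('PUT-style: ', JSON.stringify(fixedBody), checkRawId(fixedBody));
```

Note that the two encodings only differ when the credential ID's base64 form contains a `+` or `/`, or when the byte length is not a multiple of three and so needs padding. A credential whose ID happens to avoid both will serialize identically either way, which is why a bug like this can pass casual testing and only show up on some passkeys; a regression test should therefore use an ID chosen to exercise both cases, as the sample above does.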

Screenshots or Videos

No screenshots or videos are provided to illustrate this issue.

Additional Context

This issue is observed on all operating systems, including iOS, macOS, Windows, Linux, and Android, and on all web browsers, including Chrome, Safari, Microsoft Edge, Firefox, Opera, Brave, and Vivaldi.

Build Version

The build version affected by this issue is 2025.2.2.

Issue Tracking Info

This issue is tracked outside of GitHub, and a PR will be linked to this issue if one is opened to address it.

Conclusion

The Bitwarden client serializes the WebAuthn rawId inconsistently: base64url without padding in the PUT and login requests, but standard base64 in the POST request to /api/webauthn. Since id and rawId carry the same credential ID, rawId should use the same base64url encoding as id in every request. The reporter observed the behaviour on all operating systems and browsers in build 2025.2.2; the issue is tracked outside of GitHub.

Recommendations

The Bitwarden client should serialize rawId with the same base64url-without-padding encoding it already uses for id and for rawId in the PUT and login requests, ideally through a single shared ArrayBuffer-to-base64url helper so the POST path cannot diverge again.

Future Work

Beyond the fix itself, a regression test that round-trips the serialized credential through a strict base64url decoder and compares id with rawId in every request path (POST, PUT and login) would keep the two fields from drifting apart again.

Related Issues

A previously opened bug (https://github.com/bitwarden/clients/issues/7259) was closed; the inconsistency it describes is still present in build 2025.2.2.

Commit Message

If a PR is opened to address this issue, the commit message should be:

Fix inconsistent encoding of WebAuthn rawId

API Documentation

The API documentation should state which encoding rawId uses, so that anyone integrating with the Bitwarden API decodes the field the same way the client encodes it.

Frequently Asked Questions

Q: What is the issue with the encoding of WebAuthn rawId in the Bitwarden client?

A: rawId is standard base64 in the POST request to /api/webauthn, but base64url without padding in the PUT request and the login request. A consumer that decodes rawId strictly as base64url will reject the POST value, and any code that expects id and rawId to match will see two different strings for one credential.

Q: Why is it important to consistently encode rawId?

A: id and rawId are defined by WebAuthn to carry the same bytes, and the specification's own JSON serialization of a registration response (RegistrationResponseJSON) encodes rawId as base64url. A client that serializes the field differently per request forces every server-side consumer to special-case the request type, and makes the credential ID compare unequal to itself across requests.

Q: What is the expected result for the encoding of rawId?

A: The expected result is that rawId should be encoded using the same strategy as id, ideally base64url-encoded without padding.

Q: Why is base64url encoding without padding preferred?

A: Not for security reasons; the two encodings carry the same bytes. base64url without padding is what WebAuthn specifies for id and for the JSON form of rawId, it needs no escaping in URLs or JSON, and it is already the encoding used in the PUT request and the login request.

Q: What is the actual result for the encoding of rawId?

A: The actual result is that rawId is encoded in base64 in the POST request to /api/webauthn.

Q: Why is the actual result inconsistent with the expected result?

A: Only the POST request to /api/webauthn serializes rawId as standard base64; the PUT request and the login request serialize the same field as base64url, so one code path is out of step with the others.

Q: What are the implications of this inconsistency?

A: The implication is interoperability, not a known exploit: a strict base64url decoder rejects the POST value, and code that compares id with rawId, or compares the rawId from the POST with the one from the PUT, sees a mismatch for the same credential.

Q: How can this issue be resolved?

A: By updating the Bitwarden client so that the POST request serializes rawId exactly as id is serialized, base64url without padding, preferably through the same helper used for the PUT and login requests.

Q: What are the benefits of resolving this issue?

A: rawId becomes the same string in every request, matches id, and decodes cleanly with a strict base64url decoder, so server-side code no longer has to guess the encoding from the request type.

Q: How can developers ensure that their code is consistent with the expected result, and what are the best practices for encoding rawId?

A: Route every ArrayBuffer-to-string conversion for credential fields through one base64url-without-padding helper, never through a generic base64 function, and add a test that decodes both id and rawId with a strict base64url decoder and asserts the bytes are equal. Use a test credential ID whose base64 form contains `+`, `/` and padding, since an ID that avoids them encodes identically under both schemes and would not catch the bug.

Q: How can users ensure that their data is secure?

A: There is nothing for users to do here; the issue is in how the client serializes a credential ID for the API, not in how vault data is protected. Keeping the client updated is sufficient once a fix ships.

Q: What are the next steps for resolving this issue?

A: Change the POST path in the Bitwarden client to encode rawId as base64url without padding like id, add a regression test covering all three request paths, link the PR to this issue, and update the API documentation to state the encoding.