Passkey: implement PublicKeyCredential.toJSON() (save error on Oracle Cloud among others)

[holow29]

Steps To Reproduce

1. Register for an account at https://www.oracle.com/cloud/sign-in.html
2. During registration, it will ask if you want to save a passkey/fido authenticator.
3. Click setup
4. Save passkey in bitwarden

If you already have an account, you can add a passkey under Profile -> Security -> Fido Passkey Authenticator -> Configure.

Expected Result

Expected indication that passkey was successfully saved on Oracle's end

Actual Result

Nothing/error: TypeError: Illegal invocation

Screenshots or Videos

No response

Additional Context

First mentioned in #6804

Operating System

macOS

Operating System Version

No response

Web Browser

Brave

Browser Version

1.73 (Chromium 131)

Build Version

2024.11.0

Issue Tracking Info

• I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.

[bitwarden-bot]

Thank you for reporting this issue! We've added this to our internal tracking system.
ID: PM-15077

[gboudreau]

Of note: I'm also receiving the TypeError: Illegal invocation error, but when trying to log in on Oracle Cloud using my Passkey, and using 1Password. So maybe the problem is from Oracle Cloud, and not Bitwarden. TBC.

[iodize6399]

I've also started receiving Illegal Invocation as well when using passkey already stored on Bitwarden to login OCI. I'm using Version 131.0.6778.93 (Official Build, ungoogled-chromium) (64-bit)

[danktankk]

same error and issue. I cant use bitwarden either

[Tvangeste]

I've digged deeper into the problem, since it started to annoy me more and more.

My take on the problem is here: aws-samples/amazon-cognito-passwordless-auth#94 (comment)

Basically, Chrome 129 added PublicKeyCredential.toJSON() function, per spec, and the credentials from Bitwarden/1Password are not ready so calling this method leads to TypeError.

I assume that the best way forward is for the Bitwarden/1Password extensions to properly implement/handle PublicKeyCredential.toJSON().

Workarounds for now:

1. Use Chrome 128
2. Play with devtools and local overrides to delete PublicKeyCredential.toJSON from the object
3. Wait for Bitwarden/1Password fix their implementations according to spec.

For more info about browser compatibility with PublicKeyCredential.toJSON() take a look here:

https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredential/toJSON#browser_compatibility

Basically, every browser that implements this toJSON() function breaks authentication with 1Password (and I assume Bitwarden too).

[Qualify5]

The same issue seems to occur at https://signon.oracle.com/ using Bitwarden in Edge or Chrome. I was previously able to create a passkey and save it to Bitwarden, and it worked as expected up until a few months ago. Since then, I get the Illegal invocation error.

The steps are:

1. Enter an e-mail address at https://signon.oracle.com/ - you are redirected to https://signon-int.oracle.com/signin.
2. Click the button labelled "Verify passkey on device Bitwarden" - Bitwarden launches as expected and prompts to select a passkey.
3. Select a passkey to use - the logon page instantly displays "TypeError: Illegal invocation".

[kurumigi]

Basically, Chrome 129 added PublicKeyCredential.toJSON() function, per spec, and the credentials from Bitwarden/1Password are not ready so calling this method leads to TypeError.

Oh, It solved my question.
In Firefox 133.0.3, Another error message appears, "TypeError: 'toJSON' called on an object that does not implement interface PublicKeyCredential."

[holow29]

@coroiu Is implementing PublicKeyCredential.toJSON() on BW roadmap?

[coroiu]

@holow29 Thanks for bringing this to my attention! I've brought this up internally and it's currently being reviewed/planned. We'll hopefully have a fix for this soon!

[holow29]

@coroiu Great to hear! Thanks for picking this up. As an aside, I've found https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredential somewhat helpful to keep up with some of the work browser devs are doing for web compat. There are some new experimental APIs and methods (e.g. signalAllAcceptedCredentials_static for "Signal API" - https://chromestatus.com/feature/5101778518147072) being tested in Chromium which might be good to keep an eye on as development progresses. Also a potentially useful test site: https://signal-api-demo.glitch.me/