feat(passkeys): Support password manager browser extensions #699
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.OpenSSF ScorecardScorecard details
Scanned Files
|
24597b7 to
5422819
Compare
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR enables passkeys to work with password manager browser extensions by adding support for autofill UI dialogs and handling encoding differences between password managers and the WebAuthn specification. The key changes include adding base64url normalization functions, improved error handling for credential operations, and support for both modal and autofill authentication flows.
Key changes:
- Added base64url encoding normalization to handle password managers that use standard base64 encoding
- Enhanced error handling for WebAuthn credential operations with granular AbortError and NotAllowedError handling
- Refactored authentication flow to support both native modal dialogs and password manager autofill UI
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot <[email protected]>
Co-authored-by: Copilot <[email protected]>
tjsilver
reviewed
Nov 6, 2025
Contributor
tjsilver
left a comment
There was a problem hiding this comment.
I could not test as I was unable to add a passkey to Lastpass for Janus on Firefox. When I tried on prod Janus, adding the passkey to Lastpass extension was successful, but on Janus I got the toast error 'invalid passkey field'. I am also unable to get to the local janus running this branch with the error: Could not resolve substitution to a value: ${PASSKEY_MANAGER_CONTACT_LINK}. So I think I'm caught in a situation where I can't register a passkey, but also can't proceed without one on this branch.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What is the purpose of this change?
This change enables passkeys to be authenticated by and stored in password managers, as well as the native options provided by the OS and the browser currently.
Conditions for changed experience
The changed experience
At registration and authentication time, an autofill UI dialog provided by the password manager appears top right instead of the native modal dialog. (If multiple password managers are installed, a dialog supplied by one of them opens. I'm not sure what the rules of precedence are here.)
What is the value of this change and how do we measure success?
Users can be provided with an org-managed password manager extension to make it easier to provide passkeys.
Caution
Not all password managers respect the user verification options of the WebAuthn spec without further configuration. Even though the authentication response they send to the server for verification claims that user verification took place.
To Test
There are many scenarios but these are the important ones: