
I have two devices which do not send a userHandle during WebAuthn authentication. But once both devices are registered, one of the two is not allowed to log in.

Caused by: java.lang.IllegalArgumentException: Unknown credential: ByteArray(*****)
    at com.yubico.internal.util.ExceptionUtil.assure(ExceptionUtil.java:42)
    at com.yubico.webauthn.FinishAssertionSteps$Step2.validate(FinishAssertionSteps.java:214)
    at com.yubico.webauthn.FinishAssertionSteps$Step.next(FinishAssertionSteps.java:105)

When each device is registered, it adds a distinct userHandle value into the credentialRepository. But during the authentication flow, it invokes credentialRepository.getUserHandleForUsername here if the userHandle is null.

When there are two devices registered for the same user, getUserHandleForUsername returns only one of the two user handles; the credential lookup returns empty when the returned userHandle does not match the credentialId, and that is the reason the other device is not able to log in at all.

While researching this, I noticed this commit on the webauthn library. But I'm not clear whether this commit is intended to solve this issue, whether there is a different way to address it, or whether this use case cannot be supported.

  • I also faced the same issue. Created an issue on the webauthn library repo to get their feedback as well: https://github.com/Yubico/java-webauthn-server/issues/313 – Sajith Aug 11 '23 at 11:47
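An added illustration of the design point behind the question (example code, not from the question, the commenter, or java-webauthn-server itself): a CredentialRepository that mints one user handle per username and reuses it for every later registration, so that lookup(credentialId, userHandle) resolves both credentials when an authenticator sends no userHandle. The class name, the in-memory maps and the getOrCreateUserHandle/addCredential helpers are assumptions; the five overridden methods are the library's CredentialRepository interface.

```java
import com.yubico.webauthn.CredentialRepository;
import com.yubico.webauthn.RegisteredCredential;
import com.yubico.webauthn.data.ByteArray;
import com.yubico.webauthn.data.PublicKeyCredentialDescriptor;

import java.security.SecureRandom;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.stream.Collectors;

/** Hypothetical in-memory repository: every username owns exactly one user handle. */
public class StableHandleCredentialRepository implements CredentialRepository {
    private final SecureRandom random = new SecureRandom();
    private final Map<String, ByteArray> handleByUsername = new ConcurrentHashMap<>();
    private final Map<ByteArray, String> usernameByHandle = new ConcurrentHashMap<>();
    private final Map<ByteArray, RegisteredCredential> credentialsById = new ConcurrentHashMap<>();

    /** Returns the user's existing handle or mints one on first registration.
     *  Build the registration UserIdentity from this value, never from a fresh random per device. */
    public ByteArray getOrCreateUserHandle(String username) {
        return handleByUsername.computeIfAbsent(username, u -> {
            byte[] bytes = new byte[32];          // opaque and random, not derived from PII
            random.nextBytes(bytes);
            ByteArray handle = new ByteArray(bytes);
            usernameByHandle.put(handle, u);
            return handle;
        });
    }

    /** Stores a credential after finishRegistration(); refuses a handle that is not the user's own. */
    public void addCredential(String username, RegisteredCredential credential) {
        ByteArray expected = getOrCreateUserHandle(username);
        if (!expected.equals(credential.getUserHandle())) {
            throw new IllegalArgumentException("credential registered under a foreign user handle");
        }
        credentialsById.put(credential.getCredentialId(), credential);
    }

    @Override public Set<PublicKeyCredentialDescriptor> getCredentialIdsForUsername(String username) {
        ByteArray handle = handleByUsername.get(username);
        return credentialsById.values().stream()
                .filter(c -> c.getUserHandle().equals(handle))
                .map(c -> PublicKeyCredentialDescriptor.builder().id(c.getCredentialId()).build())
                .collect(Collectors.toSet());
    }
    @Override public Optional<ByteArray> getUserHandleForUsername(String username) { return Optional.ofNullable(handleByUsername.get(username)); }
    @Override public Optional<String> getUsernameForUserHandle(ByteArray userHandle) { return Optional.ofNullable(usernameByHandle.get(userHandle)); }
    @Override public Optional<RegisteredCredential> lookup(ByteArray credentialId, ByteArray userHandle) {
        // Both of the user's credentials carry the same handle, so the username-derived handle matches either one.
        return Optional.ofNullable(credentialsById.get(credentialId)).filter(c -> c.getUserHandle().equals(userHandle));
    }
    @Override public Set<RegisteredCredential> lookupAll(ByteArray credentialId) {
        return Optional.ofNullable(credentialsById.get(credentialId)).map(Set::of).orElse(Set.of());
    }
}
```

With this layout the failure in the question cannot occur: getUserHandleForUsername has only one handle to return, and it is the handle stored on every credential of that user.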
