
Support for WebAuthn Registration for anonymous user #16351

Open
@justincranford

Description

I upgraded from Spring Security 6.3 to 6.4. I was using Yubico's WebAuthn, and I am in the process of trying to switch to Spring Security's WebAuthn. However, Spring Security WebAuthn is missing support for registration by an anonymous user. It is a blocker for switching.

Expected Behavior

WebAuthn L1 (2019) and L2 (2021) specifications support registration of a credential by an anonymous user. If the user doesn't exist, then registration is supposed to create the account before associating the credential to it.

Current Behavior

Visiting /webauthn/registration and /webauthn/registration/options fails due to the implementation looking at request.getRemoteUser(), and returning an error if found to be null.

Context

WebAuthn L2 Specification => https://www.w3.org/TR/2021/REC-webauthn-2-20210408

Subsection 1.3.1. Registration specifically says "Or the user may be in the process of creating a new account." It is the last sentence of this excerpt:

> The user visits example.com, which serves up a script.
> At this point, the user may already be logged in using a legacy username and password, or additional authenticator, or other means acceptable to the [Relying Party](https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#relying-party).
> Or the user may be in the process of creating a new account.

Example 1

Yubico's demo website https://webauthn.io/ shows how registration by an anonymous user is supposed to work. Note that, as the user, you can choose between two WebAuthn registration types (Non-Resident vs. Resident) under Advanced Settings via this setting:

Discoverable Credential:

  1. Discouraged (Client wants Non-Resident/Non-Discoverable)
  2. Preferred (Client wants Resident/Discoverable, but fallback to Non-Resident/Non-Discoverable is OK)
  3. Required (Client wants Resident/Discoverable)

Passkeys is an alias for Resident/Discoverable added in the L2 spec, but the spec is backwards compatible with Non-Resident/Non-Discoverable.

Example 2

Yubico offers a Java WebAuthn Server. It comes with a demo you can run yourself and debug. It supports credential registration by an anonymous user too.

Example 3

I used Yubico's WebAuthn Server with Spring Security 6.3 in my own project.

It is a new project, only WebAuthn registration and authentication are supported, and there are no other "legacy" authentication methods. Anonymous registration works. In this screenshot, you can see I used Google Chrome. Chrome's Developer Tools supports WebAuthn virtual authenticators for testing, and you can see I registered multiple Non-Resident and Resident credentials.

Labels: in: web (An issue in web modules (web, webmvc)); status: waiting-for-feedback (We need additional information before we can continue); type: enhancement (A general enhancement)