Describe the bug

When used as a single factor, WebAuthn login works.

Used as a second factor, WebAuthn login fails, because allowCredentials is not null and the sent credentialId does not match the stored allowCredentials. The following error is thrown:

org.springframework.security.authentication.BadCredentialsException: credentialId not listed in allowCredentials is used.
    at org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationProvider.authenticate(WebAuthnAuthenticationProvider.java:80) ~[spring-security-webauthn-7.0.0-RC3.jar:7.0.0-RC3]
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:183) ~[spring-security-core-7.0.0-RC3.jar:7.0.0-RC3]
    at org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationFilter.attemptAuthentication(WebAuthnAuthenticationFilter.java:121) ~[spring-security-webauthn-7.0.0-RC3.jar:7.0.0-RC3]
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:249) ~[spring-security-web-7.0.0-RC3.jar:7.0.0-RC3]
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:239) ~[spring-security-web-7.0.0-RC3.jar:7.0.0-RC3]
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380) ~[spring-security-web-7.0.0-RC3.jar:7.0.0-RC3]
[...]
Caused by: com.webauthn4j.verifier.exception.NotAllowedCredentialIdException: credentialId not listed in allowCredentials is used.
    at com.webauthn4j.verifier.internal.CredentialIdVerifier.verify(CredentialIdVerifier.java:17) ~[webauthn4j-core-0.29.7.RELEASE.jar:na]
    at com.webauthn4j.verifier.AuthenticationDataVerifier.verify(AuthenticationDataVerifier.java:92) ~[webauthn4j-core-0.29.7.RELEASE.jar:na]
    at com.webauthn4j.WebAuthnAuthenticationManager.verify(WebAuthnAuthenticationManager.java:254) ~[webauthn4j-core-0.29.7.RELEASE.jar:na]
    at com.webauthn4j.WebAuthnAuthenticationManager.verify(WebAuthnAuthenticationManager.java:237) ~[webauthn4j-core-0.29.7.RELEASE.jar:na]
    at com.webauthn4j.WebAuthnManager.verify(WebAuthnManager.java:369) ~[webauthn4j-core-0.29.7.RELEASE.jar:na]
    at org.springframework.security.web.webauthn.management.Webauthn4JRelyingPartyOperations.authenticate(Webauthn4JRelyingPartyOperations.java:405) ~[spring-security-webauthn-7.0.0-RC3.jar:7.0.0-RC3]
    at org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationProvider.authenticate(WebAuthnAuthenticationProvider.java:72) ~[spring-security-webauthn-7.0.0-RC3.jar:7.0.0-RC3]
    ... 80 common frames omitted

To Reproduce

Use two-factor auth with WebAuthn as the second factor, no matter which first factor is used.

Then CredentialRequestOptions.publicKey.allowCredentials is not null, but during WebAuthn validation the credential's binary id doesn't match the known allowCredentials.
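
An added illustration, not part of the original report and not Spring Security or webauthn4j code: the allowCredentials check the WebAuthn specification requires of a relying party when verifying an assertion, with a helper that renders both sides as base64url so a mismatch can be read from a log line. The class and method names are hypothetical, the ids are constructed, and treating a null or empty list as "no restriction" is an assumption made here for the single-factor flow.

```java
import java.util.Arrays;
import java.util.Base64;
import java.util.List;

// Hypothetical names throughout; this sketches the spec-level check only.
public class AllowCredentialsCheck {

    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    // allowCredentials: the credential ids sent in the request options, as raw bytes.
    // Null or empty is treated as "no restriction" (assumption for the
    // single-factor, discoverable-credential flow).
    static boolean isAllowed(List<byte[]> allowCredentials, byte[] credentialId) {
        if (allowCredentials == null || allowCredentials.isEmpty()) {
            return true;
        }
        // Compare contents: byte[].equals() and List.contains() compare references.
        return allowCredentials.stream().anyMatch(id -> Arrays.equals(id, credentialId));
    }

    // Renders the asserted id and the allowed ids as base64url for side-by-side comparison.
    static String describe(List<byte[]> allowCredentials, byte[] credentialId) {
        StringBuilder sb = new StringBuilder("asserted=" + B64URL.encodeToString(credentialId) + " allowed=[");
        if (allowCredentials != null) {
            for (int i = 0; i < allowCredentials.size(); i++) {
                sb.append(i == 0 ? "" : ",").append(B64URL.encodeToString(allowCredentials.get(i)));
            }
        }
        return sb.append("] match=").append(isAllowed(allowCredentials, credentialId)).toString();
    }

    public static void main(String[] args) {
        // Constructed sample ids, not taken from the report.
        byte[] registered = {0x01, 0x02, 0x03, 0x04};
        byte[] asserted = {0x01, 0x02, 0x03, 0x04};
        byte[] other = {0x0a, 0x0b, 0x0c, 0x0d};

        System.out.println(describe(null, asserted));                 // single factor: no list to check
        System.out.println(describe(List.of(registered), asserted));  // second factor: id is listed
        System.out.println(describe(List.of(other), asserted));       // second factor: id is not listed
    }
}
```

The third call is the condition that the "credentialId not listed in allowCredentials is used" message describes.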

Comment From: Kehrlann

I'll take care of this one.

Comment From: rwinch

Thanks @Kehrlann, I'm going to close this as a duplicate and use PR 18163.