From 3fc1decfadfcf1eb79c1cdce1983ff01f3a5b9f3 Mon Sep 17 00:00:00 2001 From: Allen Li Date: Wed, 30 Jul 2025 00:12:05 +0000 Subject: [PATCH 1/2] fix(reauth): Use UV=preferred for ReAuth WebAuthn challenge Since ReAuth is a second factor credential, it is not necessary to require UV here. This was discussed with ReAuth folks. Also, in practice, downstream clients disregard this because the U2F protocol doesn't expose UV enforcement. --- google/oauth2/challenges.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/google/oauth2/challenges.py b/google/oauth2/challenges.py index 6468498bc..59a2f9be4 100644 --- a/google/oauth2/challenges.py +++ b/google/oauth2/challenges.py @@ -225,7 +225,7 @@ def _obtain_challenge_input_webauthn(self, metadata, webauthn_handler): challenge=self._unpadded_urlsafe_b64recode(challenge), timeout_ms=WEBAUTHN_TIMEOUT_MS, allow_credentials=allow_credentials, - user_verification="required", + user_verification="preferred", extensions=extension, ) From 4ee2cc90fae43360d6fd2ba321b276da302db929 Mon Sep 17 00:00:00 2001 From: Anthonios Partheniou Date: Mon, 5 Jan 2026 12:40:25 -0500 Subject: [PATCH 2/2] update test to match code changes --- tests/oauth2/test_challenges.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/oauth2/test_challenges.py b/tests/oauth2/test_challenges.py index c9b60148a..fb5e164d5 100644 --- a/tests/oauth2/test_challenges.py +++ b/tests/oauth2/test_challenges.py @@ -235,7 +235,7 @@ def test_security_key_webauthn(): challenge=challenge._unpadded_urlsafe_b64recode(sk_challenge["challenge"]), timeout_ms=challenges.WEBAUTHN_TIMEOUT_MS, allow_credentials=allow_credentials, - user_verification="required", + user_verification="preferred", extensions=extension, )