Cancelled passkey registration does not fall back to browser flow #2433

Closed
thgoebel opened this issue Jan 8, 2025 · 8 comments

@thgoebel

thgoebel commented Jan 8, 2025

When registering a new passkey, I cannot fall back to my physical hardware key when a KeePassXC database is open.

Steps to reproduce

  1. Unlock KeePassXC
  2. Enable passkeys and "passkeys fallback" in the KeePassXC browser add-on settings.
  3. Go to https://webauthn.io/
  4. Enter a username and click "Register"
  5. In the KeePassXC popup ("Do you want to register a passkey for") click "Cancel"

Actual behaviour

The request is cancelled.

Expected behaviour

The request falls back to my browser's WebAuthn flow, so that I can register my hardware key.

Workaround

  1. Lock the KeePassXC database.
  2. Then register the hardware key.
  3. Re-open the database for other operations later.

Metadata

  • Ubuntu 24.04
  • Firefox 133.0.3
  • KeePassXC 2.7.9
  • KeePassXC-Browser: 1.9.5
@varjolintu
Member

At least for me the browser falls back to the internal dialog when pressing cancel. Does it happen only when you have your hardware key connected?

@thgoebel
Author

thgoebel commented Jan 8, 2025

It happens both with the hardware key connected and disconnected.

I stepped through it with Firefox' debugger, and it falls into this if-branch:

https://github.com/keepassxreboot/keepassxc-browser/blob/392fe2e/keepassxc-browser/background/keepass.js#L623

The response is:

Image

(Sorry, I can't figure out a way to copy this from the devtools.)

So the response is a valid object, albeit with an error code.

@thgoebel
Author

thgoebel commented Jan 8, 2025

I also see this popup, which looks suspiciously like errorMessagePasskeysRequestCanceled.

Image

@varjolintu
Member

Try disabling the fallback option and enabling it again? Otherwise this would need some debugging to see why the fallback doesn't happen at all.

@thgoebel
Author

thgoebel commented Jan 8, 2025

Enabling + disabling did not help.

It seems to run until here:

return response.fallback ? originalCredentials.create(options) : null;

Then it fails with CredentialContainer request is not allowed. webauthn.io catches this DOMException and shows it as a red textbox. On GitHub the exception is printed in the console.
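
The fallback decision quoted in the comment above, as an added example that is not part of the thread or of the KeePassXC-Browser code: it records which path ran and keeps the error's name and message, so a cancel that never reached the browser can be told apart from a native call the browser rejected. Only `response.fallback`, `originalCredentials.create(options)` and the error message come from the thread; every other name, the `NotAllowedError` name and all inputs are assumptions or constructed samples.

```javascript
// Stand-in for the browser's DOMException (constructed, so this runs in Node).
const domError = (name, message) => Object.assign(new Error(message), { name });

// Hypothetical wrapper around the fallback expression quoted in the thread.
// askExtension models the extension's passkey popup (assumed shape).
async function createWithFallback(options, askExtension, originalCredentials) {
  const response = await askExtension(options);
  if (response && response.credential) {
    return { path: 'extension', credential: response.credential, error: null };
  }
  if (!response || !response.fallback) {
    // Fallback disabled: the request simply ends, as in "Actual behaviour".
    return { path: 'cancelled', credential: null, error: null };
  }
  try {
    const credential = await originalCredentials.create(options);
    return { path: 'browser', credential, error: null };
  } catch (e) {
    // Keep name and message: the browser refused the native request.
    return { path: 'browser', credential: null,
             error: { name: e.name, message: e.message } };
  }
}

// Constructed inputs: the user pressed "Cancel" in the extension popup.
const cancelledWithFallback = async () => ({ fallback: true });
const cancelledNoFallback = async () => ({ fallback: false });
const options = { publicKey: { rp: { name: 'example' } } };

// Browser that accepts the request (the clean-install case in the thread).
const workingBrowser = { create: async () => ({ id: 'hw-key-credential' }) };
// Browser that rejects it with the message quoted in the thread.
// The error name is an assumption; the thread only says "DOMException".
const rejectingBrowser = {
  create: async () => {
    throw domError('NotAllowedError', 'CredentialContainer request is not allowed');
  },
};

async function demo() {
  return {
    ok: await createWithFallback(options, cancelledWithFallback, workingBrowser),
    rejected: await createWithFallback(options, cancelledWithFallback, rejectingBrowser),
    noFallback: await createWithFallback(options, cancelledNoFallback, workingBrowser),
  };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```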

@varjolintu
Member

That's strange. The options should be identical to the one the server sent originally. I'd probably try downgrading Firefox, or installing it some other way. Does some other browser work without any issues?

@thgoebel
Author

thgoebel commented Jan 10, 2025

I tried it on a spare laptop with a clean install of Kubuntu 24.10, Firefox 134.0.0 (snap), KeePassXC 2.7.9 (snap) and browser extension 1.9.5.

There it works correctly. 🥲

I don't have time to do more digging right now, so I'll close this (and live with it, and maybe do a clean system install of my main laptop at some point). Ideally there would be more details in the error message as to WHY it's not allowed (but that's a Firefox issue, not a KeePassXC issue). I couldn't get more info out of the dev tools. :/

@varjolintu
Member

Alternatively you can try installing Firefox from a plain .tar.bz2 package and see if it behaves differently:
https://support.mozilla.org/en-US/kb/install-firefox-linux
