Scenario
- Use Safari on macOS and then trigger WebAuthn authentication with a non-empty allow list
- Select the QR code authentication flow and use an Android passkey by scanning the QR code and performing UV
- Check the userHandle field in the authenticator response coming from Safari.
Issue: currently, the returned userHandle is an empty string (""). On the RP side, we could handle an empty string as null, but some server implementations might reject such a response since it's not a valid value.
Expected behavior: If the authenticator does not return any userHandle to the browser, the userHandleResult (userHandle returned by the browser) should be null rather than an empty string.
Other observations: Chrome on macOS returns a null userHandle for the above scenarios, which I think is the correct behavior. Safari on iOS returns a populated userHandle (which is neither null nor empty) even when the authentication is requested with non-empty allow credentials. I'm thinking that this is not the problem.
See the following: https://w3c.github.io/webauthn/#assertioncreationdata-userhandleresult
There are also related discussions: https://groups.google.com/a/fidoalliance.org/g/fido-dev/c/v6JBaTsNv08
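The RP-side handling mentioned in the issue, sketched as an added example that is not part of the original report or of any browser's or server library's code. It assumes the client sends `userHandle` as a base64url string or null; `normalizeUserHandle`, `resolveUser` and the credential store are hypothetical names with constructed sample values.

```javascript
// Constructed sample store: credential ID (base64url) -> owning user handle (base64url).
const credentialStore = new Map([
  ["Y3JlZC0x", { userHandle: "dXNlci0x" }], // "cred-1" owned by "user-1"
]);

// Map the wire value to null (absent) or a non-empty string.
// An empty string is treated as "authenticator returned no user handle".
function normalizeUserHandle(raw) {
  if (raw === null || raw === undefined) return null;
  if (typeof raw !== "string") throw new TypeError("userHandle must be a string or null");
  return raw.length === 0 ? null : raw;
}

// Returns the user handle the assertion is bound to, or throws.
// allowCredentials: credential IDs the RP sent in the request (may be empty).
function resolveUser(assertion, allowCredentials) {
  const record = credentialStore.get(assertion.id);
  if (!record) throw new Error("unknown credential");

  const handle = normalizeUserHandle(assertion.response.userHandle);

  if (allowCredentials.length > 0) {
    // User was identified before the ceremony: the credential must be one we asked for.
    if (!allowCredentials.includes(assertion.id)) {
      throw new Error("credential not in allow list");
    }
    // userHandle is optional here, but if present it must match the stored owner.
    if (handle !== null && handle !== record.userHandle) {
      throw new Error("userHandle does not match credential owner");
    }
    return record.userHandle;
  }

  // Empty allow list (discoverable credential): userHandle must be present and match.
  if (handle === null) throw new Error("userHandle required without allow list");
  if (handle !== record.userHandle) {
    throw new Error("userHandle does not match credential owner");
  }
  return handle;
}
```

Normalizing before validation keeps the empty-string response from the scenario above from being rejected, while a missing handle is still refused when no allow list was sent.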