go-webauthn · james-d-elliott · Aug 26, 2025 · Aug 26, 2025 · Aug 26, 2025
@@ -67,6 +67,7 @@ table for more information. We also include JSON mappings for those that wish to
 |           type            |            N/A             |            N/A             |                       This field is always `publicKey` for WebAuthn                       |
 |            id             |             ID             |             id             |                                                                                           |
 |         publicKey         |         PublicKey          |         publicKey          |                                                                                           |
+|     attestationFormat     |      AttestationType       |      attestationType       |           This field is currently named incorrectly and this will be corrected.           |
 |         signCount         |  Authenticator.SignCount   |  authenticator.signCount   |                                                                                           |
 |        transports         |         Transport          |         transport          |                                                                                           |
 |       uvInitialized       |     Flags.UserVerified     |     flags.userVerified     |                                                                                           |

@@ -214,7 +214,7 @@ func (a *AttestationObject) VerifyAttestation(clientDataHash []byte, mds metadat
 		return nil
 	}
 
-	if e := ValidateMetadata(context.Background(), mds, aaguid, attestationType, x5cs); e != nil {
+	if e := ValidateMetadata(context.Background(), mds, aaguid, attestationType, a.Format, x5cs); e != nil {
 		return ErrInvalidAttestation.WithInfo(fmt.Sprintf("Error occurred validating metadata during attestation validation: %+v", e)).WithDetails(e.DevInfo).WithError(e)
 	}
 

@@ -10,11 +10,15 @@ import (
 	"github.com/go-webauthn/webauthn/metadata"
 )
 
-func ValidateMetadata(ctx context.Context, mds metadata.Provider, aaguid uuid.UUID, attestationType string, x5cs []any) (protoErr *Error) {
+func ValidateMetadata(ctx context.Context, mds metadata.Provider, aaguid uuid.UUID, attestationType, attestationFormat string, x5cs []any) (protoErr *Error) {
 	if mds == nil {
 		return nil
 	}
 
+	if AttestationFormat(attestationFormat) == AttestationFormatNone {
+		return nil
+	}
+
 	var (
 		entry *metadata.Entry
 		err   error

@@ -372,7 +372,7 @@ func (webauthn *WebAuthn) validateLogin(user User, session SessionData, parsedRe
 		err   error
 	)
 
-	// Ensure authenticators with a bad status is not used.
+	// Ensure authenticators with a bad status are not used.
 	if webauthn.Config.MDS != nil {
 		var aaguid uuid.UUID
 
@@ -382,7 +382,7 @@ func (webauthn *WebAuthn) validateLogin(user User, session SessionData, parsedRe
 			return nil, protocol.ErrBadRequest.WithDetails("Failed to decode AAGUID").WithInfo(fmt.Sprintf("Error occurred decoding AAGUID from the credential record: %s", err)).WithError(err)
 		}
 
-		if e := protocol.ValidateMetadata(context.Background(), webauthn.Config.MDS, aaguid, "", nil); e != nil {
+		if e := protocol.ValidateMetadata(context.Background(), webauthn.Config.MDS, aaguid, "", credential.AttestationType, nil); e != nil {
 			return nil, protocol.ErrBadRequest.WithDetails("Failed to validate credential record metadata").WithInfo(e.DevInfo).WithError(e)
 		}
 	}