fix(reauth): Use UV=preferred for ReAuth WebAuthn challenge

darkfeline · darkfeline · commit 3fc1decfadfc · 2025-07-30T00:22:31.000Z
Since ReAuth is a second factor credential, it is not necessary to
require UV here.  This was discussed with ReAuth folks.

Also, in practice, downstream clients disregard this because the U2F
protocol doesn't expose UV enforcement.
diff --git a/google/oauth2/challenges.py b/google/oauth2/challenges.py
@@ -225,7 +225,7 @@ def _obtain_challenge_input_webauthn(self, metadata, webauthn_handler):
             challenge=self._unpadded_urlsafe_b64recode(challenge),
             timeout_ms=WEBAUTHN_TIMEOUT_MS,
             allow_credentials=allow_credentials,
-            user_verification="required",
+            user_verification="preferred",
             extensions=extension,
         )
 

Original file line number	Diff line number	Diff line change
`@@ -225,7 +225,7 @@ def _obtain_challenge_input_webauthn(self, metadata, webauthn_handler):`
`225`	`225`	`challenge=self._unpadded_urlsafe_b64recode(challenge),`
`226`	`226`	`timeout_ms=WEBAUTHN_TIMEOUT_MS,`
`227`	`227`	`allow_credentials=allow_credentials,`
`228`		`- user_verification="required",`
	`228`	`+ user_verification="preferred",`
`229`	`229`	`extensions=extension,`
`230`	`230`	`)`
`231`	`231`