Type: Bug
Resolution: Done
Before reporting an issue
[x] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
authentication/webauthn
Describe the bug
When the attestation conveyance preference is set to direct or indirect, we are still adding the none verifier (see here). This means that even when we are requesting an attestation, the authenticator can return none and we accept it. It would be better to simply not include the none verifier when attestation is configured.
Version
24.0.2
Regression
[ ] The issue is a regression
Expected behavior
Only when the attestation conveyance is none (or default, empty) should the none verifier be added and accepted.
Actual behavior
The none verifier is always accepted even when direct attestation is configured.
How to Reproduce?
1. Start WebAuthn registration with none allowed in the policy.
2. When the page is presented with 'none' (default), change the policy to 'direct'.
3. Finish the registration with a response that returns no attestation.
4. This is allowed, but it should be rejected by Keycloak.
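The policy decision the report is about, as an added example that is not Keycloak's code: a minimal CBOR reader pulls the `fmt` field out of a constructed attestationObject, and two selector functions model the behaviour reported (the none verifier is registered regardless of the conveyance preference) next to the behaviour expected (it is registered only when conveyance is none or unset). The decoder, the function names, the `REAL_FORMATS` set and the sample attestation objects are assumptions of this example; Keycloak's own verification code is not reproduced here.

```python
import struct

# --- Minimal CBOR reader (assumption: only the item types an attestationObject uses) ---

def _read_arg(buf, pos):
    """Decode the argument of a CBOR item head; returns (value, position after the head)."""
    info = buf[pos] & 0x1F
    pos += 1
    if info < 24:
        return info, pos
    if info == 24:
        return buf[pos], pos + 1
    if info == 25:
        return struct.unpack(">H", buf[pos:pos + 2])[0], pos + 2
    if info == 26:
        return struct.unpack(">I", buf[pos:pos + 4])[0], pos + 4
    raise ValueError("unsupported CBOR argument encoding")


def cbor_decode(buf, pos=0):
    """Decode one CBOR item at buf[pos]; returns (python_value, next_position)."""
    major = buf[pos] >> 5
    arg, pos = _read_arg(buf, pos)
    if major == 0:                                   # unsigned int
        return arg, pos
    if major == 1:                                   # negative int (-1 - arg), e.g. COSE alg -7
        return -1 - arg, pos
    if major == 2:                                   # byte string
        return bytes(buf[pos:pos + arg]), pos + arg
    if major == 3:                                   # text string
        return buf[pos:pos + arg].decode("utf-8"), pos + arg
    if major == 4:                                   # array
        items = []
        for _ in range(arg):
            item, pos = cbor_decode(buf, pos)
            items.append(item)
        return items, pos
    if major == 5:                                   # map
        out = {}
        for _ in range(arg):
            key, pos = cbor_decode(buf, pos)
            val, pos = cbor_decode(buf, pos)
            out[key] = val
        return out, pos
    raise ValueError(f"unsupported CBOR major type {major}")


# --- Policy: which attestation statement formats get a verifier (assumed set of real formats) ---
REAL_FORMATS = {"packed", "fido-u2f", "tpm", "android-key", "android-safetynet", "apple"}


def verifiers_as_reported(conveyance):
    """Behaviour the issue describes: the 'none' verifier is registered regardless of policy."""
    return REAL_FORMATS | {"none"}


def verifiers_as_expected(conveyance):
    """Expected behaviour: 'none' is accepted only when no attestation was asked for."""
    if conveyance in (None, "", "none"):
        return REAL_FORMATS | {"none"}
    if conveyance in ("indirect", "direct"):
        return set(REAL_FORMATS)
    raise ValueError(f"unknown attestation conveyance preference {conveyance!r}")


def verify_attestation_format(attestation_object, conveyance, select_verifiers=verifiers_as_expected):
    """Return the attestation 'fmt' if the policy accepts it, else raise ValueError.
    Only the format-vs-policy decision is modelled; signature checks belong to the format verifier."""
    decoded, end = cbor_decode(attestation_object)
    if end != len(attestation_object):
        raise ValueError("trailing bytes after attestationObject")
    fmt = decoded.get("fmt") if isinstance(decoded, dict) else None
    if not isinstance(fmt, str):
        raise ValueError("attestationObject has no 'fmt' field")
    if fmt not in select_verifiers(conveyance):
        raise ValueError(f"format {fmt!r} rejected under conveyance {conveyance!r}")
    return fmt


def is_accepted(attestation_object, conveyance, select_verifiers=verifiers_as_expected):
    """Boolean wrapper around verify_attestation_format for policy comparisons."""
    try:
        verify_attestation_format(attestation_object, conveyance, select_verifiers)
        return True
    except ValueError:
        return False


# --- Constructed sample attestationObjects (placeholder authData: rpIdHash + flags UP + counter) ---
_AUTH_DATA = bytes(32) + b"\x01" + b"\x00\x00\x00\x01"
_AUTH_DATA_CBOR = b"\x68authData" + b"\x58\x25" + _AUTH_DATA          # text "authData", bstr(37)

# fmt "none" with an empty attStmt: what the authenticator returns in the reproduction steps.
NONE_ATTESTATION = (b"\xa3" + b"\x63fmt" + b"\x64none"
                    + b"\x67attStmt" + b"\xa0" + _AUTH_DATA_CBOR)

# fmt "packed" with a constructed attStmt {alg: -7, sig: <3 placeholder bytes>}.
PACKED_ATTESTATION = (b"\xa3" + b"\x63fmt" + b"\x66packed"
                      + b"\x67attStmt" + b"\xa2" + b"\x63alg" + b"\x26" + b"\x63sig" + b"\x43\x01\x02\x03"
                      + _AUTH_DATA_CBOR)


if __name__ == "__main__":
    for conveyance in ("none", "direct"):
        print(conveyance, "reported:", is_accepted(NONE_ATTESTATION, conveyance, verifiers_as_reported),
              "expected:", is_accepted(NONE_ATTESTATION, conveyance))
```

Running the block prints that a `none` attestation is accepted under both selectors when conveyance is `none`, while under `direct` only the reported behaviour accepts it; the check is made against the policy in force at verification time, which is the point where step 4 of the reproduction should fail.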
Anything else?
No response