Problem with accepting Android rpOrigin


Tomer David

Apr 2, 2023, 9:09:47 AM
to FIDO Dev (fido-dev)
Hello,

I'm failing to accept FIDO2 credentials created by a native Android application, due to an unexpected rpOrigin.
The tech stack:
Kotlin Android client using Fido2ApiClient, associated with a website following the website interoperability guidelines
NodeJS server using fido2-lib

While fido2-lib only accepts rpOrigins that follow the https protocol, the clientDataJSON returned from the Fido2ApiClient holds an rpOrigin property that follows the Android FacetID: android:apk-key-hash:<apk-cert-hash>.

Is there an option to modify the Android challenge response to have an https rpOrigin without using a browser's WebAuthn interface? Or is there a known solution for the server side to accept non-https rpOrigins?

We have the same server working with iOS applications, and they used an https origin, even though iOS is supposed to have a non-https FacetID, so that's why we believe something can be done.

Thanks ahead,
Tomer

Adam Langley

Apr 4, 2023, 1:24:40 PM
to FIDO Dev (fido-dev), Tomer David
On Sunday, April 2, 2023 at 6:09:47 AM UTC-7 Tomer David wrote:
Hello,

I'm failing to accept FIDO2 credentials created by a native Android application, due to an unexpected rpOrigin.
The tech stack:
Kotlin Android client using Fido2ApiClient, associated with a website following the website interoperability guidelines
NodeJS server using fido2-lib

While fido2-lib only accepts rpOrigins that follow the https protocol, the clientDataJSON returned from the Fido2ApiClient holds an rpOrigin property that follows the Android FacetID: android:apk-key-hash:<apk-cert-hash>.

Is there an option to modify the Android challenge response to have an https rpOrigin without using a browser's WebAuthn interface? Or is there a known solution for the server side to accept non-https rpOrigins?

There's currently no option to change the origin in the clientDataJSON for Android apps.

The assetlinks.json on a site authorises an app to use credentials with that site's RP ID, but the origin in the clientDataJSON informs the validator of the identity of the entity that requested an operation. In the case of an app, that identity is not a Web origin, but something platform specific. Thus a validator that expects to process results from a non-Web context must be able to recognise those identifiers.

Cheers

AGL

Tomer David

Apr 9, 2023, 3:52:23 AM
to FIDO Dev (fido-dev), Adam Langley, Tomer David
Thanks for the reply!

I guess there's nothing to do on the client side at the moment; we'll work on adding support to the validator.
Do you have an idea why our iOS client didn't encounter this issue, and signed with an https origin?

Cheers,
Tomer

Tim Cappalli

Apr 9, 2023, 5:20:22 PM
to Tomer David, FIDO Dev (fido-dev), Adam Langley, Tomer David

It's not an issue per se. Android and iOS handle app-to-web origin binding in different ways.

tim
