Using WebAuthn-created keys from Android App?

42 views
Skip to first unread message

Anders Rundgren

unread,
Nov 17, 2022, 3:17:31 AM11/17/22
to FIDO Dev (fido-dev)
Google's docs and FIDO samples are not overly easy to decipher, so may I ask a very basic question?

I want to create keys using the existing WebAuthn system in Android and then reuse these keys from a native App.  Is that possible and what are steps needed?  Constraints?

How the App gets the associated credentialId and rpId is not the question :)

Cheers,
Anders

Shane Weeden

unread,
Nov 17, 2022, 5:48:35 AM11/17/22
to Anders Rundgren, FIDO Dev (fido-dev)
Yes it’s possible. See https://github.com/googlecodelabs/fido2-codelab

Sent from my iPhone

On 17 Nov 2022, at 6:17 pm, Anders Rundgren <anders.ru...@gmail.com> wrote:

Google's docs and FIDO samples are not overly easy to decipher, so may I ask a very basic question?
--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/6270d131-4a42-4663-b0f0-4f8ddaa4f582n%40fidoalliance.org.

Anders Rundgren

unread,
Nov 18, 2022, 11:06:32 AM11/18/22
to FIDO Dev (fido-dev), Shane Weeden, FIDO Dev (fido-dev), Anders Rundgren
Thanx Shane,
I did simply download the release fido2.apk and installed in Android 7 and 10.
It did not work at all, while the Web version did.

I still don't understand how web assets are supposed to work:

[{"relation":["delegate_permission/common.handle_all_urls","delegate_permission/common.get_login_creds"],
  "target":{"namespace":"web","site":"https://webauthn-codelab.glitch.me"}},
 {"relation":["delegate_permission/common.handle_all_urls","delegate_permission/common.get_login_creds"],"
  target":{"namespace":"android_app","package_name":"com.example.android.fido2","sha256_cert_fingerprints":["47:CC:4E:EE:B9:50:59:A5:8B:E0:19:45:CA:0A:6D:59:16:F9:A9:C2:96:75:F8:F3:64:86:92:46:2B:7D:5D:5C"]}}]

How do "web" and "android_app" relate to each other?

To put it differently:  If this declaration permits apps to login to any domain, this would be a major security issue.

API-wise it seems that you can specify whatever rpId you want:

Anders

Shane Weeden

unread,
Nov 18, 2022, 2:24:18 PM11/18/22
to Anders Rundgren, FIDO Dev (fido-dev)
I am no Android expert but it seems that Android will take the RPId you are using and then visit a well-known url at that site to retrieve the asset links.json file. The api will only be allowed to execute the Fido APIs with the RPId if that file contains the thumbprint of the cert used to sign the app. 

Sent from my iPhone

On 19 Nov 2022, at 2:06 am, Anders Rundgren <anders.ru...@gmail.com> wrote:



Ki-Eun Shin

unread,
Nov 19, 2022, 2:39:32 AM11/19/22
to FIDO Dev (fido-dev), Shane Weeden, FIDO Dev (fido-dev), anders.ru...@gmail.com
It's a kind of cross referencing between the app and web site.
The web (RP id) site should serve asset links (assetlinks.json) including your native apps information (app's signing certificate fingerprint).
Also, the Android app (which is associated with the site - given RP id) needs to include such statement.

So, you need to do this cross referencing on your web sit and app.
This is android digital asset links mechanism. Please refer this site:

In similar way, for iOS native app, it need to do similar job, app-site-association in Apple ecosystem terms.
Reply all
Reply to author
Forward
0 new messages