Validation failure for WebAuthN origin validator for android fido2 app


ashok dhakar

Sep 25, 2020, 2:27:56 PM
to fido...@fidoalliance.org

I created a sample app on Android that uses the Android Fido2 client API, using Fido2ClientApi to create the public key credentials.
The credential creation response is sent to a Fido2 server which uses the WebAuthN spec. The clientDataJSON coming from the Android app contains the origin: android:apk-key-hash:<hash>, while the WebAuthn4J library expects that the Origin should start with the https scheme. The WebAuthN spec does not provide any details for the Android native Fido2 response on how one should validate the Origin.

Looking for suggestions on how to validate the clientDataJSON for the Android app and iOS app where the Fido2 authenticator is of platform type.

Regards,
Ashok
On server
I am using Android Fido2 Client API to register the user with RP.

Carsten Hagemann

Sep 27, 2020, 3:34:43 AM
to FIDO Dev (fido-dev), dhakar...@gmail.com
That "<hash>" is the SHA256 fingerprint of the Android signing key.

The same key needs to be added to the https://<your-domain.com>/.well-known/assetlinks.json file.

At runtime that value is verified by Google Play Services when you call the Fido2ClientApi.

For more details have a look at:

Regards,
Carsten
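
An added example, not part of the thread and not WebAuthn4J code: a server-side allowlist check that accepts the Android origin next to the RP's https origin. It assumes the `<hash>` is the unpadded base64url encoding of the SHA-256 signing-certificate fingerprint (the same fingerprint that assetlinks.json lists as colon-separated hex); the function names and sample values are constructed for illustration.

```python
import base64
import json

ANDROID_PREFIX = "android:apk-key-hash:"

# Constructed sample fingerprint in assetlinks.json style (bytes 0x00..0x1F).
SAMPLE_FINGERPRINT = ":".join(f"{i:02X}" for i in range(32))


def origin_from_fingerprint(hex_fingerprint: str) -> str:
    """Convert an AA:BB:... SHA-256 fingerprint into the Android origin string.

    Assumption: the origin carries the digest as base64url without padding.
    """
    digest = bytes.fromhex(hex_fingerprint.replace(":", ""))
    if len(digest) != 32:
        raise ValueError("expected a 32-byte SHA-256 fingerprint")
    encoded = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return ANDROID_PREFIX + encoded


def origin_allowed(client_data_json: bytes, web_origins, android_fingerprints) -> bool:
    """Exact-match the origin in clientDataJSON against the RP's allowlist.

    Malformed input is rejected instead of raising, and there is no prefix
    or substring matching: an unknown apk-key-hash must fail.
    """
    try:
        origin = json.loads(client_data_json)["origin"]
    except (ValueError, KeyError, TypeError):
        return False
    if not isinstance(origin, str):
        return False
    allowed = set(web_origins)
    allowed.update(origin_from_fingerprint(f) for f in android_fingerprints)
    return origin in allowed


if __name__ == "__main__":
    # Constructed clientDataJSON as an Android client would send it.
    sample = json.dumps({
        "type": "webauthn.create",
        "challenge": "constructed-challenge",
        "origin": origin_from_fingerprint(SAMPLE_FINGERPRINT),
    }).encode()
    print(origin_allowed(sample, ["https://example.com"], [SAMPLE_FINGERPRINT]))
```

The fingerprint list should hold only the signing keys of the RP's own app releases, the same ones published in its assetlinks.json.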