clientDataJSON.origin in Android app

[Andrey Paramonov]

Greetings,

Do you know if string like this

android:apk-key-hash:JkaHB2AO3EdBdsJYCnoZJTYzqzN4P6qR15EyfbgtTDM 

is a valid value for the origin field inside clientDataJSON during WebAuthn attestation? If so, what should RP do to validate it?

Thanks.

[My1]

Well if an rp expects an android app doing fido, they should check for it. The data is pretty likely the base64 or base64url representation of the signing key of the apk

This message (including any attachments) may contain confidential, proprietary, privileged and/or private information. The information is intended to be for the use of the individual or entity designated above. If you are not the intended recipient of this message, please notify the sender immediately, and delete the message and any attachments. Any disclosure, reproduction, distribution or other use of this message or any attachments by an individual or entity other than the intended recipient is prohibited.

--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/11be180b-c76a-4d5d-97c5-2c805b72a4c3n%40fidoalliance.org.

[Andrey Paramonov]

Do you know if it is possible to change Android code to return web origin instead of the origin in android:... format?

[My1]

Kick the user into the browser or a webview maybe?

The ideal change is just to have your server also accept the android origin