Is there a working usage example of FIDO 2 API in Android?


Martin Patefield Smith

Feb 15, 2019, 5:59:40 AM
to FIDO Dev (fido-dev)
Hi all,

I have started experimenting with calling the Google FIDO 2 Client API from an Android app, to see if I could get it working. As far as I can see I'm calling it correctly, but I am having issues getting the FIDO 2 intent to actually display anything. I was wondering if anybody on this forum has got the API working from an app and could share what they actually did as I can't find any example code from Google.

I have attached the code and manifest which show what I'm doing, which I believe are the absolute basic things to get the API to work. I've also attached device logs from Chrome vs device logs from my app. What I see is that when I call fido2PendingIntent.launchPendingIntent a new blank activity is displayed and the application hangs.

Any ideas what I'm missing?

FYI I'm running my sample app on a Samsung 8 running Android 8.0.0 and am targeting SDK version 28 in my app and building against version 17.0.0 of play-services-fido.

Thanks,

Martin Patefield-Smith
Technical Architect
Daon
Chrome make cred.txt
Mps make cred.txt
MainActivity.java
AndroidManifest.xml

Kieun Shin

Feb 15, 2019, 8:05:26 AM
to FIDO Dev (fido-dev)
The API is still a private beta version. So, your app should be white-listed from Google's side.
You'd better wait for the official release.

Thanks. 

Martin Patefield Smith

Feb 15, 2019, 8:42:47 AM
to FIDO Dev (fido-dev)
Hi,

Thanks for the information. I saw an older mail saying that but I don't see any errors in the logs that indicate I'm being blocked, and it looks like the OS is at least attempting to do something. Have you tried it yourself?

Thanks,

Martin

Fred Le Tamanoir

Feb 15, 2019, 8:58:56 AM
to Martin Patefield Smith, FIDO Dev (fido-dev)
Hi, is there an ETA for the official release?


Kieun Shin

Feb 15, 2019, 9:06:59 AM
to FIDO Dev (fido-dev)
You need to see some system logs for that. But anyway, you cannot call that API properly without white listing your app.
For our case, we've added our app to Google's white lists. So it works well as we've expected.

Thanks.

Kieun Shin

Feb 15, 2019, 9:07:31 AM
to FIDO Dev (fido-dev), martinpate...@gmail.com
I don't know the details. You'd better ask a Googler.

Martin Patefield-Smith

Feb 15, 2019, 10:58:26 AM
to Kieun Shin, FIDO Dev (fido-dev)
Thanks for the additional information. Is there an official process for adding an app to the Google whitelist? How would I go about doing that?

Martin

Martin Patefield Smith

Feb 15, 2019, 11:03:27 AM
to FIDO Dev (fido-dev)
Hi,

Are any Google folk on this forum able to point me in the right direction as to how to get whitelisted to use the FIDO 2 API or give an ETA for public access to this interface? Any help much appreciated!

Thanks,

Martin

Fred Le Tamanoir

Feb 19, 2019, 6:39:29 AM
to FIDO Dev (fido-dev)
Recently the whitelisting requirement was removed. Enjoy.

Jedri Visser

Feb 19, 2019, 1:52:36 PM
to FIDO Dev (fido-dev)
I had the same problem. 

You need to host an assetlinks.json file at https://<rp_id>/.well-known/assetlinks.json with Content-Type: application/json instead of a trustedFacets file, like this one:

Jedri Visser

Feb 22, 2019, 4:07:20 AM
to FIDO Dev (fido-dev)
A working example can be found here: https://github.com/jedrivisser/fido2-android-api-demo


Martin Patefield Smith

Feb 26, 2019, 6:06:29 AM
to FIDO Dev (fido-dev)
Hi,

Thanks very much for the information. I'll try that and see if it works. Out of interest, how did you find that out?

Thanks,

Martin

Jedri Visser

Feb 26, 2019, 7:29:49 AM
to FIDO Dev (fido-dev)
This is the way Android apps are given access to website information for other features, and the description of Google Digital Asset Links sounds applicable:

The Digital Asset Links protocol and API enable an app or website to make public, verifiable statements about other apps or websites. For example, a website can declare that it is associated with a specific Android app, or it can declare that it wants to share user credentials with another website.

Here are some possible uses for Digital Asset Links:

Website A declares that links to its site should open in a designated app on mobile devices, if the app is installed.
Website A declares that it can share its Chrome user credentials with website B so that the user won't have to log in to website B if it is logged into website A.
App A declares that it can share device settings, such as location, with website B.

I have used it for App Links but it seemed to fit exactly what it is used for with Smart Lock for Passwords on Android:

If your app that uses Smart Lock for Passwords shares a user database with your website—or if your app and website use federated sign-in providers such as Google Sign-In—you can associate the app with the website so that users save their credentials once and then automatically sign in to both the app and the website.

Jedri Visser

Feb 26, 2019, 8:43:37 AM
to FIDO Dev (fido-dev)
Just found a reference to this. Very hard to find, kind of hidden under Public Methods and then setRp:

Note: the RpId should be an effective domain (aka, without scheme or port); and it should also be in secure context (aka https connection). Apps-facing API needs to check the package signature against Digital Asset Links, whose resource is the RP ID with prepended "//". Privileged (browser) API doesn't need the check.
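
An added example, not part of any post in this thread and not code from the linked demo repository: a Python check of the two requirements raised above, that the RP ID is a bare domain (no scheme or port) and that the file served at https://<rp_id>/.well-known/assetlinks.json with Content-Type application/json carries a statement for the app's package name and signing-certificate SHA-256 fingerprint. The package name, fingerprint and default relation string are assumptions (constructed sample values); the thread does not say which relation the API checks.

```python
import json
import re

# Assumption: the thread does not say which relation the FIDO2 API checks, so it
# is a parameter; this default is the Digital Asset Links app-linking relation.
DEFAULT_RELATION = "delegate_permission/common.handle_all_urls"
HOST_RE = re.compile(r"^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
FP_RE = re.compile(r"^([0-9A-F]{2}:){31}[0-9A-F]{2}$")

def assetlinks_url(rp_id):
    """Build the well-known URL; reject RP IDs that carry a scheme, port or path."""
    if not HOST_RE.match(rp_id.lower()):
        raise ValueError(f"RP ID must be a bare domain: {rp_id!r}")
    return f"https://{rp_id.lower()}/.well-known/assetlinks.json"

def app_is_linked(body, content_type, package, fingerprint, relation=DEFAULT_RELATION):
    """Return (ok, reason) for an already-fetched assetlinks.json response."""
    if content_type.split(";")[0].strip().lower() != "application/json":
        return False, "wrong Content-Type"
    want = fingerprint.upper()
    if not FP_RE.match(want):
        return False, "fingerprint is not a colon-separated SHA-256"
    try:
        statements = json.loads(body)
    except ValueError:
        return False, "body is not JSON"
    if not isinstance(statements, list):
        return False, "top level must be a list of statements"
    for st in statements:
        target = st.get("target") if isinstance(st, dict) else None
        if not isinstance(target, dict):
            continue
        prints = [str(f).upper() for f in target.get("sha256_cert_fingerprints", [])]
        if (relation in (st.get("relation") or [])
                and target.get("namespace") == "android_app"
                and target.get("package_name") == package
                and want in prints):
            return True, "linked"
    return False, "no matching statement"

# Constructed sample values (not from the thread).
SAMPLE_PACKAGE = "com.example.fido2demo"
SAMPLE_FP = ":".join(["AB"] * 32)
SAMPLE_BODY = json.dumps([{"relation": [DEFAULT_RELATION], "target": {
    "namespace": "android_app", "package_name": SAMPLE_PACKAGE,
    "sha256_cert_fingerprints": [SAMPLE_FP]}}])

if __name__ == "__main__":
    print(assetlinks_url("example.com"))
    print(app_is_linked(SAMPLE_BODY, "application/json", SAMPLE_PACKAGE, SAMPLE_FP))
```

The fingerprint to compare is the SHA-256 of the certificate that signs the installed APK, so a debug build and a release build need separate entries in the file.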