
Support FIDO2 platform authenticators natively in mobile apps

Open mooreds opened this issue 1 year ago • 2 comments


Problem

I want to use FIDO2 platform authenticators to authenticate my mobile apps (CTAP2 to be precise), not have to open a web browser for WebAuthn.

Solution

Support CTAP2 as a connection mechanism for passing up authenticator results from native mobile apps.

Alternatives/workarounds

Use WebAuthn support in FusionAuth, forcing the user to go to a web browser.

Additional context

Came up at a meetup where folks were talking about WebAuthn. Auth0 forces use of a browser.

Cross-platform authenticators are out of scope for this issue because they don't really fit the CIAM use case. If you want native support for native apps and cross-platform authenticators, please open another issue.

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

mooreds avatar Sep 15 '22 17:09 mooreds

@spwitt since we are building our support for WebAuthn with an API, will we get this for free, or with minor additions to the APIs we already have planned?

robotdan avatar Sep 19 '22 21:09 robotdan

We should get this functionality without any changes to the APIs. Most commonly a web browser will play the role of WebAuthn client, serving as the bridge to the authenticator device, but there are other options.

A quick search uncovered Android's Fido2ApiClient and iOS's ASAuthorizationSecurityKeyPublicKeyCredentialProvider. More investigation is needed, but it looks like these would work with the credential creation/request options returned by our APIs.

I would also like to point out that it is recommended you do not perform WebAuthn ceremonies within an embedded browser inside a native mobile app (such as Android's WebView or iOS's WKWebView) because of the amount of control the developer is given over the browser session in that case.

According to RFC 8252, Appendix B, which is about OAuth 2.0 in native apps but which I believe applies here as well, you can open a browser tab without leaving the app using SFSafariViewController (iOS) or the Android Custom Tabs feature. There may be additional entitlements required to support WebAuthn.

spwitt avatar Sep 20 '22 17:09 spwitt
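The reason the comment above expects no API changes is that the relying party never talks to the authenticator directly: whether a browser or a native platform API acted as the WebAuthn client, the server receives the same `clientDataJSON` and `authenticatorData` and runs the same checks on them. The example below is added here to illustrate those client-independent checks; it is not FusionAuth's code and does not use FusionAuth's API. It assumes a hypothetical RP ID `example.com`, a constructed assertion response, and an allowed-origin set that, beside the web origin, carries an `android:apk-key-hash:` entry with a placeholder hash, which is the origin form Android's FIDO2 API writes into `clientDataJSON` (a property of that API, not something stated on this page). The signature itself is checked by the caller over the returned `signed_data` using the credential's stored public key, which is outside this snippet.

```python
import base64
import hashlib
import json
import struct
from dataclasses import dataclass

# authenticatorData flag bits (WebAuthn spec, section 6.1)
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


@dataclass
class AuthenticatorData:
    rp_id_hash: bytes
    flags: int
    sign_count: int


def parse_authenticator_data(raw: bytes) -> AuthenticatorData:
    # Layout: rpIdHash (32) || flags (1) || signCount (4, big-endian) || optional extensions
    if len(raw) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    return AuthenticatorData(raw[:32], raw[32], struct.unpack(">I", raw[33:37])[0])


def verify_assertion(response, rp_id, expected_challenge, allowed_origins,
                     stored_sign_count, require_uv=False):
    """Run the client-independent checks of a WebAuthn assertion.

    Returns the bytes the authenticator signed; the caller verifies
    response["signature"] over them with the credential's public key.
    """
    client_data_raw = b64url_decode(response["clientDataJSON"])
    client_data = json.loads(client_data_raw)
    if client_data.get("type") != "webauthn.get":
        raise ValueError("clientDataJSON.type is not webauthn.get")
    # clientDataJSON carries the challenge base64url-encoded
    if client_data.get("challenge") != b64url_encode(expected_challenge):
        raise ValueError("challenge mismatch (replay or wrong session)")
    # A browser reports an https origin; Android's FIDO2 API reports
    # "android:apk-key-hash:<hash>", so the allow-list must carry both.
    if client_data.get("origin") not in allowed_origins:
        raise ValueError(f"unexpected origin {client_data.get('origin')!r}")

    auth_data_raw = b64url_decode(response["authenticatorData"])
    auth_data = parse_authenticator_data(auth_data_raw)
    if auth_data.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match RP ID")
    if not auth_data.flags & FLAG_UP:
        raise ValueError("user presence flag not set")
    if require_uv and not auth_data.flags & FLAG_UV:
        raise ValueError("user verification required but UV flag not set")
    # Counter check: a non-increasing counter suggests a cloned credential.
    # Some platform authenticators always report 0, which the spec permits.
    if (auth_data.sign_count or stored_sign_count) and auth_data.sign_count <= stored_sign_count:
        raise ValueError("signature counter did not increase")

    return {
        "signed_data": auth_data_raw + hashlib.sha256(client_data_raw).digest(),
        "new_sign_count": auth_data.sign_count,
        "user_verified": bool(auth_data.flags & FLAG_UV),
        "origin": client_data["origin"],
    }


# --- constructed sample, not a real capture ---------------------------------
RP_ID = "example.com"                    # hypothetical RP ID
CHALLENGE = bytes(range(32))             # constructed challenge
ANDROID_ORIGIN = "android:apk-key-hash:PLACEHOLDER_APK_SIGNING_CERT_HASH"
ALLOWED_ORIGINS = {"https://login.example.com", ANDROID_ORIGIN}


def build_sample_assertion(origin, sign_count=7, flags=FLAG_UP | FLAG_UV):
    # Builds the two fields a verifier inspects; the signature is left empty
    # because this sample has no private key behind it.
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url_encode(CHALLENGE),
                              "origin": origin}).encode()
    auth_data = (hashlib.sha256(RP_ID.encode()).digest()
                 + bytes([flags]) + struct.pack(">I", sign_count))
    return {"clientDataJSON": b64url_encode(client_data),
            "authenticatorData": b64url_encode(auth_data),
            "signature": ""}


if __name__ == "__main__":
    result = verify_assertion(build_sample_assertion(ANDROID_ORIGIN), RP_ID, CHALLENGE,
                              ALLOWED_ORIGINS, stored_sign_count=6)
    print("accepted origin:", result["origin"], "counter:", result["new_sign_count"])
```

The only place a native client shows up in this flow is the origin allow-list: the server must know the app's `android:apk-key-hash:` value (or the web origin an iOS associated-domains app reports) in advance, and an embedded WebView that can be scripted by the host app is exactly what makes that origin untrustworthy, which is the concern raised in the comment above.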