
Credential Manager: ClientDataJSON origin mismatch with webauthn library (Mismatch between FIDO2 and w3c webauthn)

Open FahadDaBest opened this issue 1 year ago • 8 comments

Right now Android matches the FIDO2 spec and always sets the FacetID to the android:apk-key-hash: https://fidoalliance.org/specs/uaf-v1.0-id-20141122/fido-appid-and-facets-v1.0-id-20141122.html

This becomes a problem because W3C WebAuthn doesn't allow non-http:// facet IDs: https://github.com/w3c/webauthn/issues/1297

The python webauthn library will also throw an exception if the decoded "origin" value from clientDataJSON doesn't match the expected_origin.

https://github.com/duo-labs/py_webauthn/blob/d8e78f000b08dcc15d194a904d1c2dd381f87a9c/webauthn/registration/verify_registration_response.py#L124

iOS has mitigated this issue in their webauthn library by forcing you to set the relying party to override the iOS app bundle ID normally used as their Facet ID according to FIDO2 Specs: https://developer.apple.com/documentation/authenticationservices/asauthorizationplatformpublickeycredentialprovider

I believe this was supposed to be done on Android with the origin field in CreatePublicKeyCredentialRequest; however, its value doesn't affect the output, and looking through the source code the field appears to be unused: https://developer.android.com/reference/androidx/credentials/CreatePublicKeyCredentialRequest

Please get this fixed before Credential Manager is stable. For now it forces developers to do hacky solutions of parsing to JSON objects, decoding, changing, re-encoding, and converting back to a string for the registrationResponseJson.

FahadDaBest avatar Jul 28 '23 22:07 FahadDaBest

Update: Manually overriding the "origin" field in clientDataJson allows registration to work; however, sign-in fails. Sign-in also requires the clientDataJson "origin" field to be overridden, and after overriding it we instead get an InvalidAuthenticationResponse.

I think this is due to the signature FE/BE not matching because of the hacky solution we use to change clientDataJson. This currently feels like a deadlock, but I will look into it further.

https://github.com/duo-labs/py_webauthn/blob/d8e78f000b08dcc15d194a904d1c2dd381f87a9c/webauthn/authentication/verify_authentication_response.py#L162

FahadDaBest avatar Jul 31 '23 18:07 FahadDaBest

Update:

  • Moved up to the beta version of Credential Manager, 1.2.0-beta01, as the release notes mentioned changes to check whether "origin" is populated. This doesn't resolve the existing issue of "origin" being set to android-apk-key-hash.
  • It also doesn't solve the InvalidAuthenticationResponse issue.

FahadDaBest avatar Jul 31 '23 22:07 FahadDaBest

Hey, thanks for sharing this. We are looking into it and will share an update soon.

niharika2810 avatar Aug 08 '23 06:08 niharika2810

I can also confirm I'm having the exact same problem.

rafaelmotta avatar Aug 14 '23 20:08 rafaelmotta

We faced that problem as well when integrating passkey functionality into the app.

Nublo avatar Aug 21 '23 11:08 Nublo

Hi all,

For information on the origin field on different platforms:

Upon the registration response, for Android, you should check the origin against the facetID based on the FIDO spec. It usually follows the format "android:apk-key-hash:<sha1_hash-of-apk-signing-cert>". Check this link: https://fidoalliance.org/specs/common-specs/fido-appid-and-facets-v2.1-ps-20220523.pdf

The sha1_hash can be calculated as follows (the keystore path is a placeholder for your own APK signing keystore):

keytool -exportcert -alias androiddebugkey -keystore <path-to-apk-signing-keystore> 2>/dev/null | openssl sha1 -binary | openssl base64 | sed 's/=//g'

More details can be found at https://fidoalliance.org/specs/uaf-v1.0-id-20141122/fido-appid-and-facets-v1.0-id-20141122.html#the-appid-and-facetid-assertions

Let us know if this helps!

We shall share the update on InvalidAuthenticationResponse soon!

niharika2810 avatar Aug 28 '23 08:08 niharika2810
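An added example (not code from this thread, py_webauthn, or Credential Manager) that ties the two points above together: building the expected Android facet ID from the signing certificate so the relying party can accept it alongside its web origin, and showing why the rewrite-the-origin workaround breaks signature verification, since the authenticator signs over the SHA-256 of the exact clientDataJSON bytes. The certificate bytes and challenge are constructed; the hash algorithm is a parameter because which digest the facet ID uses depends on the FIDO spec revision the platform follows, which this thread does not settle.

```python
import base64
import hashlib
import json

# Constructed stand-in for the DER bytes of an APK signing certificate (a real one is
# what `keytool -exportcert` emits); only its hash matters here.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00-constructed-sample-signing-cert-bytes"


def b64url_nopad(data: bytes) -> str:
    """base64url without '=' padding, as WebAuthn encodes binary fields."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def android_facet_id(cert_der: bytes, algo: str = "sha1") -> str:
    """'android:apk-key-hash:<hash-of-apk-signing-cert>' as the thread describes it.
    SHA-1 mirrors the keytool pipeline quoted above; the algorithm is a parameter
    because it depends on the FIDO spec revision (assumption, not stated on the page)."""
    return "android:apk-key-hash:" + b64url_nopad(hashlib.new(algo, cert_der).digest())


def build_sample_client_data(origin: str) -> str:
    """Constructed clientDataJSON (base64url) carrying the fields WebAuthn requires."""
    client_data = {"type": "webauthn.create",
                   "challenge": b64url_nopad(b"constructed-challenge"),
                   "origin": origin}
    return b64url_nopad(json.dumps(client_data).encode())


def origin_allowed(client_data_b64url: str, expected_origins: set) -> bool:
    """The relying-party check that fails in the thread: the decoded 'origin' must be one
    of the expected origins. Listing the Android facet ID next to the web origin accepts
    native-app responses without touching clientDataJSON."""
    origin = json.loads(b64url_decode(client_data_b64url)).get("origin")
    return origin in expected_origins


def client_data_hash(client_data_b64url: str) -> bytes:
    """The authenticator signs authenticatorData || SHA-256(clientDataJSON) over the exact
    bytes it produced, so this hash is what the relying party must reproduce."""
    return hashlib.sha256(b64url_decode(client_data_b64url)).digest()


def rewrite_origin(client_data_b64url: str, new_origin: str) -> str:
    """The workaround from the thread: decode, swap 'origin', re-encode. It passes the
    origin check but changes the signed bytes, hence InvalidAuthenticationResponse."""
    client_data = json.loads(b64url_decode(client_data_b64url))
    client_data["origin"] = new_origin
    return b64url_nopad(json.dumps(client_data).encode())
```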

We have the same problem with androidx.credentials:credentials:1.2.0. Is there any workaround?

amoral avatar Dec 01 '23 18:12 amoral

Hi all, we are having the same issue documented here since July.

Passkeys on android webview are not working as per the standard implementation.

There is a guide (https://developer.android.com/training/sign-in/passkeys) that describes how to use the credential manager and links to this repository with code that is incomplete.

There is a workaround documented here: https://passkeys-auth.com/docs/implementation/flutter/android/ ... using javascript injection... for a fee.

Google has been pushing passkeys for some time now... and yet they are not able to address a simple issue for months!

Can anyone assist with code that solves this issue?

Thank you

terastio avatar Dec 10 '23 03:12 terastio

Hi, for information on the origin field:

To understand origin on Android, please go through this information: https://developer.android.com/training/sign-in/passkeys#verify-origin

And for apps setting up the origin field: https://developer.android.com/training/sign-in/privileged-apps

We don't recommend that normal client apps set the origin field on their own.

Could you please let us know what exact issue you are facing after reading these? We should have fixed the invalid auth. response error.

Please let us know.

niharika2810 avatar Jan 16 '24 08:01 niharika2810

Hi, closing this as there has been no activity; please let me know if there's any other issue.

niharika2810 avatar Apr 28 '24 20:04 niharika2810