
Please add Firefox Nightly to fido2_privileged_allow_list.json.

Open h4WXNlvFF1e4H0qUae7jvuhmzg8hB19p3no4JhB opened this issue 1 year ago • 12 comments

Steps To Reproduce

  1. Navigate to a website that supports passkey.
  2. The passkey list is shown.
  3. Select a passkey.

Expected Result

Bitwarden shows the (fingerprint) authentication form and continues to the website.

Actual Result

An error occurred. "Passkey operation failed because browser is not privileged"

Screenshots or Videos

No response

Additional Context

There is no Firefox Nightly (org.mozilla.fenix) in fido2_privileged_allow_list.json.

Operating System

Android

Operating System Version

14

Device

Samsung Galaxy S24+

Build Version

2024.5.1 (10574)

Beta

  • [ ] Using a pre-release version of the application.

Hi there,

Thank you for your report! This has been flagged to our engineering team.

Can Iceraven also be added? Firefox fork for Android https://github.com/fork-maintainers/iceraven-browser

RadNotRed avatar Jul 24 '24 16:07 RadNotRed

Fennec (F-Droid's fork of Firefox) also seems not to be in the list.

yetdragon avatar Jul 28 '24 23:07 yetdragon

Mull also isn't privileged.

M3gaFr3ak avatar Aug 07 '24 10:08 M3gaFr3ak

How are browser developers on Android expected to work around this when testing passkey support with Bitwarden?

bb010g avatar Aug 31 '24 21:08 bb010g

This issue was introduced by:

  • https://github.com/bitwarden/mobile/pull/3190

Could we be informed of the reasoning behind PM-7658 and why it's beneficial and/or necessary for Bitwarden to implement its own verification on top of Android's existing passkey flow?

bb010g avatar Aug 31 '24 22:08 bb010g

Seconding bb010g: This seems like a poor design choice. What benefit is there to locking out uncommon/nonstandard browsers from passkey usage? Surely it should be the user's responsibility to avoid unsafe browsers, not Bitwarden's to refuse to interoperate with them.

If there really is a need for this, perhaps a setting could be added by which users can whitelist specific apps (such as Firefox Nightly) to be considered privileged, so that at the very least it isn't something that requires a PR to fix for each new browser.

seaglade avatar Sep 01 '24 01:09 seaglade

How's it looking?

hellfire103 avatar Sep 27 '24 01:09 hellfire103

@vvolkgang @fedemkr Please give some priority to this issue. A whole set of users are not able to use passkeys because your team forgot to include Firefox Nightly in the allowed browsers list. We have Chrome Canary in the list but not Firefox Nightly.

Why is user choice being taken away in the first place? Why should I only use the browsers mentioned in the list?

It feels like the team's priority is to make meaningless design changes instead of fixing the bugs which are significantly hammering the usability.

hj-collab avatar Oct 16 '24 17:10 hj-collab

👋🏾 We're following Google's security guidelines and API requirements, as documented here: https://developer.android.com/identity/sign-in/credential-provider#obtain-allowlist

In the new bitwarden/android repository we recently improved this approach by creating a community supported allow list file where you'll find some of the browsers previously mentioned in this thread and are also free to contribute to with additional browsers:

https://github.com/bitwarden/android/blob/main/app/src/main/assets/fido2_privileged_community.json

vvolkgang avatar Oct 17 '24 23:10 vvolkgang
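The allowlist check described in the reply above, as an added example that is not part of this thread or of Bitwarden's code. It assumes the JSON layout of Google's privileged-app allowlist (an "apps" array of package names with release signing-certificate SHA-256 fingerprints) and uses constructed placeholder fingerprints; it shows why a browser that is missing from the default list, or present under a different signing certificate, is reported as not privileged, and how a default list and a community list would be merged.

```python
import json

# Constructed placeholder fingerprints (32 bytes, colon-separated hex). These are
# NOT real signing certificates; the layout mirrors Google's allowlist docs.
CHROME_CANARY_FP = ":".join(["AB"] * 32)
FENIX_FP = ":".join(["CD"] * 32)

# Constructed default allowlist: only Chrome Canary is listed (assumed format).
DEFAULT_ALLOWLIST = json.dumps({"apps": [
    {"type": "android", "info": {
        "package_name": "com.chrome.canary",
        "signatures": [{"build": "release",
                        "cert_fingerprint_sha256": CHROME_CANARY_FP}]}},
]})

# Constructed community allowlist that adds Firefox Nightly (org.mozilla.fenix).
COMMUNITY_ALLOWLIST = json.dumps({"apps": [
    {"type": "android", "info": {
        "package_name": "org.mozilla.fenix",
        "signatures": [{"build": "release",
                        "cert_fingerprint_sha256": FENIX_FP}]}},
]})


def load_privileged_apps(*documents: str) -> dict[str, set[str]]:
    """Merge one or more allowlist documents into {package_name: {fingerprints}}.

    Entries for the same package from several documents are unioned, so a
    community list can extend the defaults without overriding them.
    """
    apps: dict[str, set[str]] = {}
    for doc in documents:
        for entry in json.loads(doc).get("apps", []):
            if entry.get("type") != "android":
                continue  # only Android package entries are relevant here
            info = entry["info"]
            fps = {s["cert_fingerprint_sha256"].upper()
                   for s in info.get("signatures", [])
                   if s.get("build", "release") == "release"}
            apps.setdefault(info["package_name"], set()).update(fps)
    return apps


def is_privileged(apps: dict[str, set[str]], package_name: str,
                  cert_fingerprint_sha256: str) -> bool:
    """A caller is privileged only if BOTH its package name and the SHA-256 of its
    signing certificate appear in the allowlist; the package name alone is not
    enough, since any app can claim a package name but not its signing key."""
    return cert_fingerprint_sha256.upper() in apps.get(package_name, set())
```

With only the default list loaded, org.mozilla.fenix fails the check exactly as reported above; loading the community list alongside it makes the same call succeed, while a matching package name with a different certificate still fails.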

@vvolkgang Thanks for the update. I am sorry for being harsh. Will look forward to release of the new bitwarden android app.

hj-collab avatar Oct 18 '24 07:10 hj-collab

@vvolkgang I'm glad to see the new process for the rewrite. Could allowlist changes from there be mechanically backported to here until the original app is deprecated?

bb010g avatar Oct 19 '24 06:10 bb010g

👋🏾 We're following Google's security guidelines and API requirements, as documented here: https://developer.android.com/identity/sign-in/credential-provider#obtain-allowlist

In the new bitwarden/android repository we recently improved this approach by creating a community supported allow list file where you'll find some of the browsers previously mentioned in this thread and are also free to contribute to with additional browsers:

https://github.com/bitwarden/android/blob/main/app/src/main/assets/fido2_privileged_community.json

Hi, this list should not be hardcoded (even if done through community sourcing); instead there should be a user setting to add browser package names to the list in the app that is passed on to the API. Defaults can be provided but should not be the be-all and end-all.

What happens if another browser is created? Users have to wait for it to be added to the community whitelist? Why not make it user configurable, and you can keep the (default) whitelist if you want to?

Snuupy avatar Oct 24 '24 23:10 Snuupy

In fact, the Firefox Nightly org.mozilla.fenix mentioned in this issue still hasn't been added to the allowed list?

yoyo930021 avatar Nov 01 '24 06:11 yoyo930021

This should now be fixed in the main branch for the native app, Firefox Nightly should work soon (https://github.com/bitwarden/android/pull/4450)

I originally did not add F Nightly because I honestly thought it was already trusted by Google, actually in my mind I had seen it, anyone using Mull, Fennec, Mulch, CalyxOS Chromium, Cromite (possibly a few others I don't remember) those are already in the list and if they're not working, it's either the browser not properly using the right APIs, or you're not in Android 14+, or something else's off with BW. The Chromium browsers seem to be a bit broken with that ATM unfortunately.

lucasmz-dev avatar Dec 12 '24 23:12 lucasmz-dev

According to https://github.com/bitwarden/android/blob/main/app/src/main/assets/fido2_privileged_community.json Quetta browser is supported, but I still get the same "Passkey operation failed because browser is not privileged". Is it because that file isn't live yet? Is there a way to whitelist a browser, even if it requires root?

50P15 avatar Jan 15 '25 20:01 50P15

This repo has been archived. To report an issue you're experiencing in the new native apps, visit the iOS / Android repo.

closebot-bw avatar May 06 '25 20:05 closebot-bw