Support Android's FIDO2 origin #393

Open
giann opened this issue Apr 25, 2023 · 8 comments

giann commented Apr 25, 2023

Description

In Android's FIDO2 implementation, the clientDataJSON's origin is not the rpId but a hash of the apk signature key like so:

{
  "type": "webauthn.create",
  "challenge": "XaAWM4lgb_GjwtfnANmevCo_Wc9L6I5RSRd6Rgia3F8",
  "origin": "android:apk-key-hash:sjYxqUM11Op8oHJuOdbrsCqtvYvbKHhQoKBlt28dLec",
  "androidPackageName": "com.my.app"
}

The link with the relying party is done by checking that the key's fingerprint is present at https://my-relying-party.com/.well-known/assetlinks.json.

Would it be possible for webauthn-framework to support this?

Spomky self-assigned this Apr 25, 2023
Spomky added the enhancement (New feature or request) label Apr 25, 2023
Spomky added this to the 4.6.0 milestone Apr 25, 2023
Contributor

Spomky commented Apr 25, 2023

Hi,

> Would it be possible for webauthn-framework to support this?

Good question. At first sight I would say yes. Let me dig deeper into the documentation first.
Also, it would be nice if you could send real options and authenticator responses as JSON. This will certainly help me test it.

Regards.

Author

giann commented Apr 25, 2023

Thanks for the quick answer!

I started implementing it in a fork.

I'd have to edit out some elements of options and authenticator response before posting it here. Not sure it would be helpful to you then?

giann added a commit to giann/webauthn-framework that referenced this issue Apr 25, 2023
giann added a commit to giann/webauthn-framework that referenced this issue Apr 25, 2023
giann added a commit to giann/webauthn-framework that referenced this issue Apr 25, 2023
giann added a commit to giann/webauthn-framework that referenced this issue Apr 25, 2023
Spomky removed this from the 4.6.0 milestone May 21, 2023

LauJosefsen commented Jan 19, 2024

What is the status of this issue?

Did you have a working fork, @giann?

Would a PR be appreciated? If so, what solution is desired? I was thinking of being able to provide a list of whitelisted origins maybe? Or integration/interpretation of the .well-known/assetlinks.json?

Here is a sample clientData JSON array from an Android attestation request:

{
    "type": "webauthn.create",
    "challenge": "QtZ8KlBHsey4FuBsz_Pr4fmA_hn5A3lEqFWOpoo1TXk",
    "origin": "android:apk-key-hash:NztP-sfNqy2_XIe4erm4qR-w4eRJ2Dl6JduFbPCYHik",
    "androidPackageName": "com.example"
}

The key hash is the base64url unpadded encoding of the hex2binary decoded fingerprint listed in .well-known/assetlinks.json.

Edit: Just forked the 4.8 branch, and I saw you guys have already made changes to the origin check, and it looks possible to hook into and whitelist origins on this version. So I think 4.8/5.0 will resolve this issue.
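
The check described in this thread, as an added example (not webauthn-framework code and not written by any participant): decode the `android:apk-key-hash:` origin to its 32 raw bytes and compare it with the `sha256_cert_fingerprints` that assetlinks.json lists for the package. The function names are hypothetical, the assetlinks.json body is built inline from the sample origin above instead of being fetched from the relying party's domain, and the statements' `relation` values are not inspected.

```php
<?php
// Returns the 32 raw SHA-256 bytes carried by an Android origin, or null if malformed.
function androidOriginKeyHash(string $origin): ?string
{
    // 32 bytes encode to exactly 43 unpadded base64url characters.
    if (preg_match('/^android:apk-key-hash:([A-Za-z0-9_-]{43})$/D', $origin, $m) !== 1) {
        return null;
    }
    $raw = base64_decode(strtr($m[1], '-_', '+/') . '=', true);
    return ($raw !== false && strlen($raw) === 32) ? $raw : null;
}

// Raw fingerprints that an assetlinks.json body declares for one Android package.
function assetLinksFingerprints(string $json, string $package): array
{
    $statements = json_decode($json, true);
    $out = [];
    foreach (is_array($statements) ? $statements : [] as $statement) {
        $target = $statement['target'] ?? null;
        if (!is_array($target) || ($target['namespace'] ?? null) !== 'android_app'
            || ($target['package_name'] ?? null) !== $package) {
            continue;
        }
        foreach ((array) ($target['sha256_cert_fingerprints'] ?? []) as $fp) {
            $hex = is_string($fp) ? str_replace(':', '', $fp) : '';
            if (preg_match('/^[0-9A-Fa-f]{64}$/', $hex) === 1) {
                $out[] = hex2bin($hex);
            }
        }
    }
    return $out;
}

// $package comes from server configuration, not from the client-supplied clientDataJSON.
function isAllowedAndroidOrigin(string $origin, string $package, string $assetLinksJson): bool
{
    $hash = androidOriginKeyHash($origin);
    return $hash !== null && in_array($hash, assetLinksFingerprints($assetLinksJson, $package), true);
}

// Constructed demo: fingerprint derived from the sample origin quoted in the thread.
$origin = 'android:apk-key-hash:NztP-sfNqy2_XIe4erm4qR-w4eRJ2Dl6JduFbPCYHik';
$fp = strtoupper(implode(':', str_split(bin2hex(androidOriginKeyHash($origin)), 2)));
$links = json_encode([['relation' => ['delegate_permission/common.get_login_creds'],
    'target' => ['namespace' => 'android_app', 'package_name' => 'com.example',
                 'sha256_cert_fingerprints' => [$fp]]]]);
var_dump(isAllowedAndroidOrigin($origin, 'com.example', $links));
var_dump(isAllowedAndroidOrigin($origin, 'com.other.app', $links));
```

Comparing decoded bytes rather than strings avoids mismatches from hex case, colon separators, or base64 padding variants.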

Contributor

Spomky commented Feb 23, 2024

> Edit: Just forked the 4.8 branch, and I saw you guys have already made changes to the origin check, and it looks possible to hook into and whitelist origins on this version. So I think 4.8/5.0 will resolve this issue.

Indeed. I am not sure to implement this feature and I took the opportunity of 4.8 to extract input verification to dedicated services.
It will be easier to include such origins in the future.

Spomky added this to the 5.1.0 milestone Feb 23, 2024
@viniciushrk

I saw this problem, and found a possible solution.

[Image: screenshot 2024-03-07 105039]

Basically, it checks if the origin is a URL; if not, it validates if the origin has the Android origin.

I think there are no breaking changes.


ks217 commented Apr 19, 2024

Hi, I am facing the same issue on a project.
Is there any rough plan on how this can be implemented or fixed?
I would be happy to create a PR for this if someone can guide me.

> and it looks possible to hook into and whitelist origins on this version. So I think 4.8/5.0 will resolve this issue.

Is it already possible to validate android:apk-key-hash:<sdk-fingerprint> with 4.8?

Contributor

Spomky commented Apr 19, 2024

The plan is to rely on an interface to validate the origins.
This will arrive soon.

@WaylandAce

@Spomky Hello, any updates here?
