Closed melissaahn closed 2 months ago
✅ Work item link check complete. Description contains link AB#3027082 to an Azure Boards work item.
As discussed with the PMs, we are going to use this API as a fallback from an attempt with CredMan in the case where a NoCredentialException is thrown AND the device OS is Android 13 or lower.
<< (Assuming that Crewman on <=13 is always going to fail) why not just do the OS check?
@rpdome This is actually something I'm trying to ask Android about. Context is that CredMan on <=13 does not always fail; it's supposed to work for GPM passkeys. And on the FIDO2 legacy API docs, they recommend using CredMan for passkey purposes. Thing is, I do think GPM passkeys appear as an option in the legacy API UI dialog. I don't know if it actually works, due to a lack of Android 13 devices and some server-side bugs, but I agree that if it can be asserted that it works on Android 13 and below, it would be much simpler to do an OS check.
Left a few suggestions. None blocking.
Summary
Android's Credential Manager API does not have FIDO2 security key support for Android versions 13 and below. They recommend using their legacy FIDO2 API instead. Thus, this PR includes and uses the legacy FIDO2 API in order to provide FIDO2 security key support for our customers using Android 13 and below.
As discussed with the PMs, we are going to use this API as a fallback from an attempt with CredMan in the case where a `NoCredentialException` is thrown AND the device OS is Android 13 or lower. As a supplement, we're setting `preferImmediatelyAvailableCredentials` in the CredMan `GetCredentialRequest` object to true if the device OS is Android 13 or lower. This ensures the behavior where no dialog from CredMan is shown if no passkey cred is present. The end goal is for an Android <= 13 user who only has a security key to see one dialog which will allow them to authenticate.

This PR includes some new classes in the `fido` package. I attempted to draw a diagram to explain the relation:

The legacy FIDO2 API provides a `PendingIntent` which the host app needs to start, and when the resulting Activity closes is when we get our results. This is different from CredMan's exposed endpoints, and thus I tried to wrap the legacy API in such a way which mimics the behavior of CredMan.

Some unit tests have been added, and I am going to continue to add unit tests this month, but I'm planning on splitting this up into another PR since this PR is already on the longer side. (Shadow and extended classes will be needed.)

There is a flight variable guarding the feature, but since the logic is in common, the `CommonFlight` variable is set to true by default, while the `BrokerFlight` variable is set to false by default.

AB#3027082
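The fallback the description outlines, written out as an added example (this is not code from the PR or from the project's `fido` package). It uses only the public `androidx.credentials` and `play-services-fido` APIs; the class name `SecurityKeyFallback`, the `legacyLauncher` wiring, and the caller-supplied `requestJson`, `challenge` and `rpId` are assumptions, and the project's flight check is left out.

```kotlin
// Added example, not the PR's own code. SecurityKeyFallback, legacyLauncher and the
// request inputs are assumptions; the androidx.credentials / play-services-fido calls are real.
import android.app.Activity
import android.app.PendingIntent
import android.content.Intent
import android.os.Build
import androidx.activity.result.ActivityResultLauncher
import androidx.activity.result.IntentSenderRequest
import androidx.credentials.CredentialManager
import androidx.credentials.GetCredentialRequest
import androidx.credentials.GetCredentialResponse
import androidx.credentials.GetPublicKeyCredentialOption
import androidx.credentials.exceptions.NoCredentialException
import com.google.android.gms.fido.Fido
import com.google.android.gms.fido.fido2.api.common.PublicKeyCredential
import com.google.android.gms.fido.fido2.api.common.PublicKeyCredentialRequestOptions

class SecurityKeyFallback(
    private val activity: Activity,
    // Registered by the host with ActivityResultContracts.StartIntentSenderForResult();
    // the legacy API only reports a result when the Activity it starts closes.
    private val legacyLauncher: ActivityResultLauncher<IntentSenderRequest>,
) {
    private val credMan = CredentialManager.create(activity)

    // Android 13 is API 33 (TIRAMISU); this is the range without CredMan security-key support.
    private fun isAndroid13OrLower(): Boolean =
        Build.VERSION.SDK_INT <= Build.VERSION_CODES.TIRAMISU

    /** Returns the CredMan response, or null when the caller should fall back to the legacy API. */
    suspend fun getPasskey(requestJson: String): GetCredentialResponse? {
        val request = GetCredentialRequest.Builder()
            .addCredentialOption(GetPublicKeyCredentialOption(requestJson))
            // On <=13 suppress the empty CredMan dialog so a security-key-only user sees one dialog.
            .setPreferImmediatelyAvailableCredentials(isAndroid13OrLower())
            .build()
        return try {
            credMan.getCredential(activity, request)
        } catch (e: NoCredentialException) {
            // Fall back only when BOTH conditions hold; any other case surfaces the error.
            if (isAndroid13OrLower()) null else throw e
        }
    }

    /** Starts the legacy FIDO2 sign flow; the result arrives through legacyLauncher's callback. */
    fun startLegacySign(challenge: ByteArray, rpId: String) {
        val options = PublicKeyCredentialRequestOptions.Builder()
            .setChallenge(challenge)
            .setRpId(rpId)
            .build()
        Fido.getFido2ApiClient(activity)
            .getSignPendingIntent(options)
            .addOnSuccessListener { pendingIntent: PendingIntent ->
                legacyLauncher.launch(IntentSenderRequest.Builder(pendingIntent).build())
            }
            .addOnFailureListener { /* report as an authentication failure to the caller */ }
    }

    /** Turns the legacy Activity result into a PublicKeyCredential, or null on cancel / no data. */
    fun parseLegacyResult(resultCode: Int, data: Intent?): PublicKeyCredential? {
        if (resultCode != Activity.RESULT_OK || data == null) return null
        val bytes = data.getByteArrayExtra(Fido.FIDO2_KEY_CREDENTIAL_EXTRA) ?: return null
        return PublicKeyCredential.deserializeFromBytes(bytes)
    }
}
```

Usage order from the host: call `getPasskey` first; only a null return (meaning `NoCredentialException` on Android 13 or lower) should lead to `startLegacySign`, and the launcher callback hands its `resultCode`/`Intent` to `parseLegacyResult`. Keeping the OS check inside the catch block rather than before the CredMan attempt matches the description: CredMan is still tried first so GPM passkeys on <=13 are not bypassed.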