Yubico / java-webauthn-server

Server-side Web Authentication library for Java https://www.w3.org/TR/webauthn/#rp-operations

Android app sha256 signature is not supported as origin #332

Closed pitampoudel closed 7 months ago

pitampoudel commented 7 months ago

Android recommends implementing that way to put the sha256 signature as the origin but the yubico.webauthn library does not support that.

```
TRACE com.yubico.webauthn.OriginMatcher - isAllowed(android:apk-key-hash:qvuLMyLL__vtfHay6y_KGGHYL5Qkkf5aufucFCAtWVE, [https://pitampoudel.com.np], false, false)
DEBUG com.yubico.webauthn.OriginMatcher - Origin in client data is not a valid URL; will only match exactly: android:apk-key-hash:qvuLMyLL__vtfHay6y_KGGHYL5Qkkf5aufucFCAtWVE
DEBUG com.yubico.webauthn.OriginMatcher - No match: android:apk-key-hash:qvuLMyLL__vtfHay6y_KGGHYL5Qkkf5aufucFCAtWVE != https://pitampoudel.com.np
com.yubico.webauthn.exception.RegistrationFailedException: java.lang.IllegalArgumentException: Incorrect origin: android:apk-key-hash:qvuLMyLL__vtfHay6y_KGGHYL5Qkkf5aufucFCAtWVE
```

pitampoudel commented 7 months ago

Please take a look at FinishRegistrationSteps.java.

emlun commented 7 months ago

Hi! This looks like a duplicate of #159, is it?

pitampoudel commented 7 months ago

Yes. Thank you!

emlun commented 7 months ago

Great! But since this has come up a couple of times now, we should probably mention this in the usage instructions. I'll keep the issue open to track that.
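
Added example (not part of this thread and not java-webauthn-server code): the log above shows that a non-URL origin is accepted only on an exact string match against the allowed-origins list, so the server operator needs the precise `android:apk-key-hash:` string for the app's signing certificate. This sketch converts between that string and a keytool-style SHA-256 fingerprint and reproduces the exact-match check. It assumes Java 17+ and that the value after the prefix is the unpadded base64url encoding of the certificate's SHA-256 digest; the class and method names are hypothetical.

```java
import java.util.Base64;
import java.util.HexFormat;
import java.util.Set;

// Added example, not java-webauthn-server code. Class and method names are hypothetical.
// Assumes the Android format: prefix + unpadded base64url of the signing cert's SHA-256.
public class ApkKeyHashOrigin {
    static final String PREFIX = "android:apk-key-hash:";
    static final HexFormat HEX = HexFormat.ofDelimiter(":").withUpperCase();

    // keytool-style fingerprint ("AB:CD:...") -> origin string the Android client sends.
    static String originFromFingerprint(String fingerprint) {
        byte[] digest = HEX.parseHex(fingerprint.trim());
        requireSha256(digest);
        return PREFIX + Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
    }

    // Logged origin -> fingerprint, for comparison against the app's signing certificate.
    static String fingerprintFromOrigin(String origin) {
        if (!origin.startsWith(PREFIX)) {
            throw new IllegalArgumentException("not an apk-key-hash origin");
        }
        byte[] digest = Base64.getUrlDecoder().decode(origin.substring(PREFIX.length()));
        requireSha256(digest);
        return HEX.formatHex(digest);
    }

    static void requireSha256(byte[] digest) {
        if (digest.length != 32) {
            throw new IllegalArgumentException("expected 32 bytes, got " + digest.length);
        }
    }

    // Non-URL origins match only exactly, as the DEBUG line in the log says.
    static boolean isAllowed(String origin, Set<String> allowedOrigins) {
        return allowedOrigins.contains(origin);
    }

    public static void main(String[] args) {
        // Origin string copied from the log in this issue.
        String logged = "android:apk-key-hash:qvuLMyLL__vtfHay6y_KGGHYL5Qkkf5aufucFCAtWVE";
        String fingerprint = fingerprintFromOrigin(logged);
        System.out.println("signing cert SHA-256: " + fingerprint);
        String rebuilt = originFromFingerprint(fingerprint);
        Set<String> webOnly = Set.of("https://pitampoudel.com.np");
        Set<String> webAndApp = Set.of("https://pitampoudel.com.np", rebuilt);
        System.out.println("web only allowlist:    " + isAllowed(logged, webOnly));
        System.out.println("web and app allowlist: " + isAllowed(logged, webAndApp));
    }
}
```

In java-webauthn-server the allowlist corresponds to the `origins` setting on the `RelyingParty` builder; list only the fingerprints of signing keys you control, after comparing the decoded value with the certificate that actually signs the app.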