Open knightcode opened 10 months ago
Hello and thank you for your interest in the SDK. You are right that the readme for the fido module is very simple; please look at the integration tests for the fido module in this folder. These tests cover different workflows and show how to make a credential, assert for it, query all discoverable credentials stored in the authenticator, access the PIN management functionality and more. You can also run all those tests on a connected Android device with a real YubiKey; both USB and NFC connections are supported. The tests will overwrite and remove data from the security key, so use it only with testing devices. To run the tests, follow this guide.
For the PIN, we currently don't have any UI in the SDK, and there are different ways to know if a PIN is set; the simple one is catching the exception. The other way is to look at the value of the clientPin option in the session data. If that option is present and its value is true, it indicates that the device is capable of accepting a PIN from the client and a PIN has been set.
Maybe this guide could help you to set up wireless debugging on your tablet? It saved me many times when nothing else worked: https://developer.android.com/tools/adb#wireless
Let me know if you have any more questions.
Thanks... I can't let the tests overwrite my yubikey's data, but I'm following along with them well enough.
I'm running into this error as soon as I call any method on the Ctap2Session object with the yubikey connected via USB-C:
java.io.IOException: Failed to send full packed
at com.yubico.yubikit.android.transport.usb.connection.UsbFidoConnection.send(UsbFidoConnection.java:35)
at com.yubico.yubikit.core.fido.FidoProtocol.sendAndReceive(FidoProtocol.java:94)
at com.yubico.yubikit.fido.ctap.Ctap2Session$2.sendCbor(Ctap2Session.java:159)
at com.yubico.yubikit.fido.ctap.Ctap2Session.sendCbor(Ctap2Session.java:187)
I thought I had to set the PIN on the session before building a BasicWebAuthnClient, but the error occurs even on calls to setPin or getPinToken.
I'm assuming that I'm overcomplicating this, but I can't find anything in the tests that suggests the SDK initiates its own UI to collect the PIN. Yet... the yubikey acts as a hardware keyboard, so that Android prevents the soft keyboard from showing while the yubikey is plugged in... meaning that, in order to input the PIN, I have to make the user unplug the device, then input the PIN, and plug the device back in. ...And I wasted tons of time trying to force the soft keyboard to show ...but that can't be the requisite flow... there's no way the SDK would leave all that work to us. ...if that's the case, why would we bother with this in the world of Android or iOS passkeys?
I came here to ask something similar and am happy to see that someone already asked, but I'm finding it quite difficult to follow the tests for a very basic implementation. Could we add a Kotlin example of how to register a new security key using FIDO?
I believe that is what most cases want:
I could really use more of a dev guide for implementing a passkey FIDO2 U2F flow than the couple of lines posted here: https://developers.yubico.com/yubikit-android/fido/
More specifically, the page above passes one value to makeCredential() when it really expects six parameters. I'm guessing that's just for simplicity. But then the first parameter is a JSON string we have to build ourselves and its data is redundant to everything in com.yubico.yubikit.fido.webauthn.PublicKeyCredentialCreationOptions that gets passed to the second parameter, so that I feel like I'm doing something wrong.
The fourth param is labeled pin, and I'm guessing that's the PIN to unlock the yubikey(?), which suggests you don't have a UI ceremony that requests that from the user automatically, so that we have to build one ourselves, try this once, get the PIN exception, prompt the user, and then try a second time? ... also seems like I'd be doing something wrong there.
(Side note: I'm currently on a Pixel tablet with no NFC and wireless debugging isn't working for me, so that my troubleshooting is impaired, and that's contributing to my ignorance here)