android / codelab-fido2

Apache License 2.0

Fido2PrivilegedApiClient Security Error #25

Closed abdulbadi closed 2 years ago

abdulbadi commented 3 years ago

When using the fido2apiclient with the assetlinks.json approach, my returned clientDataJSON's origin property has the following value: android:apk-key-hash:_2HBUymcqGN1_5dimo7nVj8erNyC32NupRjdtBPMYYU.

I would like to set an arbitrary origin, using the Fido2PrivilegedApiClient. According to https://searchfox.org/mozilla-central/source/mobile/android/geckoview/src/main/java/org/mozilla/geckoview/WebAuthnTokenManager.java, 'third party apps will need to get whitelisted themselves'. From my understanding, all that is required is an approved signing key, or are only browser applications allowed to use the Fido2PrivilegedApiClient?

Thanks

abdulbadi commented 3 years ago

@agektmr @yaraki @sbweeden

agektmr commented 3 years ago

@abdulbadi Why do you need to have the privilege to set an arbitrary origin?

abdulbadi commented 3 years ago

@agektmr we have a web app, and we would like for users to use the same security key across the web and mobile apps.

abdulbadi commented 3 years ago

We are using a third party SSO provider (Ping Identity) for the WebAuthn server. We are a heavily regulated Canadian cryptocurrency exchange: http://ndax.io/

agektmr commented 3 years ago

That won't justify being privileged. Please follow the instructions here to associate the web and app: https://developers.google.com/identity/fido/android/native-apps

I'm not familiar with how Ping Identity works, but if that domain is embedded inside an iframe, you can use the permissions policy as described here: https://www.w3.org/TR/webauthn-2/#sctn-iframe-guidance

abdulbadi commented 3 years ago

I have hosted an assetlinks.json file here: https://random-8f34a.web.app/.well-known/assetlinks.json. Is that supposed to change the clientDataJSON's origin? I am getting an error when registering my security key from their server: "Device activation failed: client data origin 'android:apk-key-hash:_2HBUymcqGN1_5dimo7nVj8erNyC32NupRjdtBPMYYU' doesn't match credentials origin 'https://random-8f34a.web.app'", using the create request and then the activate request: https://apidocs.pingidentity.com/pingone/platform/v1/api/#post-create-mfa-user-device-fido2---security_key @agektmr

agektmr commented 3 years ago

The server needs to handle both the web URL and the APK hash, as you can see in this code example: https://glitch.com/edit/#!/webauthn-codelab?path=libs%2Fauth.js%3A64%3A2

I don't know if Ping Identity supports the Android native implementation. Please check with them.