corbado / flutter-passkeys

Easily provide passkey authentication based on FIDO2 / WebAuthn for Flutter apps (iOS & Android) via a dedicated Flutter package
https://www.corbado.com/passkeys/flutter
BSD 3-Clause "New" or "Revised" License
64 stars 29 forks

Unable to login on Passkeys.eu #61

Open rajakeenu opened 7 months ago

rajakeenu commented 7 months ago

When I created an account on iOS and tried to log in from Android, it didn't work. But when I created an account on Android and then logged in from iOS, it worked fine using your website passkeys.eu.

Why am I unable to log in from Android after creating an account using an iOS device?

vincentdelitz commented 7 months ago

Hey @rajakeenu,

Are you talking about a Flutter app where you want to log in or the Corbado demo web app at passkeys.eu?

rajakeenu commented 7 months ago

I am talking about Corbado demo web app at passkeys.eu

rajakeenu commented 7 months ago

One more issue I am facing is that my assetlink file is not publicly available, so because of this FIDO is not opening on a Redmi mobile, but when I try the same thing on a Samsung mobile using Samsung passkeys it works. How is that possible? If I do FIDO authentication using Gmail on Samsung it does not work, but the same thing works with Samsung passkeys.

It is this exception, except with Samsung passkey:

PlatformException(android-unhandled:_androidx.credentials.TYPE_CREATE_PUBLIC_KEY_CREDENTIAL_DOM_EXCEPTION/androidx.credentials.TYPE_SECURITY_ERROR,_The_incoming_request_cannot_be_validated,_The_incoming_request_cannot_be_validated,_null)

vincentdelitz commented 7 months ago

@rajakeenu I think you're describing two different problems and two different applications, right?

  1. The first problem is regarding the creation of a passkey in our demo at https://passkeys.eu. This is a standalone web app hosted by us (not built in Flutter) and has nothing to do with any native app. Regarding the different behavior on Android & iOS: it depends on which passkey provider you create and store the passkey in. If you use the default, it's iCloud Keychain on iOS and Google Password Manager on Android. So, actually sharing a passkey between these two passkey providers is not possible (regardless of where you created the passkey and where you tried to log in). What happens in the demo is that we allow you to create another passkey after successful email OTP confirmation. Is that what you did?
  2. Regarding the second option: are you hosting the association file yourself or are you using our hosted relying party server?
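
An offline check for the association file asked about above, the Digital Asset Links document that Android's Credential Manager fetches from `https://<rp-id>/.well-known/assetlinks.json`. This is an added example, not code from this thread or from the flutter-passkeys project; the package name, fingerprints and helper names are constructed for illustration.

```python
import json
import re

# Relation Android's Credential Manager looks for when sharing passkeys with an app.
LOGIN_CREDS = "delegate_permission/common.get_login_creds"
# SHA-256 fingerprint in the documented form: 32 upper-case hex bytes, colon-separated.
FP_RE = re.compile(r"^([0-9A-F]{2}:){31}[0-9A-F]{2}$")

def statement_problems(st, cert_fp):
    """Problems in one statement that already targets our package."""
    problems = []
    if LOGIN_CREDS not in st.get("relation", []):
        problems.append("relation lacks " + LOGIN_CREDS)
    fps = st["target"].get("sha256_cert_fingerprints", [])
    if any(not isinstance(fp, str) or not FP_RE.match(fp) for fp in fps):
        problems.append("fingerprint not in AA:BB:... form")
    if cert_fp not in fps:
        problems.append("signing certificate fingerprint not listed")
    return problems

def check_assetlinks(text, package_name, cert_fp):
    """Return [] if some statement links the app, else the problems found."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return ["body is not JSON (login page, error page or redirect?)"]
    if not isinstance(doc, list):
        return ["top level must be a JSON array of statements"]
    ours = [st for st in doc if isinstance(st, dict)
            and isinstance(st.get("target"), dict)
            and st["target"].get("namespace") == "android_app"
            and st["target"].get("package_name") == package_name]
    if not ours:
        return ["no android_app statement for " + package_name]
    results = [statement_problems(st, cert_fp) for st in ours]
    return [] if [] in results else [p for r in results for p in r]

# Constructed sample values, not taken from the thread.
PKG = "com.example.payapp"
RELEASE_FP = ":".join(["AB"] * 32)
DEBUG_FP = ":".join(["CD"] * 32)

def make_doc(relations, fps, pkg=PKG):
    target = {"namespace": "android_app", "package_name": pkg,
              "sha256_cert_fingerprints": fps}
    return json.dumps([{"relation": relations, "target": target}])

if __name__ == "__main__":
    good = make_doc(["delegate_permission/common.handle_all_urls", LOGIN_CREDS], [RELEASE_FP])
    print(check_assetlinks(good, PKG, RELEASE_FP))   # release build
    print(check_assetlinks(good, PKG, DEBUG_FP))     # debug-signed build
    print(check_assetlinks("<html>Sign in</html>", PKG, RELEASE_FP))
```

Feed it the exact bytes an unauthenticated client receives for the `.well-known` URL; a file that is only reachable behind a login shows up here as the "not JSON" case.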

rajakeenu commented 7 months ago

In a Flutter app on iOS, after signing up for an account using passkeys, when attempting to log in, why does it log in with Samsung mobile using Samsung Passkey? Also,

When you sign up for an account in a Flutter app on Android and use Google Password Manager, why does it log in with Samsung Passkeys on Samsung devices?

vincentdelitz commented 7 months ago

@rajakeenu apparently Samsung Pass is set up to be your passkey provider / passkey management system. Usually, there is a dialogue in the passkey creation screen, where you can switch the passkey provider. The default passkey provider can be changed in your device settings.

rajakeenu commented 7 months ago

@vincentdelitz The issue we are facing while using Samsung Pass is that if I sign up for an account using Google Password Manager, it automatically signs in on Samsung devices using Samsung Pass. How can I stop this?

vincentdelitz commented 7 months ago

You can change the default passkey provider in the settings: [image]

rajakeenu commented 7 months ago

@vincentdelitz, let me explain. I'm developing a payment app where users can add their accounts using Passkey registration and do payments using the Passkey authentication. The issue arises when a user links their account via a Redmi device (Google password manager) but later logs in on a Samsung device using the same account. When making a payment, the Samsung Passkey is prompted, and the user successfully authenticates the transaction. How is this possible when the user initially linked their account using Google password manager?

vincentdelitz commented 6 months ago

@rajakeenu thanks for the additional information.

That's indeed very interesting and from what you have described, it should not be possible. Can you delete all the passkeys from Google Password Manager and Samsung Pass, set up a new account and share screenshots of the behavior? Are you sure that there were not two passkeys added to this account?