ko-koiwai / MyCredentialManager

Sample Implementation of Android's Credential Management API
MIT License

QR code "hybrid" flow does not work (former: Unexpected token '<', ""<!doctype " ... is not valid JSON) #2

Open jekinleeph opened 1 year ago

jekinleeph commented 1 year ago

Click the "Register" button on webauthn.io, select MyCredentialManager to register a Passkey, and then click the "Authenticate" button on the web page. An error will be reported: Unexpected token '<', ""<!doctype " ... is not valid JSON

ko-koiwai commented 1 year ago

Thanks for the report! The app works with Chrome 115 on my side. Could you please attach the logcat?

https://github.com/ko-koiwai/MyCredentialManager/assets/39606814/1f701551-42b2-4036-aa2e-5f33fc02aca8

sharma1214 commented 11 months ago

Hi,

I am facing some issues while registering the passkey. I am using webauthn.io and webauthn.me for the passkey registration. When I select the continue button, the app opens the main activity for the biometric prompt, and before performing the biometric, webauthn.io times out with the error below:

"The operation either timed out or was not allowed. See: https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client."

Can you help us with how to test this on desktop using Chrome or Safari (on a MacBook)?

ko-koiwai commented 11 months ago

Hi, @sharma1214 , could you tell me the browser versions that you tested with? I notice that some versions of Chrome canary didn't forward the request to MyCredMan app. Thanks!

leviWikey commented 11 months ago

Hi @ko-koiwai, I'm working with Chrome "Version 119.0.6045.159 (Official Build) (x86_64)" and the request indeed forwards to the app (I stopped at a breakpoint), but I'm getting the same as @sharma1214.

Update:

This try was when I scanned a QR code on my MacBook, because the app didn't fire on my phone at all. After I saw #1, I changed the settings in the Chrome app on my phone and it worked.

Any idea why it's not working with the MacBook?

Update 2:

Tried on ChromeOS and Windows too. It didn't work. I think it is safe to say that it works only internally on the device. Every attempt to scan a QR code in order to register (or authenticate) failed with the "timeout" error. To be more accurate, it happens when setResult is called.

Update 3:

It happens in other browsers (Safari, for example) too.

Any idea what can lead to this behavior?

P.S. thanks a lot for this repo!

sharma1214 commented 11 months ago

Hi @ko-koiwai, I am using Chrome Version 119.0.6045.124 (Official Build) (64-bit) on my Windows machine. As @leviWikey said, this is not working with Windows or MacBook. Any idea how to make it work on Windows or MacBook?

ko-koiwai commented 11 months ago

Sorry, now I got what you all meant, I reproduced the issue on my side. So it happens when trying to authenticate on PCs via Hybrid (formerly known as caBLE) transport.

  1. During registration, the connection between the phone and the PC is closed after the CredMan app is called
  2. During authentication, no passkey available error is shown even though a credential has been created within the phone

Please give me some time to figure it out. Thanks a lot again for raising this.

leviWikey commented 11 months ago

@ko-koiwai Thank you for your reply!

I'm not an expert, but I don't think that the connection is lost when the app is called (because I used breakpoints to see when the error is shown on the browser).

As I mentioned in my previous comment, the error is shown when the app called the setResult function.

Again, I'm not an expert and I definitely might be wrong about it. Just wanted to lighten your way.

Levi.

ko-koiwai commented 11 months ago

Mmm, here is what happened on my side.... You can tell that the dialog on the PC closes before I tap the fingerprint sensor on the phone. Copied anyway, thanks again!

https://github.com/ko-koiwai/MyCredentialManager/assets/39606814/4baafa5d-c824-4f0e-8095-07b2d5b4ed74

leviWikey commented 11 months ago

I see... What I forgot to tell you: I saw that when the fingerprint intent is called, the browser shows the error. So I removed the fingerprint logic and made the app go straight to the response. After I did that, the error on the browser is not shown until the app reaches setResult.

sharma1214 commented 11 months ago

Mmm, here is what happened on my side.... You can tell that the dialog on the PC closes before I tap the fingerprint sensor on the phone. Copied anyway, thanks again!

hybrid.mp4

@ko-koiwai, the one you have shown in the video is the same as what is happening with me. Once the biometric dialog prompts, the webauthn service times out. Is there any fix for that, or any workaround other than the one @leviWikey mentioned above?

ko-koiwai commented 11 months ago

I don't have enough time to try it out in full but my assumption is that there seem to be multiple factors causing the issue, off the top of my head:

Any input would be appreciated. If you modified the code to test, would you be able to fork the repo and publish the modified code in your repo so that we can be on the same page?

Thanks!

sharma1214 commented 11 months ago

I did the changes and added the GSM in the app list, but the same timeout is coming. I am not sure if a 3rd-party password manager supports the Windows Chrome browser. I even tried the latest Chrome Canary version on Windows 11. Any luck from your side?

PhearZero commented 11 months ago

@ko-koiwai Hope you are well!

I've forked the repo and have it to the point where it will register credentials but the signature cannot be verified.

I have a project that we are migrating from FIDO2 to Credential Provider Service and ran into this same issue. This MainActivity should allow credential creation via hybrid transports but the authentication signature is invalid.

Aside from the Biometrics prompt issues, I've isolated it down to the clientDataHash. Excluding it most likely makes the signature invalid, including it crashes the Intent when using hybrid. Maybe this is a bug in the native api or some other property is missing?

In my research I found that 1Password Register/Create does not work with the hybrid transport but Authenticate/Get does. This means it's at least possible to fetch the credential with a hybrid transport.

I am not sure if 3rd party password manager supports windows chrome browser.

@sharma1214 Registration/Create seems bound to Google Password Manager, but the Authenticate/Get requests do trigger the third-party providers from Windows 11 in my testing.

kkoiwai commented 10 months ago

@PhearZero , @sharma1214, thanks for waiting. Now I could at least authenticate with QR-code at webauthn.io.

https://github.com/ko-koiwai/MyCredentialManager/assets/16543860/054070ef-84af-4ce3-8edf-c77ed20515a5

Please check the branch below. https://github.com/kkoiwai/MyCredentialManager/tree/disable-prompt

There were various causes but one main issue was that with Hybrid, clientDataJSON was necessary while Androidx class doesn't provide one.
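The point made in the last two comments (the provider must sign over the clientDataHash the platform hands it, instead of hashing a clientDataJSON it assembled itself) as an added example; this is not code from the MyCredentialManager repo or the disable-prompt branch. It assumes the provider already holds the credential's P-256 private key and the authenticatorData bytes, and that `privilegedAllowlist` is the JSON allowlist of privileged browser packages passed to `CallingAppInfo.getOrigin`.

```kotlin
import android.app.Activity
import android.util.Base64
import androidx.credentials.GetPublicKeyCredentialOption
import androidx.credentials.provider.CallingAppInfo
import androidx.credentials.provider.PendingIntentHandler
import org.json.JSONObject
import java.security.MessageDigest
import java.security.PrivateKey
import java.security.Signature

/** What the authenticator signs over, plus the clientDataJSON we assembled (null when the caller supplied the hash). */
class SigningInput(val clientDataHash: ByteArray, val clientDataJson: String?)

private fun sha256(b: ByteArray): ByteArray = MessageDigest.getInstance("SHA-256").digest(b)
private fun b64url(b: ByteArray): String =
    Base64.encodeToString(b, Base64.URL_SAFE or Base64.NO_PADDING or Base64.NO_WRAP)

/** Origin for a plain app caller on this device: android:apk-key-hash:<base64url(sha256(signing cert))>. */
fun apkKeyHashOrigin(caller: CallingAppInfo): String =
    "android:apk-key-hash:" + b64url(sha256(caller.signingInfo.apkContentsSigners.first().toByteArray()))

fun signingInputFor(option: GetPublicKeyCredentialOption, caller: CallingAppInfo, privilegedAllowlist: String): SigningInput {
    // A privileged caller (a browser, including the hybrid/caBLE path that relays a remote browser)
    // passes a ready-made clientDataHash: the real clientDataJSON was built on the client side, so a
    // signature over a locally assembled one can never verify at the relying party.
    option.clientDataHash?.let { return SigningInput(it, null) }
    // Direct call from an app on this device: no hash was supplied, so assemble clientDataJSON here.
    val challenge = JSONObject(option.requestJson).getString("challenge")
    val origin = caller.getOrigin(privilegedAllowlist) ?: apkKeyHashOrigin(caller)
    val json = JSONObject().put("type", "webauthn.get").put("challenge", challenge)
        .put("origin", origin).put("androidPackageName", caller.packageName).toString()
    return SigningInput(sha256(json.toByteArray(Charsets.UTF_8)), json)
}

/** WebAuthn assertion signature: ECDSA P-256 with SHA-256 over authenticatorData || clientDataHash. */
fun signAssertion(authenticatorData: ByteArray, input: SigningInput, key: PrivateKey): ByteArray =
    Signature.getInstance("SHA256withECDSA").apply {
        initSign(key); update(authenticatorData); update(input.clientDataHash)
    }.sign()

/** Called from the activity launched by the provider's PendingIntent; returns the inputs for the response JSON. */
fun handleGet(activity: Activity, key: PrivateKey, authenticatorData: ByteArray, privilegedAllowlist: String): Pair<SigningInput, ByteArray>? {
    val request = PendingIntentHandler.retrieveProviderGetCredentialRequest(activity.intent) ?: return null
    val option = request.credentialOptions.filterIsInstance<GetPublicKeyCredentialOption>().firstOrNull() ?: return null
    val input = signingInputFor(option, request.callingAppInfo, privilegedAllowlist)
    return input to signAssertion(authenticatorData, input, key)
}
```

When `clientDataJson` comes back null, the response's clientDataJSON is whatever the client built, so the provider only contributes the signature and authenticatorData; when it is non-null, base64url-encode it into the response alongside them.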

levischechter commented 8 months ago

So as I see it, there is no solution for full hybrid registration/authentication (with biometrics). Is there any way to identify the transport type (internal/hybrid) so my app won't suggest my vaults/accounts on the hybrid transport? I don't want to get bad feedback on the Play Store ;) P.S. I saw that Dashlane somehow did it.