lbuchs / WebAuthn

A simple PHP WebAuthn (FIDO2/Passkey) server library
https://webauthn.lubu.ch
MIT License

Support for native Android apps - FIDO2 API for Android #94

Closed. armatys closed this issue 1 day ago.

armatys commented 1 month ago

I'm trying to integrate this library, and get it working with an Android app (via FIDO2 API for Android).

From WebAuthn spec:

Other specifications mimicking the WebAuthn API to enable WebAuthn public key credentials on non-Web platforms (e.g. native mobile applications), MAY define different rules for binding a caller to a Relying Party Identifier.

The above seems to be the case for native Android apps, because when an Android app generates ClientData (which will be sent to the backend), it looks something like this:

{
  "type":"webauthn.get",
  "challenge":"6wihG...",
  "origin":"android:apk-key-hash:A0JAQL4...",
  "androidPackageName":"com.example.myapp"
}

Notice that on Android (see verifying origin) the origin doesn't start with https://... (which is required by the WebAuthn library), but uses android:apk-key-hash:.... The above JSON is generated by the "FIDO2 for Android" library, and it's not possible to set a custom origin. It's also not possible to modify the origin manually, because then the signature would be incorrect.

I wonder if the WebAuthn library could somehow support this use case, e.g. by allowing the caller to specify a list of allowed Android apk-key-hashes, or maybe by throwing a specific error which could be handled downstream by the caller?
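The origin check the post describes, written out as an added example (this is editorial code, not part of lbuchs/WebAuthn and not the linked PR). It verifies a clientDataJSON whose origin is either a pinned https:// web origin or an android:apk-key-hash:... value from an allow-list, and shows how the expected apk-key-hash is derived: the FIDO2 API for Android sets it to base64url(SHA-256(APK signing certificate in DER form)) without padding. Function names, the allow-list parameters and the "signing certificate" bytes are all hypothetical or constructed; PHP 8 is assumed for str_starts_with and the union return type.

```php
<?php
// Added example (not lbuchs/WebAuthn code): accept an Android
// "android:apk-key-hash:..." origin next to the usual https:// origin
// when checking FIDO2 clientDataJSON. All names here are hypothetical.

declare(strict_types=1);

function base64url_encode(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function base64url_decode(string $s): string|false {
    return base64_decode(strtr($s, '-_', '+/'), true);
}

// The FIDO2 API for Android reports the origin as
// "android:apk-key-hash:" . base64url(SHA-256(APK signing certificate, DER)).
function apkKeyHashOrigin(string $signingCertDer): string {
    return 'android:apk-key-hash:' . base64url_encode(hash('sha256', $signingCertDer, true));
}

/**
 * Verify clientDataJSON from either a browser or a native Android app.
 *
 * @param string   $clientDataJson      raw bytes received from the client
 * @param string   $expectedType        'webauthn.get' or 'webauthn.create'
 * @param string   $expectedChallenge   raw challenge bytes issued by the server
 * @param string[] $allowedWebOrigins   e.g. ['https://example.com']
 * @param string[] $allowedApkKeyHashes full 'android:apk-key-hash:...' strings
 * @return array{origin:string, androidPackageName:?string}
 * @throws RuntimeException on any mismatch
 */
function verifyClientData(string $clientDataJson, string $expectedType, string $expectedChallenge,
                          array $allowedWebOrigins, array $allowedApkKeyHashes): array {
    $cd = json_decode($clientDataJson, true, 8, JSON_THROW_ON_ERROR);

    if (($cd['type'] ?? null) !== $expectedType) {
        throw new RuntimeException('unexpected clientData.type');
    }

    // The challenge is base64url in clientData; compare decoded bytes in constant time.
    $challenge = base64url_decode((string)($cd['challenge'] ?? ''));
    if ($challenge === false || !hash_equals($expectedChallenge, $challenge)) {
        throw new RuntimeException('challenge mismatch');
    }

    $origin = (string)($cd['origin'] ?? '');
    if (str_starts_with($origin, 'https://')) {
        if (!in_array($origin, $allowedWebOrigins, true)) {
            throw new RuntimeException('web origin not allowed: ' . $origin);
        }
        return ['origin' => $origin, 'androidPackageName' => null];
    }

    if (str_starts_with($origin, 'android:apk-key-hash:')) {
        // Exact match against the allow-list: the signing-key hash is what the
        // Android platform binds the assertion to, so it is the value to pin.
        // Never accept the prefix alone.
        if (!in_array($origin, $allowedApkKeyHashes, true)) {
            throw new RuntimeException('apk-key-hash not allowed: ' . $origin);
        }
        return ['origin' => $origin, 'androidPackageName' => $cd['androidPackageName'] ?? null];
    }

    throw new RuntimeException('unsupported origin scheme: ' . $origin);
}

// --- constructed demo input (placeholder bytes, not a real certificate or key) ---
$fakeSigningCert = 'DER bytes of the app signing certificate (constructed placeholder)';
$allowedApk = [apkKeyHashOrigin($fakeSigningCert)];
$challenge = random_bytes(32);

$androidClientData = json_encode([
    'type' => 'webauthn.get',
    'challenge' => base64url_encode($challenge),
    'origin' => $allowedApk[0],
    'androidPackageName' => 'com.example.myapp',
]);

$result = verifyClientData($androidClientData, 'webauthn.get', $challenge,
                           ['https://webauthn.lubu.ch'], $allowedApk);
var_dump($result['androidPackageName']); // string(17) "com.example.myapp"

// A well-formed clientData signed under an unknown signing key is rejected.
try {
    verifyClientData(str_replace($allowedApk[0], 'android:apk-key-hash:AAAA', $androidClientData),
                     'webauthn.get', $challenge, [], $allowedApk);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Two caveats a relying party should keep in mind. First, this replaces only the origin comparison; the rpIdHash in authenticatorData must still be checked against the RP ID, and the signature over authenticatorData || SHA-256(clientDataJSON) must still be verified, so a tampered origin or androidPackageName fails the signature check as the post notes. Second, pin the full apk-key-hash string, not the android:apk-key-hash: prefix, since any app signed with any key can present a value with that prefix.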

xellio commented 3 weeks ago

PR that should solve this issue: https://github.com/lbuchs/WebAuthn/pull/95