I'm trying to integrate this library, and get it working with an Android app (via FIDO2 API for Android).

From WebAuthn spec:

The above seems to be the case for native Android apps, because when an Android app generates ClientData (which will be sent to the backend), it looks something like this:

Notice that on Android (see verifying origin) the origin doesn't start with https://... (which is required by the WebAuthn library), but it uses android:apk-key-hash:.... The above JSON is generated by the "FIDO2 for Android" library, and it's not possible to set a custom origin. It's also not possible to modify the origin manually, because then the signature will be incorrect.

I wonder if the WebAuthn library could somehow support this use case, e.g. by allowing the caller to specify a list of allowed Android apk-key-hashes, or maybe throwing a specific error, which could be handled downstream in the caller?
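As an added illustration of the allowlist approach proposed in the issue above (example code written for this page, not code from the WebAuthn library or from the FIDO2 for Android library): a minimal clientDataJSON check that accepts either the RP's https origin or an android:apk-key-hash: origin whose hash appears on a configured allowlist, while still verifying type and challenge. The sample clientDataJSON, the apk-key-hash value and the function names are constructed assumptions.

```python
import base64
import hmac
import json

APK_PREFIX = "android:apk-key-hash:"

# Constructed sample of a decoded Android clientDataJSON. The apk-key-hash is a
# placeholder, not a real signing-certificate hash.
SAMPLE_CLIENT_DATA = {
    "type": "webauthn.get",
    "challenge": "dGVzdC1jaGFsbGVuZ2U",  # base64url of b"test-challenge"
    "origin": APK_PREFIX + "PLACEHOLDER_APK_KEY_HASH",
}


def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url, as used in clientDataJSON fields."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_client_data(data: dict) -> str:
    """Serialise a dict the way clients ship clientDataJSON (base64url, no padding)."""
    return base64.urlsafe_b64encode(json.dumps(data).encode()).rstrip(b"=").decode()


SAMPLE_B64 = encode_client_data(SAMPLE_CLIENT_DATA)


def origin_is_allowed(origin: str, rp_origins: set, apk_key_hashes: set) -> bool:
    """Accept the RP's https origins, or an Android origin whose key hash is allowlisted."""
    if origin in rp_origins:
        return True
    if origin.startswith(APK_PREFIX):
        return origin[len(APK_PREFIX):] in apk_key_hashes
    return False


def check_client_data(b64: str, expected_challenge: bytes, expected_type: str,
                      rp_origins: set, apk_key_hashes: set):
    """Return (True, decoded dict) on success, or (False, reason) on rejection."""
    try:
        data = json.loads(b64url_decode(b64))
        challenge = b64url_decode(str(data.get("challenge", "")))
    except (ValueError, UnicodeDecodeError):
        return False, "clientDataJSON is not valid base64url JSON"
    if data.get("type") != expected_type:
        return False, "unexpected type: %r" % data.get("type")
    if not hmac.compare_digest(challenge, expected_challenge):
        return False, "challenge mismatch"
    if not origin_is_allowed(str(data.get("origin", "")), rp_origins, apk_key_hashes):
        return False, "origin not allowed: %r" % data.get("origin")
    return True, data
```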