Support Webauthn - Githubissues

pichillilorenzo / flutter_inappwebview

A Flutter plugin that allows you to add an inline webview, to use a headless webview, and to open an in-app browser window.

https://inappwebview.dev

Apache License 2.0

3.29k stars 1.62k forks source link

Support Webauthn #699

Closed netgfx closed 3 years ago

netgfx commented 3 years ago

Environment

Flutter version: Latest Android version: 10+
iOS version: 13+ Xcode version: 11+

Description

To support Webauthn or point me to a documentation if it already supported

Alternatives you've considered:

Images:

pichillilorenzo commented 3 years ago

Well, you can use JavaScript Web Authentication API if it is supported by the native WebView itself. Just check here https://caniuse.com/webauthn if this API is supported by the native WebViews or not. As you can see there, this feature is supported on Android API level 21+. Instead on iOS, the native WKWebView class doesn't support it yet.

This is something not related to this plugin or any other WebView Flutter plugin, but it depends on the underlying Operating System.

In this case, the native WebView classes used are:

netgfx commented 3 years ago

@pichillilorenzo I believe it can work with SFSafariViewController is that used by flutter_inappwebview or can it be used instead of WKWebView? Also can you elaborate on the use JavaScript part? You mean via Flutter/Dart somehow? Or via Swift?

Thanks!

pichillilorenzo commented 3 years ago

Yes, probably, with SFSafariViewController the JavaScript Web Authentication API will work.

But SFSafariViewController and WKWebView are two different things: SFSafariViewController is not a simple WebView, you don't have control over it and you can't execute any custom javascript from flutter/dart side. In fact, as you can see from the documentation of this plugin, there isn't any controller. You can just listen to some basic events.

In general, you use a WebView if your app customizes, interacts with, or controls the display of web content.

You can read When should I use Custom Tabs vs WebView? for more details.

Also can you elaborate on the use JavaScript part? You mean via Flutter/Dart somehow? Or via Swift?

I mean with JavaScript (that you inject from flutter side or that is already in the webpage).

Or do you mean something else? When you say Webauthn, what are you referring to? The JavaScript Web Authentication API or something else?

Other things you may refer to is an Authentication Flow using Deep Linking, where I need to work on.

netgfx commented 3 years ago

@pichillilorenzo Thanks for the explanation. I mean Webauthn as described here https://webauthn.io/ either on the web or through a webview, which is basically a way to authenticate a user by using their mobile device as an authenticator with biometric challenge. In that regard an App can self validate it self by using a webview and the same device to provide the biometric challenge.

pichillilorenzo commented 3 years ago

Ok, I tested https://webauthn.io/ example demo form with InAppWebView and it seems that it doesn't support Webauthn (see https://stackoverflow.com/questions/56258147/android-webview-support-webauthn).

So, if you need Webauthn API enabled, you can use the ChromeSafariBrowser class, that is SFSafariViewController on iOS and ChromeCustomTabs on Android.

To enable JavaScript Webauthn API on InAppWebView widget (that is native "pure" WebView), it should be implemented natively (for example, on Android could be used this library) or, maybe, with Flutter/Dart if already exists a library for Webauthn (I didn't find any), and also create a bridge through JavaScript interfaces/handlers. Well, in general, this requires a lot of work!!

So, if you need Webauthn API, you should use ChromeSafariBrowser class: tested on a real Android and iOS phone. On the emulator, the Webauthn API won't work!

netgfx commented 3 years ago

Thank you for your guidelines, really appreciate it!

mkhtradm01 commented 3 weeks ago

Ok, I tested https://webauthn.io/ example demo form with InAppWebView and it seems that it doesn't support Webauthn (see https://stackoverflow.com/questions/56258147/android-webview-support-webauthn).

So, if you need Webauthn API enabled, you can use the ChromeSafariBrowser class, that is SFSafariViewController on iOS and ChromeCustomTabs on Android.

To enable JavaScript Webauthn API on InAppWebView widget (that is native "pure" WebView), it should be implemented natively (for example, on Android could be used this library) or, maybe, with Flutter/Dart if already exists a library for Webauthn (I didn't find any), and also create a bridge through JavaScript interfaces/handlers. Well, in general, this requires a lot of work!!

So, if you need Webauthn API, you should use ChromeSafariBrowser class: tested on a real Android and iOS phone. On the emulator, the Webauthn API won't work!

In pub there is this library which can help to reopen this issue:

https://pub.dev/packages/webauthn

pichillilorenzo commented 3 weeks ago

@mkhtradm01 implementing webauthn using that package is something that if it has to be implemented, it has to be done by the developer who uses this plugin and not this plugin directly. In that case, you can implement whatever you want using javascript channels or whatever.

github-actions[bot] commented 6 days ago

This thread has been automatically locked since there has not been any recent activity after it was closed. If you are still experiencing a similar issue, please open a new bug and a minimal reproduction of the issue.