web-auth / webauthn-framework

FIDO-U2F / FIDO2 / Webauthn Framework
MIT License

Support Android's FIDO2 origin #393

Open giann opened 1 year ago

giann commented 1 year ago

Description

In Android's FIDO2 implementation, the clientDataJSON's origin is not the rpId but a hash of the apk signature key like so:

{
  "type": "webauthn.create",
  "challenge": "XaAWM4lgb_GjwtfnANmevCo_Wc9L6I5RSRd6Rgia3F8",
  "origin": "android:apk-key-hash:sjYxqUM11Op8oHJuOdbrsCqtvYvbKHhQoKBlt28dLec",
  "androidPackageName": "com.my.app"
}

The link with the relying party is done by checking that the key's fingerprint is present at https://my-relying-party.com/.well-known/assetlinks.json.

Would it be possible for webauthn-framework to support this?

Spomky commented 1 year ago

Hi,

> Would it be possible for webauthn-framework to support this?

Good question. At first sight I would say yes. Let me dig deeper into the documentation first. Also, it would be nice if you could send real options and authenticator responses as JSON. This will certainly help me test it.

Regards.

giann commented 1 year ago

Thanks for the quick answer!

I started implementing it in a fork.

I'd have to edit out some elements of options and authenticator response before posting it here. Not sure it would be helpful to you then?

LauJosefsen commented 8 months ago

What is the status of this issue?

Did you have a working fork, @giann?

Would a PR be appreciated? If so, what solution is desired? I was thinking of being able to provide a list of whitelisted origins maybe? Or integration/interpretation of the .well-known/assetlinks.json?

Here is a sample clientData JSON array from an Android attestation request:

{
    "type": "webauthn.create",
    "challenge": "QtZ8KlBHsey4FuBsz_Pr4fmA_hn5A3lEqFWOpoo1TXk",
    "origin": "android:apk-key-hash:NztP-sfNqy2_XIe4erm4qR-w4eRJ2Dl6JduFbPCYHik",
    "androidPackageName": "com.example"
}

The key hash is the base64url unpadded encoding of the hex2binary decoded fingerprint listed in .well-known/assetlinks.json.

Edit: Just forked the 4.8 branch, and I saw you guys have already made changes to the origin check, and it looks possible to hook into and whitelist origins on this version. So I think 4.8/5.0 will resolve this issue.
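
The check described in this thread, as an added example (not webauthn-framework code and not written by any commenter): each `sha256_cert_fingerprints` entry of an assetlinks.json document is converted to the unpadded base64url key hash and compared with the `android:apk-key-hash:` origin. The function names are hypothetical, PHP 8 is assumed, and the caller is assumed to have fetched assetlinks.json from the relying party's own domain over HTTPS and to pass `androidPackageName` from the clientDataJSON.

```php
<?php
declare(strict_types=1);

const ANDROID_ORIGIN_PREFIX = 'android:apk-key-hash:';

// "AA:BB:..." SHA-256 fingerprint -> unpadded base64url, the form the origin carries.
function fingerprintToKeyHash(string $fingerprint): ?string
{
    $hex = str_replace(':', '', $fingerprint);
    if (strlen($hex) !== 64 || !ctype_xdigit($hex)) {
        return null; // not a SHA-256 fingerprint
    }
    return rtrim(strtr(base64_encode(hex2bin($hex)), '+/', '-_'), '=');
}

// True only when the origin's key hash matches a fingerprint declared for this package.
function isAllowedAndroidOrigin(string $origin, string $packageName, string $assetLinksJson): bool
{
    $statements = json_decode($assetLinksJson, true);
    if (!str_starts_with($origin, ANDROID_ORIGIN_PREFIX) || !is_array($statements)) {
        return false; // fail closed: not an Android origin, or unparsable statement list
    }
    $keyHash = substr($origin, strlen(ANDROID_ORIGIN_PREFIX));
    foreach ($statements as $statement) {
        $target = $statement['target'] ?? [];
        if (($target['namespace'] ?? '') !== 'android_app' || ($target['package_name'] ?? '') !== $packageName) {
            continue; // statement is for another kind of target or another app
        }
        foreach ((array) ($target['sha256_cert_fingerprints'] ?? []) as $fingerprint) {
            $expected = is_string($fingerprint) ? fingerprintToKeyHash($fingerprint) : null;
            if ($expected !== null && hash_equals($expected, $keyHash)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed sample input: the fingerprint and package name are made up.
$fingerprint = '00:01:02:03:04:05:06:07:08:09:0A:0B:0C:0D:0E:0F:10:11:12:13:14:15:16:17:18:19:1A:1B:1C:1D:1E:1F';
$assetLinks = json_encode([[
    'target' => ['namespace' => 'android_app', 'package_name' => 'com.example',
                 'sha256_cert_fingerprints' => [$fingerprint]],
]]);
$origin = ANDROID_ORIGIN_PREFIX . fingerprintToKeyHash($fingerprint);
var_dump(isAllowedAndroidOrigin($origin, 'com.example', $assetLinks));               // matching key hash
var_dump(isAllowedAndroidOrigin($origin, 'com.other', $assetLinks));                 // package mismatch
var_dump(isAllowedAndroidOrigin('https://example.com', 'com.example', $assetLinks)); // not an Android origin
```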

Spomky commented 7 months ago

> Edit: Just forked the 4.8 branch, and I saw you guys have already made changes to the origin check, and it looks possible to hook into and whitelist origins on this version. So I think 4.8/5.0 will resolve this issue.

Indeed. I am not sure to implement this feature and I took the opportunity of 4.8 to extract input verification to dedicated services. It will be easier to include such origins in the future.

viniciushrk commented 7 months ago

I saw this problem, and found a possible solution.

[Image: Screenshot 2024-03-07 105039]

Basically, it checks if the origin is a URL; if not, it validates if the origin has the Android origin.

I think there are no breaking changes.

ks217 commented 5 months ago

Hi, I am facing the same issue on a project. Is there any rough plan on how this can be implemented or fixed? I would be happy to create a PR for this if someone can guide me.

> and it looks possible to hook into and whitelist origins on this version. So I think 4.8/5.0 will resolve this issue.

Is it already possible to validate android:apk-key-hash:<sdk-fingerprint> with 4.8?

Spomky commented 5 months ago

The plan is to rely on an interface to validate the origins. This will arrive soon.

WaylandAce commented 4 months ago

@Spomky Hello, any updates here?