codelab-fido2's Introduction

WebAuthn / FIDO2 API Codelab

This folder contains the source code for the WebAuthn / FIDO2 API codelab. It gives an introduction into implementing FIDO2 API,

License

Copyright 2019 Google, Inc.

Licensed to the Apache Software Foundation (ASF) under one or more contributor
license agreements. See the NOTICE file distributed with this work for
additional information regarding copyright ownership. The ASF licenses this
file to you under the Apache License, Version 2.0 (the "License"); you may not
use this file except in compliance with the License. You may obtain a copy of
the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations under
the License.

codelab-fido2's People

Contributors

agektmr, jdkoren, niharika2810, sbweeden, yaraki

codelab-fido2's Issues

Fido2ApiClient to manage the registered credentials

I have been successfully performing WebAuthn registration and authentication with Fido2ApiClient (https://developers.google.com/android/reference/com/google/android/gms/fido/fido2/Fido2ApiClient). Is there any interface through which I can manage the registered credentials, so that I can query or delete the existing credentials?

My application maintains the WebAuthn state (e.g. the device has been registered); however, when the user clears storage either on the app or on Google Play Services, the state will be out of sync. Instead of the app maintaining the state, is there any interface through which we can query or delete the stored credentials from Google Play Services?

Error calling /registerResponse; Unexpected attestation origin

At step 5 (Register a credential using a fingerprint) of the Codelab, when trying to run the application to register new credentials, the following exception happens:
E/AuthRepository: Cannot call registerResponse com.example.android.fido2.api.ApiException: Error calling /registerResponse; Unexpected attestation origin "android:apk-key-hash:OJBUtV27DYN2FkhZ2yTA5fdBkC4DFV9bO153gzhv6vw", expected "https://pattern-succinct-kick.glitch.me"

Tested on Android 12 and Android 7

Question on building the AuthenticatorSelectionCriteria

unable to register user using your sample code with demo server

I did download your sample APK (Fido2.apk) and the codelab; both are not working and give the error "Something wrong happened while registration", and when I put in a username and press sign in, the Toast says "request does not have valid list of allowed credential".

Demo Android app not working

Hello

The demo app for Android is no longer working.
I followed the tutorial at https://codelabs.developers.google.com/codelabs/fido2-for-android.
I tried to follow the tutorial, to make my own glitch and also using the finished implementation.
Nothing works.

2020-11-13 18:46:51.465 5313-6730/com.example.android.fido2 E/AndroidRuntime: FATAL EXCEPTION: pool-1-thread-1
    Process: com.example.android.fido2, PID: 5313
    com.example.android.fido2.api.ApiException: Cookie not found: username
        at com.example.android.fido2.api.AuthApi.findSetCookieInResponse(AuthApi.kt:565)
        at com.example.android.fido2.api.AuthApi.username(AuthApi.kt:82)
        at com.example.android.fido2.repository.AuthRepository$username$1.run(AuthRepository.kt:133)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
        at java.lang.Thread.run(Thread.java:919)

Support backends that may want to do password validation

I have been working on a copy of this app that interacts with a different backend to the one provided as part of https://codelabs.developers.google.com/codelabs/webauthn-reauth

My backend does password validation, and I'd like the sample android app to work with it out-of-the-box, without breaking anything about how the app works with the existing codelab.

I've prepared a pull request which I believe achieves this goal and hope it is considered for inclusion in the base code.

request direct attestation does not work

Hello

If I change the method router.post('/registerRequest') to force the attestation to direct: let attestation = 'direct';
and add the following code in router.post('/registerResponse'): console.log(registrationInfo.aaguid);
the result is: 00000000-0000-0000-0000-000000000000

I think the attestation statement is not retrieved even if we ask for it... Can you tell why this happens?
Is it a limitation of the FIDO2 API for Android?

Thank you.

Fido2 PIN

I'm using the Fido2 demo and it works fine, but when I set a PIN for the Yubico key, I can't register successfully. So how should I verify the PIN? Thanks!

Instructions use wrong keystore

Hey all, thank you for this code lab it was very helpful. I just wanted to point out an issue I spent a little while debugging earlier that might be fixed in the documentation. Perhaps this is the wrong place to report this, so please feel free to close if so.

This page https://codelabs.developers.google.com/codelabs/fido2-for-android/#2 mentions

In order to get the SHA256 hash of your developer signing certificate, use the command below. The default password of the debug keystore is "android".
$ keytool -exportcert -list -v -alias androiddebugkey -keystore ~/.android/debug.keystore

However this code is set up to use a keystore in android/debug.jks. This took a bit to debug and I figured it might be worth mentioning in the documentation.
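
Added example, not part of the issue reports above or of the codelab's code: the "Unexpected attestation origin" error and the keystore mix-up both come down to which signing certificate the android:apk-key-hash: origin encodes. The sketch below converts between that origin and a keytool-style SHA256 fingerprint and does an exact-match origin check; the function names are hypothetical, the clientDataJSON is constructed, and the hash and URL are the ones quoted in the error message above.

```javascript
// Added example. Helper names are hypothetical, not the codelab's API.
// The Android FIDO2 API reports the caller as
//   android:apk-key-hash:<unpadded base64url of SHA-256(signing cert)>
// while keytool prints the same 32 bytes as colon-separated hex.
const PREFIX = 'android:apk-key-hash:';

function fingerprintToOrigin(colonHex) {
  const bytes = Buffer.from(colonHex.replace(/:/g, ''), 'hex');
  if (bytes.length !== 32) throw new Error('expected a 32-byte SHA-256 fingerprint');
  const b64url = bytes.toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return PREFIX + b64url;
}

function originToFingerprint(origin) {
  if (!origin.startsWith(PREFIX)) throw new Error('not an apk-key-hash origin');
  const b64 = origin.slice(PREFIX.length).replace(/-/g, '+').replace(/_/g, '/');
  const bytes = Buffer.from(b64, 'base64');
  if (bytes.length !== 32) throw new Error('hash does not decode to 32 bytes');
  return bytes.toString('hex').toUpperCase().match(/../g).join(':');
}

// Relying-party side: exact string match against an explicit allow-list.
// No prefix or substring matching, so an unknown signing key is rejected.
function isExpectedOrigin(clientDataJSON, allowedOrigins) {
  let origin;
  try {
    origin = JSON.parse(clientDataJSON.toString('utf8')).origin;
  } catch (e) {
    return false; // malformed client data is never accepted
  }
  return typeof origin === 'string' && allowedOrigins.includes(origin);
}

// Values quoted in the error message on this page.
const webOrigin = 'https://pattern-succinct-kick.glitch.me';
const reported = 'android:apk-key-hash:OJBUtV27DYN2FkhZ2yTA5fdBkC4DFV9bO153gzhv6vw';
// Constructed clientDataJSON carrying only the field checked here.
const clientData = Buffer.from(JSON.stringify({ origin: reported }));

// Compare this with the SHA256 line keytool prints for the keystore that
// actually signs the build (android/debug.jks in the report above).
const fingerprint = originToFingerprint(reported);
console.log(fingerprint);

// In practice the allow-list entry is derived from the keytool fingerprint.
const appOrigin = fingerprintToOrigin(fingerprint);
console.log(isExpectedOrigin(clientData, [webOrigin]));            // false
console.log(isExpectedOrigin(clientData, [webOrigin, appOrigin])); // true
```

If the decoded fingerprint does not match the keystore you ran keytool against, the build is signed with a different key than the one the server or assetlinks.json was configured for.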

The application package name must be whitelisted

With the sample application, after I click on the FAB registerRequest(), there is no fingerprint dialog and in the logcat console I got the error exception below:

Caused by: java.lang.IllegalArgumentException: This application is not allowed to call FIDO2 API. The application package name must be whitelisted.
    at com.google.android.gms.fido.fido2.ui.AuthenticateChimeraActivity.onCreate(:com.google.android.gms@[email protected] (040700-239467275):53)
    at com.google.android.chimera.Activity.publicOnCreate(Unknown Source:0)
    at dvo.onCreate(:com.google.android.gms@[email protected] (040700-239467275):6)
    at ppa.onCreate(:com.google.android.gms@[email protected] (040700-239467275):2)

I am testing with Pixel 3 XL API 28 emulator

assetlinks.json
Here is the https://frosted-cod.glitch.me/.well-known/assetlinks.json

The sha256 key is generated by the debug.jks, but I tried ~/.android/debug.keystore also, both have the same error message.

Fido2PrivilegedApiClient Security Error

When using the fido2apiclient with the assetlinks.json approach, my returned clientDataJSON's origin property has the following value: android:apk-key-hash:_2HBUymcqGN1_5dimo7nVj8erNyC32NupRjdtBPMYYU .

I would like to set an arbitrary origin, using the Fido2PrivilegedApiClient. According to https://searchfox.org/mozilla-central/source/mobile/android/geckoview/src/main/java/org/mozilla/geckoview/WebAuthnTokenManager.java , 'third party apps will need to get whitelisted themselves' . From my understanding, all that is required is an approved signing key, or are only browser applications allowed to use the Fido2PrivilegedApiClient?

Thanks

Unable to perform example

Hello

I was unable to perform the desired functionality, and I also downloaded the APK (that is available) and it is always crashing.

This error happens sometimes when I submit username, the same happens in the apk that is available.

E/AndroidRuntime: FATAL EXCEPTION: pool-1-thread-5
    Process: com.example.android.fido2, PID: 14386
    java.lang.NullPointerException: null reference
        at com.google.android.gms.common.internal.Preconditions.checkNotNull(Unknown Source:2)
        at com.google.android.gms.fido.fido2.api.common.PublicKeyCredentialRequestOptions.<init>(Unknown Source:5)
        at com.google.android.gms.fido.fido2.api.common.PublicKeyCredentialRequestOptions$Builder.build(Unknown Source:17)
        at com.example.android.fido2.api.AuthApi.parsePublicKeyCredentialRequestOptions(AuthApi.kt:317)
        at com.example.android.fido2.api.AuthApi.signinRequest(AuthApi.kt:246)
        at com.example.android.fido2.repository.AuthRepository$signinRequest$1.run(AuthRepository.kt:361)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
        at java.lang.Thread.run(Thread.java:764)
D/EGL_emulation: eglMakeCurrent: 0xe64667c0: ver 3 0 (tinfo 0xe63b1b60)

This error happens whenever I ask to add a credential.

E/AuthRepository: Cannot call registerRequest
    java.lang.IllegalArgumentException: com.google.android.gms.fido.fido2.api.common.COSEAlgorithmIdentifier$UnsupportedAlgorithmIdentifierException: Algorithm with COSE value -8 not supported
        at com.google.android.gms.fido.fido2.api.common.PublicKeyCredentialParameters.<init>(Unknown Source:11)
        at com.example.android.fido2.api.AuthApi.parseParameters(AuthApi.kt:449)
        at com.example.android.fido2.api.AuthApi.parsePublicKeyCredentialCreationOptions(AuthApi.kt:335)
        at com.example.android.fido2.api.AuthApi.registerRequest(AuthApi.kt:152)
        at com.example.android.fido2.repository.AuthRepository$registerRequest$1.run(AuthRepository.kt:253)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
        at java.lang.Thread.run(Thread.java:764)
    Caused by: com.google.android.gms.fido.fido2.api.common.COSEAlgorithmIdentifier$UnsupportedAlgorithmIdentifierException: Algorithm with COSE value -8 not supported
        at com.google.android.gms.fido.fido2.api.common.COSEAlgorithmIdentifier.fromCoseValue(Unknown Source:10)
        at com.google.android.gms.fido.fido2.api.common.PublicKeyCredentialParameters.<init>(Unknown Source:8)
        at com.example.android.fido2.api.AuthApi.parseParameters(AuthApi.kt:449)
        at com.example.android.fido2.api.AuthApi.parsePublicKeyCredentialCreationOptions(AuthApi.kt:335)
        at com.example.android.fido2.api.AuthApi.registerRequest(AuthApi.kt:152)
        at com.example.android.fido2.repository.AuthRepository$registerRequest$1.run(AuthRepository.kt:253)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
        at java.lang.Thread.run(Thread.java:764)

Another thing: I'm also trying to implement this using a Yubico NFC security key instead of the fingerprint. Can you tell me where the documentation is, and maybe add to the exercise the location of the documentation that says how to use security keys with Fido2?
