Tooroop

Reputation: 1884

Android FIDO2 throwing vague errors

I am trying to implement FIDO2 on Android. I have the assetlinks.json hosted on my domain (sorry, I don't want to reveal the whole URL yet, and I'm not sure I'm allowed to). I have the assets_statements string defined and added to my Manifest, and I also implemented the whole get-register-challenge logic, where I am creating a pending intent from PublicKeyCredentialCreateOptions. After I launch the intent I see a white screen, which shows up and closes really fast without any descriptive error or anything, and I have no idea how to debug this issue. The log shows:

ActivityTaskManager: Displayed com.google.android.gms/.fido.fido2.ui.Fido2FullScreenActivity
E/Fido: [DigitalAssetsAssociationChecker] JSON Object doesn't have linked key
E/Fido: [Fido2RequestController] The incoming request cannot be validated
E/Fido: [Fido2RequestController] The incoming request cannot be validated

On https://developers.google.com/digital-asset-links/tools/generator it says that my domain grants app deeplinking to my package name.

I am using com.google.android.gms:play-services-fido:18.1.0

The errors in the log are not helpful in any way, and I'm not sure if I am still missing something here; any help would be appreciated.

Upvotes: 6

Views: 3059

Answers (5)

Brett Sutton

Reputation: 4554

So same symptom.

In my case, the issue was I was trying to host the assetlinks.json file on an internal dev server.

This does NOT work.

The assetlinks.json file MUST be hosted on a server publicly accessible to Google's servers.

Upvotes: 3

Amos Joshua

Reputation: 1753

Another reason that this error can appear: if the relation delegate_permission/common.handle_all_urls is missing from the assetlinks.json, Android devices may reject the association with the error above.

So for example the following assetlinks (which I've copied straight out of the docs) will be rejected with the above error:

[{
  "relation": ["delegate_permission/common.get_login_creds"],
  "target": {
    "namespace": "web",
    "site": "https://signin.example.com"
  }
 },
 {
  "relation": ["delegate_permission/common.get_login_creds"],
  "target": {
    "namespace": "android_app",
    "package_name": "com.example",
    "sha256_cert_fingerprints": [SHA_HEX_VALUE]
  }
 }]

The solution in my case was to add the handle_all_urls relation:

[{
  "relation": ["delegate_permission/common.handle_all_urls", "delegate_permission/common.get_login_creds"],
  "target": {
    "namespace": "web",
    "site": "https://signin.example.com"
  }
 },
 {
  "relation": ["delegate_permission/common.handle_all_urls", "delegate_permission/common.get_login_creds"],
  "target": {
    "namespace": "android_app",
    "package_name": "com.example",
    "sha256_cert_fingerprints": [SHA_HEX_VALUE]
  }
 }]

Upvotes: 3

Alexandr Kalashnikov

Reputation: 410

Got the same error, JSON Object doesn't have linked key, on the Fido2ApiClient.getSignPendingIntent() call. The solution in my case was to set a real user key (aka id) in allowList.

Upvotes: -1

Tooroop

Reputation: 1884

OK, I figured it out by playing with the example app https://github.com/googlecodelabs/fido2-codelab and changing things around, so I'm going to answer my own question. When requesting a registration challenge, the RP.id field needs to be the same as your domain name. In the sample the Rp.id value is "webauthn-codelab.glitch.me"; I changed it to "webauthn.glitch.me" just to try out what would happen. Guess what, I'm getting the same errors as before:

E/Fido: [DigitalAssetsAssociationChecker] JSON Object doesn't have linked key
E/Fido: [Fido2RequestController] The incoming request cannot be validated
E/Fido: [Fido2RequestController] The incoming request cannot be validated

To conclude, be sure that the RP.id that gets returned from the backend matches the domain URL. Also, here is a link explaining the RP ID: https://www.w3.org/TR/webauthn-2/#relying-party-identifier

Upvotes: 4
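The two causes above (a statement list missing the handle_all_urls relation, and an RP ID that does not match the site's domain) can both be caught before launching the FIDO2 intent. The following is an added, hypothetical offline checker, not code from the question, the codelab or Play Services; the fingerprint value and both statement lists are constructed placeholders, and the RP ID check also accepts a registrable-domain suffix, as WebAuthn permits, rather than only the exact match the self-answer describes.

```python
import json

# The two relations the second answer found necessary for the association to be accepted.
REQUIRED_RELATIONS = (
    "delegate_permission/common.handle_all_urls",
    "delegate_permission/common.get_login_creds",
)

def assetlinks_url(rp_id):
    """Where the Digital Asset Links statement list is fetched for an RP ID."""
    return f"https://{rp_id}/.well-known/assetlinks.json"

def rp_id_matches_origin(rp_id, origin_host):
    """WebAuthn allows the RP ID to equal the origin host or be a registrable
    domain suffix of it; the codelab case above needs exact equality."""
    return origin_host == rp_id or origin_host.endswith("." + rp_id)

def check_assetlinks(raw_json, package_name, cert_fingerprint, rp_id, origin_host):
    # Returns a list of problems; an empty list means nothing obvious is wrong.
    problems = []
    if not rp_id_matches_origin(rp_id, origin_host):
        problems.append(f"rp_id {rp_id!r} does not match origin host {origin_host!r}")
    try:
        statements = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return problems + [f"assetlinks.json is not valid JSON: {exc}"]
    if not isinstance(statements, list):
        return problems + ["top-level value must be a JSON array of statements"]
    wanted = cert_fingerprint.upper()  # fingerprints are compared case-insensitively
    app_statements = [
        s for s in statements if isinstance(s, dict)
        and s.get("target", {}).get("namespace") == "android_app"
        and s["target"].get("package_name") == package_name
        and wanted in (f.upper() for f in s["target"].get("sha256_cert_fingerprints", []))
    ]
    if not app_statements:
        return problems + [f"no android_app statement for {package_name} with that fingerprint"]
    granted = {r for s in app_statements for r in s.get("relation", [])}
    problems += [f"missing relation {rel}" for rel in REQUIRED_RELATIONS if rel not in granted]
    return problems

FINGERPRINT = "PLACEHOLDER_SHA256_FINGERPRINT"  # constructed, not a real signing-cert hash
# Constructed statement lists: the first mirrors the rejected file above, the second the fixed one.
REJECTED = json.dumps([{"relation": ["delegate_permission/common.get_login_creds"],
                        "target": {"namespace": "android_app", "package_name": "com.example",
                                   "sha256_cert_fingerprints": [FINGERPRINT]}}])
ACCEPTED = json.dumps([{"relation": list(REQUIRED_RELATIONS),
                        "target": {"namespace": "android_app", "package_name": "com.example",
                                   "sha256_cert_fingerprints": [FINGERPRINT]}}])
```

Run it against the body actually served at assetlinks_url(rp_id) with your real package name and signing-certificate fingerprint; the first answer's point still applies, since the file must be reachable from the public internet for Google's checker to fetch it.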
