1

I'm trying to set up an app which uses the Google Smart Lock feature to fetch credentials stored in Google's password manager and automatically log in. For this, I have set up a test website, where a user can log in (while browsing in Google Chrome), and if she chooses to save the password for the site, it'll be saved in Google's password manager. The sample app that I have should be able to automatically fetch the stored credentials and use them to log in to the app content page.

I have followed the documentation thoroughly. Here's the Digital Assets file hosted at the website root:

[{
  "relation": ["delegate_permission/common.get_login_creds"],
  "target": {
    "namespace": "web",
    "site": "https://officeloginsso.azurewebsites.net"
  }
 },
 {
  "relation": ["delegate_permission/common.get_login_creds"],
  "target": {
    "namespace": "android_app",
    "package_name": "com.mslogin.t_sopal.msloginsso",
    "sha256_cert_fingerprints": [
      "XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX"
    ]
  }
 },{
  "relation": ["delegate_permission/common.get_login_creds"],
  "target": {
    "namespace": "android_app",
    "package_name": "com.login.codelab.sopalsmartlock",
    "sha256_cert_fingerprints": [
      "XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX"
    ]
  }
}]

The Manifest file snippet that includes the link to the json file:

<application>    
<meta-data android:name="asset_statements" android:resource="@string/asset_statements" />
</application>

Strings.xml:

<string name="asset_statements" translatable="false">
      [{
        \"include\": \"https://officeloginsso.azurewebsites.net/.well-known/assetlinks.json\"
      }]
  </string>

The app has been published (with regional restriction) and the json file has been hosted, which returns the response:

 HTTP/1.1 200 OK
 Content-Type: application/json

Despite having done these, the app still can't pick up the username/password stored through the website. Is there something I am missing here?

Prags
  • I work on the Smart Lock team at Google: we're seeing the association for com.mslogin.t_sopal.msloginsso with https://officeloginsso.azurewebsites.net, but not com.login.codelab.sopalsmartlock ... is the latter actually published in the Play Store? We can only associate published Play Store apps (may use an alpha/beta channel if you need to keep it private). – Steven Jun 28 '16 at 12:39
  • To test that the association for the first app / package is working, follow the details here: http://stackoverflow.com/questions/34861744/password-from-associated-website-not-retrieved-in-app-via-smart-lock-api (e.g. check that you are using an APK signed with the same keys as the Play Store version, etc.) – Steven Jun 28 '16 at 12:41
  • My bad. The apk was signed with a different key for the second app. I've got it fixed, and for now using only the first app. Thanks a lot – Soumyajit Pal Jun 29 '16 at 06:29
  • @Steven could you please check my question too? Facing same issue. https://stackoverflow.com/questions/63830860/app-and-website-saved-password-is-not-sync – Nirmal Sinh Revar Sep 15 '20 at 12:55

3 Answers

0

Per discussions in the comments, the resolution was to ensure that the asset links file matches the package and signature of a published Play Store app and that the apk being tested is signed with the same certificate as the published app (i.e., not signed from a debug / development keystore). You can use an alpha/beta channel if you want to test before releasing to a production channel.

In general, here are the things to check (some mentioned in the question):

  • ensure your asset links file is valid json containing both app (the Play Store package and cert fingerprint) and any associated sign-in domains (desktop, mobile web, regional domains, etc. each of which needs its own assetlinks.json at the well-known location, but may point to a canonical copy) without a path component (e.g. no trailing slash)

  • check (e.g. with curl -I) that the file is served with an HTTP 200 (no redirects) from the well-known location (must be available at exactly /.well-known/assetlinks.json) with "Content-Type: application/json" header and is accessible to bots/crawlers

  • verify that asset_statements in the app manifest is under application and is valid escaped json and points to the asset links file in the well-known https location. The app needs to be published before we can detect this, but you can use an alpha/beta channel for testing, so long as that apk has the latest version code

Once these requirements are met and the app is published in the Play Store, the association will be enabled automatically within 1-2 business days. Details of these requirements are available at https://developers.google.com/identity/smartlock-passwords/android/associate-apps-and-sites

Steven
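The checks listed in the answer above, applied to an already fetched response, as an added example that is not part of the original answer. `check_asset_links`, `sample_body`, the `com.example.app` package and the `login.example.com` site are hypothetical names, and the fingerprints are constructed placeholders.

```python
import json
from urllib.parse import urlsplit

RELATION = "delegate_permission/common.get_login_creds"

def check_asset_links(status, headers, body, package_name, apk_fingerprint):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if status != 200:
        problems.append(f"HTTP {status}: must be a direct 200, no redirects")
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    # Assumption: parameters such as "; charset=utf-8" are ignored.
    if ctype.split(";")[0].strip().lower() != "application/json":
        problems.append(f"Content-Type {ctype!r} is not application/json")
    try:
        statements = json.loads(body)
    except ValueError as exc:
        return problems + [f"invalid JSON: {exc}"]
    if not isinstance(statements, list):
        return problems + ["top-level JSON value must be a list of statements"]
    web_seen, listed = False, None  # listed stays None until the package is found
    for st in (s for s in statements if isinstance(s, dict)):
        target, relation = st.get("target"), st.get("relation")
        if not isinstance(target, dict) or not isinstance(relation, list) or RELATION not in relation:
            continue
        if target.get("namespace") == "web":
            web_seen = True
            site = urlsplit(str(target.get("site", "")))
            if not site.netloc or site.path or site.query:
                problems.append(f"web site {target.get('site')!r} has a path component")
        elif target.get("namespace") == "android_app" and target.get("package_name") == package_name:
            fprs = target.get("sha256_cert_fingerprints")
            listed = (listed or []) + [str(f).upper() for f in (fprs if isinstance(fprs, list) else [])]
    if not web_seen or listed is None:
        problems.append(f"need a web target and an android_app target for {package_name}")
    if listed is not None and apk_fingerprint.upper() not in listed:
        problems.append(f"tested APK's cert fingerprint is not listed for {package_name}")
    return problems

# Constructed sample values below; none come from the question's real file.
RELEASE_FPR = ":".join(["AB"] * 32)  # stands in for the Play Store signing cert
DEBUG_FPR = ":".join(["CD"] * 32)    # stands in for a debug keystore cert

def sample_body(site, fingerprint):
    return json.dumps([
        {"relation": [RELATION], "target": {"namespace": "web", "site": site}},
        {"relation": [RELATION], "target": {"namespace": "android_app",
         "package_name": "com.example.app", "sha256_cert_fingerprints": [fingerprint]}}])
```

Calling it with the fingerprint of the APK actually installed on the test device reproduces the failure from the comments: an APK signed with a different key than the one listed is reported even though the file itself is served correctly.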
0

Since you have defined the assetlinks.json in this path

https://officeloginsso.azurewebsites.net/.well-known/assetlinks.json

it is very important to define these lines in your robots.txt file:

User-agent: *
Allow: /.well-known/

to allow GoogleBot access to your file:

https://officeloginsso.azurewebsites.net/.well-known/assetlinks.json

Read about robots.txt.

Jorgesys
-1

To integrate Smart Lock for Passwords into your Android app, you must add calls to the Credentials API to your app's start-up and sign-in flow.

To retrieve credentials:

  • When the app starts, if no user is already signed in, call CredentialsApi.request().

  • If getStatus().isSuccess() returns true, get the user's credentials with getCredential() and use them to sign in.

  • If getStatus().isSuccess() returns false and getStatusCode() returns RESOLUTION_REQUIRED, user input is required to pick a credential. Call startResolutionForResult() to prompt the user to select a saved account, then call getParcelableExtra(Credential.EXTRA_KEY) to get the user's credentials and use them to sign in.

Note: If signing in with the retrieved credentials fails because the password is incorrect or the account doesn't exist, delete the credentials from Smart Lock.

This document shows how to integrate Smart Lock for Passwords into your Android app.

Android Enthusiast
  • My code worked perfectly. I had mistakenly provided a different SHA cert in the Digital Assets file which caused the error. Thanks for the response though – Soumyajit Pal Jun 30 '16 at 05:12
  • @SoumyajitPal I am facing some issue in password sync. Can you please have a look? https://stackoverflow.com/questions/63830860/app-and-website-saved-password-is-not-sync – Nirmal Sinh Revar Sep 17 '20 at 06:47