I'm intending to use WebAuthn for authentication, as shown at the demo site https://webauthn.io

Turns out that Android's WebView (and its iOS counterpart) does not implement this, and it is explicitly stated that this won't happen. One is instead referred to using a Chrome Tab.

But what I want to do is not to use any HTML/JavaScript for this when on a mobile device, that is, inside the App. In the app I would like to use a Java library similar to Firebase but which does provide the means to use the same account which got set up via WebAuthn, or to set up an account via the library on the App which can then later be accessed in a Browser by using WebAuthn.

I have come across AppAuth https://github.com/openid/AppAuth-Android and am unsure if this is related to WebAuthn.

My goal is to use a password- and email-less authentication system, in order for users to use it on the Web via WebAuthn as well as have their App access the backend via the library on their behalf. A system that doesn't require someone to have a user account at Facebook, Google or any other provider.

I would want to avoid using a workaround like a Chrome Tab in the Android App; it should all be handled in Java, with the user interaction via Fragments.

What are my options? Is FIDO2 capable of offering all that is needed to provide this? How does it relate to OAuth 2.0?

Daniel F

FIDO2 support has been introduced on Android 7.0 Nougat (API 24) and above. Here is the FIDO2 API reference: https://developers.google.com/android/reference/com/google/android/gms/fido/fido2/Fido2ApiClient Here is the FIDO Codelab: https://codelabs.developers.google.com/codelabs/fido2-for-android/#0 Hope this helps – albeee May 19 '20 at 23:52

3 Answers

WebAuthn is a standard for browsers, which means it can only be implemented in browsers as of today. On Android, it's indeed restricted to the browser or Chrome Custom Tabs. On iOS, it may be allowed in internal webviews - but still in a web component.

There is no way to have it working with the native UI, especially because WebAuthn authentication is bound to a URI (which there isn't in a native mobile application UI).

EDIT: since this answer was given, native FIDO2 support appeared on:

  • Android through the Fido2ApiClient API
  • Windows 10 through the use of webauthn.dll

It is still unsupported on iOS as of beginning of 2023.

WebAuthn and OAuth2 are not related. OAuth2 is an API access control protocol: you first get tokens on the authorization server using a web flow (except in some special cases), which typically involves an authentication and authorization process, and then consume these access tokens on an API that verifies them. WebAuthn is an authentication scheme: after initial enrolment, a user can authenticate with an authenticator without presenting a password.

The only way these two things are related is that WebAuthn can be used as an authentication scheme in the OAuth2 authentication process (instead of a password, an OTP sent by email or SMS, a push notification...).

If you want to have a single authentication process between your native application and some of your web applications on the same mobile device, the way to go is to have a unique, central authentication service which will deal with authentication and SSO (Single Sign-On). It prevents a user from having multiple accounts, registration and authentication processes.

To do that, your native mobile application has to use it too - and therefore use web authentication. AppAuth is a library that allows doing such a thing, and uses the OAuth2 protocol (and therefore provides OAuth2 access tokens, to access APIs). Since your native application has no data within itself, but needs to retrieve data somewhere (probably an API), that might be what you want. But you can't achieve SSO with fragments as far as I know, because any non-Chrome-Custom-Tab component will not share cookies outside of the application.

Tangui

WebAuthn can be implemented natively on Android using Fido2ApiClient (https://developers.google.com/android/reference/com/google/android/gms/fido/fido2/Fido2ApiClient). Here is a complete Google code lab explaining the process. – Imran Baig Sep 11 '20 at 07:55
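The answer above points to AppAuth as the way to let a native Android app reuse the same central login (including a WebAuthn login page) through a Chrome Custom Tab and come back with OAuth2 tokens. The following is an added example of that flow, not code from the answer or from the AppAuth project; the issuer endpoints, client id, redirect URI and package name are placeholders, and it assumes the redirect scheme is registered for AppAuth's RedirectUriReceiverActivity in the manifest.

```java
// Added example: minimal AppAuth-Android authorization-code flow with PKCE.
// Placeholders: auth.example.com endpoints, client id, redirect URI, package name.
package com.example.sso; // hypothetical package

import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;

import net.openid.appauth.AuthorizationException;
import net.openid.appauth.AuthorizationRequest;
import net.openid.appauth.AuthorizationResponse;
import net.openid.appauth.AuthorizationService;
import net.openid.appauth.AuthorizationServiceConfiguration;
import net.openid.appauth.ResponseTypeValues;
import net.openid.appauth.TokenResponse;

public class SsoLoginActivity extends Activity {
    private static final int RC_AUTH = 100;
    private AuthorizationService authService;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        authService = new AuthorizationService(this);

        // Endpoints of the central authentication service (placeholders).
        AuthorizationServiceConfiguration config = new AuthorizationServiceConfiguration(
                Uri.parse("https://auth.example.com/authorize"),
                Uri.parse("https://auth.example.com/token"));

        // AppAuth generates the PKCE code verifier/challenge for this request by default,
        // so the authorization code is useless to anyone who only intercepts the redirect.
        AuthorizationRequest request = new AuthorizationRequest.Builder(
                config,
                "my-native-client-id",                       // placeholder client id
                ResponseTypeValues.CODE,
                Uri.parse("com.example.sso:/oauth2redirect")) // placeholder redirect URI
                .setScope("openid profile")
                .build();

        // AppAuth opens a Chrome Custom Tab, never an embedded WebView, so the
        // browser's cookies (SSO) and its WebAuthn support are available to the login page.
        Intent authIntent = authService.getAuthorizationRequestIntent(request);
        startActivityForResult(authIntent, RC_AUTH);
    }

    @Override
    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
        super.onActivityResult(requestCode, resultCode, data);
        if (requestCode != RC_AUTH || data == null) {
            return;
        }
        AuthorizationResponse resp = AuthorizationResponse.fromIntent(data);
        AuthorizationException ex = AuthorizationException.fromIntent(data);
        if (resp == null) {
            // User cancelled, or the authorization server returned an error (see ex).
            return;
        }
        // Exchange the one-time code for tokens; AppAuth attaches the PKCE verifier.
        authService.performTokenRequest(resp.createTokenExchangeRequest(),
                (TokenResponse tokenResponse, AuthorizationException tokenEx) -> {
                    if (tokenResponse != null && tokenResponse.accessToken != null) {
                        // Send tokenResponse.accessToken as a Bearer token to your API.
                        onAccessToken(tokenResponse.accessToken);
                    }
                });
    }

    private void onAccessToken(String accessToken) {
        // Hand the token to your API client; keep it in memory or in an encrypted store.
    }

    @Override
    protected void onDestroy() {
        authService.dispose();
        super.onDestroy();
    }
}
```

The point the answer makes shows up in the code: the user interface of the login itself is the browser tab, not a Fragment, and what the app receives back is an OAuth2 access token for the API, not a WebAuthn credential.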

Android WebAuthn

In the case of Android, WebAuthn can be implemented in two ways.

1. Native implementation: by using Fido2ApiClient, but this requires the auth server to provide web request interfaces for attaching FIDO credentials with the server. A code lab is available here: https://codelabs.developers.google.com/codelabs/fido2-for-android/#0

2. Custom Tab implementation:
In the custom tab implementation, you have to launch the URL of the website implementing WebAuthn. The website will perform the FIDO credential related operations using client-side scripts. In the end, it will call a redirection link for the app to handle in the activity, using the host and scheme declaration for the activity in the manifest.xml. Android CustomTabsIntent.Builder offers a lot of options to style and customise the experience in the Chrome browser tab. See the link

Note: WebAuthn does not work in an embedded WebView for Android.

iOS WebAuthn: iOS ATM only offers one option, that is a custom tab in the browser and handling the redirected URL at the end in the app.

Imran Baig

I don't think it is correct to say that `WebAuthn` can be used in a purely native environment. `FIDO2` based authentication is implemented in a web environment using `WebAuthn` + `CTAP2`. Whereas, in a purely native environment, `FIDO2` based authentication is implemented using platform-specific `FIDO2-API` (Android/iOS) + `CTAP2`. This platform-specific `FIDO2-API` is not `WebAuthn`. – Jatin Oct 20 '22 at 05:43
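The native option in the answer above (Fido2ApiClient, the Android FIDO2 API rather than WebAuthn proper, as the comment notes) is shown here as an added registration example; it is not code from the answer, the comment or the Google code lab. It assumes the relying-party id, user id and challenge normally come from your own server's registration-options endpoint (constructed placeholders below), and that the app depends on play-services-fido. The credential id, clientDataJSON and attestationObject it collects are the same three values a browser's `navigator.credentials.create()` produces, which is what lets one server-side account serve both the app and the web.

```java
// Added example: native FIDO2 credential registration with Fido2ApiClient.
// Placeholders: rpId "example.com", the user id and the challenge bytes.
package com.example.fido; // hypothetical package

import android.app.Activity;
import android.app.PendingIntent;
import android.content.Intent;
import android.content.IntentSender;
import android.os.Bundle;
import android.util.Base64;

import com.google.android.gms.fido.Fido;
import com.google.android.gms.fido.fido2.Fido2ApiClient;
import com.google.android.gms.fido.fido2.api.common.AuthenticatorAttestationResponse;
import com.google.android.gms.fido.fido2.api.common.AuthenticatorErrorResponse;
import com.google.android.gms.fido.fido2.api.common.EC2Algorithm;
import com.google.android.gms.fido.fido2.api.common.PublicKeyCredential;
import com.google.android.gms.fido.fido2.api.common.PublicKeyCredentialCreationOptions;
import com.google.android.gms.fido.fido2.api.common.PublicKeyCredentialParameters;
import com.google.android.gms.fido.fido2.api.common.PublicKeyCredentialRpEntity;
import com.google.android.gms.fido.fido2.api.common.PublicKeyCredentialType;
import com.google.android.gms.fido.fido2.api.common.PublicKeyCredentialUserEntity;

import org.json.JSONException;
import org.json.JSONObject;

import java.util.Collections;

public class Fido2RegisterActivity extends Activity {
    private static final int REQUEST_FIDO2_REGISTER = 1;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // Constructed placeholders: in a real app these come from the server, and the
        // challenge must be fresh random bytes per registration so a reply cannot be replayed.
        String rpId = "example.com";                       // must equal the web origin's RP id
        byte[] userId = "user-1234".getBytes();
        byte[] challenge = "placeholder-random-challenge".getBytes();

        PublicKeyCredentialCreationOptions options = new PublicKeyCredentialCreationOptions.Builder()
                .setRp(new PublicKeyCredentialRpEntity(rpId, "Example App", null))
                .setUser(new PublicKeyCredentialUserEntity(userId, "alice", null, "Alice"))
                .setChallenge(challenge)
                // ES256 (COSE -7), the algorithm WebAuthn servers commonly accept by default.
                .setParameters(Collections.singletonList(new PublicKeyCredentialParameters(
                        PublicKeyCredentialType.PUBLIC_KEY.toString(),
                        EC2Algorithm.ES256.getAlgoValue())))
                .build();

        Fido2ApiClient client = Fido.getFido2ApiClient(this);
        client.getRegisterPendingIntent(options).addOnSuccessListener((PendingIntent pi) -> {
            try {
                // Play services shows the platform/security-key prompt; the result comes back below.
                startIntentSenderForResult(pi.getIntentSender(), REQUEST_FIDO2_REGISTER, null, 0, 0, 0);
            } catch (IntentSender.SendIntentException e) {
                // Registration UI could not be launched.
            }
        });
    }

    @Override
    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
        super.onActivityResult(requestCode, resultCode, data);
        if (requestCode != REQUEST_FIDO2_REGISTER || resultCode != RESULT_OK || data == null) {
            return;
        }
        byte[] bytes = data.getByteArrayExtra(Fido.FIDO2_KEY_CREDENTIAL_EXTRA);
        PublicKeyCredential credential = PublicKeyCredential.deserializeFromBytes(bytes);
        if (credential.getResponse() instanceof AuthenticatorErrorResponse) {
            // e.g. user cancelled or no eligible authenticator; see getErrorMessage().
            return;
        }
        AuthenticatorAttestationResponse att = (AuthenticatorAttestationResponse) credential.getResponse();
        try {
            // POST this JSON to the server; it is the same shape the WebAuthn JS API yields,
            // so the server verifies it with its existing WebAuthn registration code.
            JSONObject body = new JSONObject()
                    .put("id", b64url(credential.getRawId()))
                    .put("rawId", b64url(credential.getRawId()))
                    .put("type", "public-key")
                    .put("response", new JSONObject()
                            .put("clientDataJSON", b64url(att.getClientDataJSON()))
                            .put("attestationObject", b64url(att.getAttestationObject())));
            sendToServer(body.toString());
        } catch (JSONException ignored) {
        }
    }

    // WebAuthn servers expect base64url without padding for binary fields.
    static String b64url(byte[] data) {
        return Base64.encodeToString(data, Base64.URL_SAFE | Base64.NO_WRAP | Base64.NO_PADDING);
    }

    private void sendToServer(String registrationJson) {
        // Hypothetical: your HTTP client posts to the server's registration endpoint.
    }
}
```

The server side must verify that the `challenge` inside `clientDataJSON` is the one it issued and that the `origin` and RP id match its web origin; only then should it store the credential public key against the account. Sign-in later follows the same shape with `getSignPendingIntent` and an `AuthenticatorAssertionResponse`.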

I think currently the Passkeys API would be recommended for consumer applications.

https://developer.android.com/training/sign-in/passkeys

https://support.apple.com/guide/iphone/sign-in-with-passkeys-iphf538ea8d0/ios

MikhailKrishtop