Comments (8)
One other question: Why are we using a rather "untyped" interface so far?
RegisterResponse register(String options)
That means that on boths sides (Android and Flutter) we are not really able to validate much without parsing first because all there is, is a JSON string. We could just use types instead of the string, right?
I used a single json string because the android credential manager just takes the whole json as input - like navigator.create in the browser does, but if it is the better option I'll create the json in native code instead of flutter. However ideally you would use the raw pubKey-jsonobject that's coming from the backend without having to parse it, change it and encode it back to a string (except for validation maybe) - maybe I'll find a clean way to do that
Edit: Stayed with parsing and added variables to pass down for the important additional parameters
from flutter-passkeys.
Yes sure makes sense, I called it getFacetID because that's what the spec names it. If origin is a better name, I can change it to that.
from flutter-passkeys.
@nicolaistein quick question regarding the "Origin" header:
I saw that you added android:apk-key-hash:xyz as an "Origin" header.
Is our frontend API already respecting that header? I did not set it for the iOS implementation and I still got valid responses. Did you have problems when not setting it?
from flutter-passkeys.
One other question: Why are we using a rather "untyped" interface so far?
RegisterResponse register(String options)
That means that on boths sides (Android and Flutter) we are not really able to validate much without parsing first because all there is, is a JSON string. We could just use types instead of the string, right?
from flutter-passkeys.
@nicolaistein quick question regarding the "Origin" header: I saw that you added android:apk-key-hash:xyz as an "Origin" header. Is our frontend API already respecting that header? I did not set it for the iOS implementation and I still got valid responses. Did you have problems when not setting it?
Android puts the apk key hash as origin in the signed clientDataJSON and our api requires the clientDataJSON-origin to be identical to the origin of the webauthn api requests
ios doesn't do that so no origin change in the requests is required.
from flutter-passkeys.
@nicolaistein quick question regarding the "Origin" header: I saw that you added android:apk-key-hash:xyz as an "Origin" header. Is our frontend API already respecting that header? I did not set it for the iOS implementation and I still got valid responses. Did you have problems when not setting it?
Android puts the apk key hash as origin in the signed clientDataJSON and our api requires the clientDataJSON-origin to be identical to the origin of the webauthn api requests ios doesn't do that so no origin change in the requests is required.
Ok I see, makes sense. Two things we can think about:
- I am not perfectly familiar with the WebAuth0 specs, but I would guess that iOS does something similar than Android here. At least there are some FIDO docs that explain that: https://fidoalliance.org/specs/uaf-v1.0-id-20141122/fido-appid-and-facets-v1.0-id-20141122.html#the-appid-and-facetid-assertions => if that is true, we might have to do something for iOS here (+ mabye also our backend misses something)
- "getSignatureFingerprint" (the method that we added in this issue) is very Android specific. If it turns out that iOS also sends an Origin header we could change that to a method like "getOriginHeader" => than every platform can make its own decision on the header and we don't have to have an unimplemented method in iOS
Does that make sense?
from flutter-passkeys.
Looks good. I had one small comment on the second PR. Besides of that please merge both PRs then.
from flutter-passkeys.
@nicolaistein the PRs are already merged, right? So we can close this issue?
from flutter-passkeys.
Related Issues (20)
- Why the login to google is required ? HOT 1
- How to retrieve the public key? HOT 1
- missing `icon` in extension.yaml HOT 2
- Is low-level access to the passkeys possible? HOT 1
- Can not register passkey on iOS Simulator with local RelyingPartyServer
- sign up and get "Socket operation failed" HOT 3
- Add support for excludeCredentials HOT 1
- Add support for shouldShowHybridTransport, userVerificationRequirement and attestationPreference
- Update loginWithPasskey to support automatic conditionalUI for iOS
- Support for roaming authenticator/hardware security key HOT 5
- Update from 1.3.2 to 2.0.4 issue HOT 3
- Handling Back Navigation in Android Version 14: Dealing with Google Authenticator Popup Dismissal HOT 6
- How to implement conditional UI? HOT 6
- Unable to build iOS after plugin update from 1.1.0 to 2.0.7 HOT 3
- Android 10 Passkey authentication issue help
- Error when registering passkey on Android HOT 7
- Exception: your device doesn't support credential manager HOT 2
- androidx.credentials.TYPE_SECURITY_ERROR when using example app HOT 3
- Unable to login on Passkeys.eu HOT 11
- Error in web application when running build_runner with corbado_auth package HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from flutter-passkeys.