The incoming request cannot be validated

Question

The incoming request cannot be validated

Will5 opened this issue a year ago · 6 comments

I am trying to implement FIDO2 on Android, and I am testing using the CredentialManager sample and code lab. However, when I click on "Sign Up with passkey", I get the following exception:

Auth com.google.credentialmanager.sample E createPasskey failed with exception: The incoming request cannot be validated

The Documentation suggests "The app's package ID is not registered with your server. Validate this in your server-side integration." However, I have the assetlinks.json hosted on my domain, and I have used the following tools to verify:

The asset links looks like this:

[
  {
    "relation" : [
      "delegate_permission/common.handle_all_urls",
      "delegate_permission/common.get_login_creds"
    ],
    "target" : {
      "namespace" : "web",
      "site" : "${SITE}"
    }
  },
  {
    "relation" : [
      "delegate_permission/common.handle_all_urls",
      "delegate_permission/common.get_login_creds"
    ],
    "target" : {
      "namespace" : "android_app",
      "package_name" : "com.google.credentialmanager.sample",
      "sha256_cert_fingerprints" : [
        "${SHA256_CERT_FINGERPRINT}"
      ]
    }
  }
]

Any thoughts or suggestions?

Answer 1 · 2024-01-16T09:01:16.000Z

Hi

We do have a codelab for FIDO2, mostly the same steps and asset linking, did you try that as well? Also, are you still facing the issue?

https://codelabs.developers.google.com/codelabs/fido2-for-android

Answer 2 · 2024-01-16T09:02:07.000Z

Also, throguh the codelab, to verify, you could once try same glitch me server and check if you are able to replicate or if there is some other issue.

Answer 3 · 2024-03-17T10:17:41.000Z

After spending two days finally i got the answer of your question.

Step 1: First add your release SHA256 key with your package name into assetlinks.json file and upload it your rp (realing party website) /.well-known path

Step 2: Change your build varint to release build.

Step 3: Most important step is to add build flavour inside signInConfig block in build.gradle file like this

signingConfigs {
debug {

}
release {
    storeFile file('../my_keystore.keystore')
    storePassword 'password'
    keyAlias 'password'
    keyPassword 'password'
}

}
step 4 : Inside buildTypes block asscess your release file flavour

buildTypes {
release {
signingConfig signingConfigs.release
minifyEnabled false
proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
}
Now you are good to go. this steps will work on both Fido2 and CredentialManager api android

Answer 4 · 2024-04-28T20:04:24.000Z

Hey, closing this. let me know if there's any other issue here :)

Answer 5 · 2024-05-01T09:25:12.000Z

@SumitProgrammer5955 I didn't quite understand if you had the problem only in debug or if it also works with the SHA256 debug key. I'm having the same problem but still in development I have the app only in debug mode.

Answer 6 · 2024-05-03T03:25:17.000Z

Hi All, i have followed through the following but still getting "The incoming request cannot be validated":

added assetlinks.json to server
tested using https://developers.google.com/digital-asset-links/tools/generator

Anyone has any idea or suggestions?