Fido auth with Android SDK. Error from a server: invalid origin
dikiyPetr opened this issue · 3 comments
I use the FIDO Android SDK https://developers.google.com/android/reference/com/google/android/gms/fido/package-summary and the web FIDO lib https://github.com/lbuchs/WebAuthn as a server.
To complete authentication I send to the server the following payload:
{"authenticatorData":"uGLTOEtQtBsB4wjhEvR0ZVayRWn/3mhUyp6dqFFY0a8BAAABDQ==","clientDataJSON":"eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoiLW9zc3JiYXY3SmhmUWlQY1ZlMzFkdDQxMG5ZWHVvWW9kM1FYdHc5VmlIUSIsIm9yaWdpbiI6ImFuZHJvaWQ6YXBrLWtleS1oYXNoOmZiRU5UdkNTZVItQXdKVjVycnJCc2I5OHAtakV3MGM1U1NPTXVsX0t3YUkiLCJhbmRyb2lkUGFja2FnZU5hbWUiOiJjb20uYWZ0ZXJsb2dpYy5hdXJvcmEubWFpbCIsInRva2VuQmluZGluZyI6eyJzdGF0dXMiOiJwcmVzZW50IiwiaWQiOiJodHRwczpcL1wvdGVzdC5hZnRlcmxvZ2ljLmNvbSJ9fQ==","id":"LEBlQOlamqsmKzRBPQe9y0BFN5IaQ5BBB1ByiDH85HulzCYQTffqeK0RQDoZqUO7syGZY+hkfWf9P2FiQQ3eVA==","signature":"MEUCICFf8qFGiXxGTBokpstfUsCwbd7JTsLlDrFZoGMi3tZzAiEA0zAXxFDeqA7gF6YahudK+LD2gDUPtAnXqgAvvhVc/vE="}
The field clientDataJSON contains a base64-encrypted JSON object that has the property "origin":"android:apk-key-hash:fbENTvCSeR-AwJV5rrrBsb98p-jEw0c5SSOMul_KwaI".
But the server responds with an error "invalid origin".
At the same time, my web FIDO auth implementation sends clientDataJSON with "origin":"https://test.afterlogic.com", and everything works fine in this case.
How can I verify the origin with android:apk-key-hash on the web server? I would appreciate any other ideas on how to deal with this.
I'm not a PHP or Laravel developer, but I had the same problem with a PHP server implementation that used https://github.com/web-auth/webauthn-framework and https://github.com/asbiin/laravel-webauthn.
I went and had a look into the exceptions that were given back by the PHP server. There I found code that suggested that an origin with the value "apk-key-hash:...." would never be evaluated as a valid origin. So I had no other choice than to add code that would approve the apk-key-hash of my specific Android app.
Not the best solution, if even a real one, but I don't see any other way of doing it.
Try to look at https://developers.yubico.com/U2F/App_ID.html.
And please let me know if you figure out anything.
I am experiencing the same issue with the origin. Is there any update on the issue? Thanks!
Just add your android:apk-key-hash:fbENTvCSeR-AwJV5rrrBsb98p-jEw0c5SSOMul_KwaI to RPOrigins in webauthn.Config.
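An added example (not code from the issue, from lbuchs/WebAuthn or from the Go library the last comment refers to) of the server-side check the question asks for and the last comment describes: it decodes the clientDataJSON posted above and compares its origin as an exact string against an allow-list that holds both the https origin and the android:apk-key-hash origin, and it shows how that hash value is derived from the APK signing certificate. The origin values are the ones from this thread; the certificate bytes used with `android_origin_from_cert` in testing are a constructed placeholder, not a real certificate.

```python
import base64
import hashlib
import json

# Origins this relying party accepts. Both values are taken from the issue:
# the web origin, and the origin the Android FIDO SDK writes into clientDataJSON.
ALLOWED_ORIGINS = {
    "https://test.afterlogic.com",
    "android:apk-key-hash:fbENTvCSeR-AwJV5rrrBsb98p-jEw0c5SSOMul_KwaI",
}

# clientDataJSON exactly as posted in the issue (standard base64 with padding).
CLIENT_DATA_ANDROID = (
    "eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoiLW9zc3JiYXY3SmhmUWlQY1ZlMzFkdDQxMG5ZWHVvWW9k"
    "M1FYdHc5VmlIUSIsIm9yaWdpbiI6ImFuZHJvaWQ6YXBrLWtleS1oYXNoOmZiRU5UdkNTZVItQXdKVjVycnJCc2I5OHAt"
    "akV3MGM1U1NPTXVsX0t3YUkiLCJhbmRyb2lkUGFja2FnZU5hbWUiOiJjb20uYWZ0ZXJsb2dpYy5hdXJvcmEubWFpbCIs"
    "InRva2VuQmluZGluZyI6eyJzdGF0dXMiOiJwcmVzZW50IiwiaWQiOiJodHRwczpcL1wvdGVzdC5hZnRlcmxvZ2ljLmNvbSJ9fQ=="
)


def android_origin_from_cert(signing_cert_der: bytes) -> str:
    """Android origin = "android:apk-key-hash:" + base64url(SHA-256(signing cert DER)), unpadded."""
    digest = hashlib.sha256(signing_cert_der).digest()
    return "android:apk-key-hash:" + base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def decode_client_data(client_data_b64: str) -> dict:
    """Decode clientDataJSON (base64 or base64url, padded or not) into a dict."""
    normalized = client_data_b64.replace("-", "+").replace("_", "/")
    normalized += "=" * (-len(normalized) % 4)
    return json.loads(base64.b64decode(normalized))


def encode_client_data(client_data: dict) -> str:
    """Inverse of decode_client_data; used to build constructed inputs for checks."""
    return base64.urlsafe_b64encode(json.dumps(client_data).encode()).rstrip(b"=").decode()


def check_origin(client_data_b64: str, expected_type: str,
                 allowed_origins=frozenset(ALLOWED_ORIGINS)) -> str:
    """Validate the type and origin of clientDataJSON and return the accepted origin.

    The origin is compared as an exact string. Validators that parse it as a URL
    (scheme, host, port) are the ones that reject the android:apk-key-hash form.
    """
    client_data = decode_client_data(client_data_b64)
    if client_data.get("type") != expected_type:
        raise ValueError("unexpected type: %r" % client_data.get("type"))
    origin = client_data.get("origin")
    if origin not in allowed_origins:
        raise ValueError("invalid origin: %r" % origin)
    return origin
```

The allow-list entry must match the SDK's origin string character for character; the hash part is what `android_origin_from_cert` yields for the real APK signing certificate, so it can be kept in configuration as a certificate hash rather than an opaque string.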