WebAuthn: Native Android origin verification

[nduplessis]

Heya

I'm busy implementing native Android app passkey support using rodauth. On native Android apps the origin is set as follows:

For Android apps, the user agent automatically sets origin to the signature of the calling app. This signature should be verified as a match on your server to validate the caller of the passkey API. The Android origin is a URI derived from the SHA-256 hash of the APK signing certificate, such as:

android:apk-key-hash:<sha256_hash-of-apk-signing-cert>

https://developer.android.com/training/sign-in/passkeys#verify-origin

I can't seem to find anything in rodauth that would indicate it being possible to perform the origin verification correctly for the above.

Am I missing something or is this not possible with rodauth at the moment?

[jeremyevans]

Does using webauth_origin 'android:apk-key-hash:<sha256_hash-of-apk-signing-cert>' in your Rodauth configuration work?

[nduplessis]

@jeremyevans definitely this would work, but if I understand correctly this will override the origin for all requests, correct?

In that case it would not allow me to have working credential validation for native Android apps alongside website / iOS origins

[jeremyevans]

  webauth_origin do
    if # request is an android app request
      'android:apk-key-hash:<sha256_hash-of-apk-signing-cert>'
    else
      super()
    end
  end

[nduplessis]

🤦‍♂️

I'm an idiot, thanks @jeremyevans