Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Passkey FIDO2 example #117

Open
knightcode opened this issue Jan 22, 2024 · 3 comments
Open

Add Passkey FIDO2 example #117

knightcode opened this issue Jan 22, 2024 · 3 comments

Comments

@knightcode
Copy link

I could really use more of a dev guide for implementing a passkey FIDO2 U2F flow than the couple of lines posted here: https://developers.yubico.com/yubikit-android/fido/

More specifically, the page above passes one value to makeCredential() when it really expects six parameters. I'm guessing that's just for simplicity. But then the first parameter is a JSON string we have to build ourselves and its data is redundant to everything in com.yubico.yubikit.fido.webauthn.PublicKeyCredentialCreationOptions that gets passed to the second parameter, so that I feel like I'm doing something wrong.

The fourth param is labeled, pin, and I'm guessing that's the pin to unlock the yubikey(?), which suggests you don't have a UI ceremony that requests that from the user automatically, so that we have to build one ourselves, try this once, get the PIN exception, prompt the user, and then try a second time? ... also seems like I'd be doing something wrong there.

Side note: I'm currently on a pixel tablet with no NFC and wireless debugging isn't working for me, so that my troubleshooting is impaired, and that's contributing to my ignorance here)

@AdamVe
Copy link
Member

AdamVe commented Jan 23, 2024

Hello and thank you for your interest in the SDK, you are right that the readme for the fido module is very simple, please look at the integration tests for the fido module in this folder. These tests cover different workflows and show how to make credential, assert for it, query all discoverable credentials stored in the authenticator, access the PIN management functionality and more. You can also run all those tests on a connected Android device with a real YubiKey, both USB and NFC connections are supported. The tests will overwrite and remove data from the security key, so use it only with testing devices. To run the tests follow this guide.

For the PIN we currently don't have any UI in the SDK and there are different ways how to know if a PIN is set, the simple one is catching the exception. The other way is to look at the value of the clientPin option in the session data. If that option is present and it's value is true, it indicates that the device is capable of accepting a PIN from the client and PIN has been set.

Maybe this guide could help you to setup wireless debugging on your tablet? It saved me many times when nothing else worked: https://developer.android.com/tools/adb#wireless

Let me know if you have any more questions.

@knightcode
Copy link
Author

Thanks... I can't let the tests overwrite my yubikey's data, but I'm following along with them well enough.

I'm running into this error as soon as I call any method on the Ctap2Session object and the yubikey connected via USB-C:

java.io.IOException: Failed to send full packed
        at com.yubico.yubikit.android.transport.usb.connection.UsbFidoConnection.send(UsbFidoConnection.java:35)
        at com.yubico.yubikit.core.fido.FidoProtocol.sendAndReceive(FidoProtocol.java:94)
        at com.yubico.yubikit.fido.ctap.Ctap2Session$2.sendCbor(Ctap2Session.java:159)
        at com.yubico.yubikit.fido.ctap.Ctap2Session.sendCbor(Ctap2Session.java:187)

I thought I had to set the PIN on the session before building a BasicWebAuthnClient, but the error occurs even on calls to setPin or getPinToken.

I'm assuming that I'm over complicating this, but I can't find anything in the tests that suggest the SDK initiates its own UI to collect the PIN. Yet.. the yubikey acts as a hardware keyboard, so that Android prevents the soft keyboard from showing while the yubikey is plugged in... meaning that, in order to input the PIN, I have to make the user unplug the device, then input the PIN, and plug the device back in. ...And I wasted tons of time trying to force the soft keyboard to show ...but that can't be the requisite flow... there's no way the SDK would leave all that work to us. ...if that's the case, why would we bother with this in the world of Android or iOS passkeys.

@Canato
Copy link

Canato commented Sep 21, 2024

I came here to ask similar, happy to see that someone already asked, but finding quite difficult to follow the tests for a very basic implementation, could we add the kotlin example of how to register a new security key using FIDO?

I believe is what most cases want:

  • Click a button
  • Discover
  • Register
  • Show list/edit

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

No branches or pull requests

3 participants