Add passkey registration support for WebView, Fixes AB#3385532

changelog.txt

@@ -1,5 +1,6 @@
 vNext
 ----------
+- [MINOR] Add passkey registration support for WebView (#2769)
 - [MINOR] Add callback for OneAuth for measuring Broker Discovery Client Perf (#2796)
 - [MINOR] Add new span name for DELEGATION_CERT_INSTALL's telemetry (#2790)
 - [MINOR] Refactor getAccountByLocalAccountId (#2781)

common/build.gradle

@@ -151,6 +151,7 @@ android {
 }
 
 dependencies {
+    implementation "androidx.webkit:webkit:$rootProject.ext.webkitVersion"
     testImplementation project(path: ':testutils')
 
     localApi(project(":common4j")) {
@@ -409,7 +410,7 @@ tasks.withType(GenerateMavenPom).all {
     }
 }
 
-def dependenciesSizeInMb = project.hasProperty("dependenciesSizeMb") ? project.dependenciesSizeMb : "15"
+def dependenciesSizeInMb = project.hasProperty("dependenciesSizeMb") ? project.dependenciesSizeMb : "16"
 String configToCheck = project.hasProperty("dependenciesSizeCheckConfig") ? project.dependenciesSizeCheckConfig : "distReleaseRuntimeClasspath"
 tasks.register("dependenciesSizeCheck") {
     doLast() {

common/src/main/assets/js-bridge.js

@@ -0,0 +1,205 @@
+// filepath: c:\repos\android-complete\common\common\src\main\java\com\microsoft\identity\common\internal\providers\oauth2\js-bridge.js
+//
+// WebAuthn JavaScript Bridge for Android Credential Manager
+//
+// This JavaScript code is injected into WebViews to intercept WebAuthn API calls
+// (navigator.credentials.create/get) and bridge them to the Android Credential Manager.
+// It handles the communication protocol between the web page and the native Android code.
+//
+// ⚠️ IMPORTANT: MINIFICATION REQUIRED ⚠️
+// Any modifications to this file MUST be minified and the minified output MUST be
+// updated in PasskeyWebListener.kt in the constant WEB_AUTHN_INTERFACE_JS_MINIFIED.
+//
+// Steps to update:
+// 1. Make changes to this file (js-bridge.js)
+// 2. Minify the code using a JavaScript minifier (e.g., https://www.toptal.com/developers/javascript-minifier, https://minify-js.com/)
+// 3. Update the WEB_AUTHN_INTERFACE_JS_MINIFIED constant in PasskeyWebListener.kt
+// 4. Test thoroughly to ensure the minified version works correctly
+//
+// Failure to update the minified version will result in the changes NOT being
+// reflected in the actual WebView injection.
+//
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+var __webauthn_interface__;
+var __webauthn_hooks__;
+(function (__webauthn_hooks__) {
+
+    //Adding event listener to the interface for replies by default
+    __webauthn_interface__.addEventListener('message', onReply);
+    // pendingResolveGet/Create is the thunk to resolve an outstanding get request.
+    var pendingResolveGet = null;
+    var pendingResolveCreate = null;
+    // pendingRejectGet/Create is the thunk to fail an outstanding request.
+    var pendingRejectGet = null;
+    var pendingRejectCreate = null;
+    // create overrides 'navigator.credentials.create' which proxies webauthn requests
+    // to the create embedder
+    function create(request) {
+        if (!("publicKey" in request)) {
+            return __webauthn_hooks__.originalCreateFunction(request);
+        }
+        var ret = new Promise(function (resolve, reject) {
+            pendingResolveCreate = resolve;
+            pendingRejectCreate = reject;
+        });
+        var temppk = request.publicKey;
+        if (temppk.hasOwnProperty('challenge')) {
+            var str = CM_base64url_encode(temppk.challenge);
+            temppk.challenge = str;
+        }
+        if (temppk.hasOwnProperty('user') && temppk.user.hasOwnProperty('id')) {
+            var encodedString = CM_base64url_encode(temppk.user.id);
+            temppk.user.id = encodedString;
+        }
+        // Encode all excludeCredentials ids if provided
+        if (temppk.hasOwnProperty('excludeCredentials') && Array.isArray(temppk.excludeCredentials) && temppk.excludeCredentials.length > 0) {
+            for (var i = 0; i < temppk.excludeCredentials.length; i++) {
+                var cred = temppk.excludeCredentials[i];
+                if (cred && cred.hasOwnProperty('id')) {
+                    cred.id = CM_base64url_encode(cred.id);
+                }
+            }
+        }
+        var jsonObj = {"type":"create", "request":temppk};
+
+        var json = JSON.stringify(jsonObj);
+        __webauthn_interface__.postMessage(json);
+        return ret;
+    }
+    __webauthn_hooks__.create = create;
+    // get overrides `navigator.credentials.get` and proxies any WebAuthn
+    // requests to the get embedder.
+    function get(request) {
+        if (!("publicKey" in request)) {
+            return __webauthn_hooks__.originalGetFunction(request);
+        }
+        var ret = new Promise(function (resolve, reject) {
+            pendingResolveGet = resolve;
+            pendingRejectGet = reject;
+        });
+        var temppk = request.publicKey;
+        if (temppk.hasOwnProperty('challenge')) {
+            var str = CM_base64url_encode(temppk.challenge);
+            temppk.challenge = str;
+        }
+        var jsonObj = {"type":"get", "request":temppk}
+
+        var json = JSON.stringify(jsonObj);
+        __webauthn_interface__.postMessage(json);
+        return ret;
+    }
+    __webauthn_hooks__.get = get;
+
+    // The embedder gives replies back here, caught by the event listener.
+    function onReply(msg) {
+        console.log(msg.data);
+        var reply = JSON.parse(msg.data);
+        if(reply.type === "get") {
+            onReplyGet(reply);
+        } else if (reply.type === "create") {
+            onReplyCreate(reply);
+        } else {
+            console.log("Incorrect response format for reply: " + reply.type);
+        }
+    }
+
+    // Resolves what is expected for get, called when the embedder is ready
+    function onReplyGet(reply) {
+        if (pendingResolveGet === null || pendingRejectGet === null) {
+            console.log("Reply failure: Resolve: " + pendingResolveCreate +
+                    " and reject: " + pendingRejectCreate);
+            return;
+        }
+        if (reply.status != 'success') {
+            var reject = pendingRejectGet;
+            pendingResolveGet = null;
+            pendingRejectGet = null;
+            reject(new DOMException(reply.data.domExceptionMessage, reply.data.domExceptionName));
+            return;
+        }
+        var cred = credentialManagerDecode(reply.data);
+        var resolve = pendingResolveGet;
+        pendingResolveGet = null;
+        pendingRejectGet = null;
+        resolve(cred);
+    }
+    __webauthn_hooks__.onReplyGet = onReplyGet;
+    // This a specific decoder for expected types contained in PublicKeyCredential json
+    function CM_base64url_decode(value) {
+        var m = value.length % 4;
+        return Uint8Array.from(atob(value.replace(/-/g, '+')
+            .replace(/_/g, '/')
+            .padEnd(value.length + (m === 0 ? 0 : 4 - m), '=')), function (c)
+            { return c.charCodeAt(0); }).buffer;
+    }
+    __webauthn_hooks__.CM_base64url_decode = CM_base64url_decode;
+    function CM_base64url_encode(buffer) {
+        return btoa(Array.from(new Uint8Array(buffer), function (b)
+        { return String.fromCharCode(b); }).join(''))
+            .replace(/\+/g, '-')
+            .replace(/\//g, '_')
+            .replace(/=+$/, '');
+    }
+    __webauthn_hooks__.CM_base64url_encode = CM_base64url_encode;
+    // Resolves what is expected for create, called when the embedder is ready
+    function onReplyCreate(reply) {
+        if (pendingResolveCreate === null || pendingRejectCreate === null) {
+            console.log("Reply failure: Resolve: " + pendingResolveCreate +
+            " and reject: " + pendingRejectCreate);
+            return;
+        }
+
+        if (reply.status != 'success') {
+            var reject = pendingRejectCreate;
+            pendingResolveCreate = null;
+            pendingRejectCreate = null;
+            reject(new DOMException(reply.data.domExceptionMessage, reply.data.domExceptionName));
+            return;
+        }
+        var cred = credentialManagerDecode(reply.data);
+        var resolve = pendingResolveCreate;
+        pendingResolveCreate = null;
+        pendingRejectCreate = null;
+        resolve(cred);
+    }
+    __webauthn_hooks__.onReplyCreate = onReplyCreate;
+    /**
+     * This decodes the output from the credential manager flow to parse back into URL format. Both
+     * get and create flows ultimately return a PublicKeyCredential object.
+     * @param json_result
+     */
+    function credentialManagerDecode(decoded_reply) {
+        decoded_reply.rawId = CM_base64url_decode(decoded_reply.rawId);
+        decoded_reply.response.clientDataJSON = CM_base64url_decode(decoded_reply.response.clientDataJSON);
+        if (decoded_reply.response.hasOwnProperty('attestationObject')) {
+            decoded_reply.response.attestationObject = CM_base64url_decode(decoded_reply.response.attestationObject);
+        }
+        if (decoded_reply.response.hasOwnProperty('authenticatorData')) {
+            decoded_reply.response.authenticatorData = CM_base64url_decode(decoded_reply.response.authenticatorData);
+        }
+        if (decoded_reply.response.hasOwnProperty('signature')) {
+            decoded_reply.response.signature = CM_base64url_decode(decoded_reply.response.signature);
+        }
+        if (decoded_reply.response.hasOwnProperty('userHandle')) {
+            decoded_reply.response.userHandle = CM_base64url_decode(decoded_reply.response.userHandle);
+        }
+        decoded_reply.getClientExtensionResults = function getClientExtensionResults() { return {}; };
+        decoded_reply.response.getTransports = function getTransports() {
+            if (decoded_reply.response.hasOwnProperty('transports')) { return decoded_reply.response.transports; }
+            return [];
+        };
+        return decoded_reply;
+    }
+})(__webauthn_hooks__ || (__webauthn_hooks__ = {}));
+__webauthn_hooks__.originalGetFunction = navigator.credentials.get;
+__webauthn_hooks__.originalCreateFunction = navigator.credentials.create;
+navigator.credentials.get = __webauthn_hooks__.get;
+navigator.credentials.create = __webauthn_hooks__.create;
+// Some sites test that `typeof window.PublicKeyCredential` is
+// `function`.
+window.PublicKeyCredential = (function () { });
+window.PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable =
+    function () {
+        return Promise.resolve(true);
+    };

common/src/main/java/com/microsoft/identity/common/internal/fido/FidoChallengeField.kt

@@ -112,10 +112,13 @@ data class FidoChallengeField<K>(private val field: FidoRequestField,
         @Throws(ClientException::class)
         fun throwIfInvalidProtocolVersion(field: FidoRequestField, value: String?): String {
             val version = throwIfInvalidRequiredParameter(field, value)
-            if (version != FidoConstants.PASSKEY_PROTOCOL_VERSION) {
-                throw ClientException(ClientException.PASSKEY_PROTOCOL_REQUEST_PARSING_ERROR, "Provided protocol version is not currently supported.")
+            if (FidoConstants.supportedPasskeyProtocolVersions.contains(version)) {
+                return version
             }
-            return version
+            throw ClientException(
+                ClientException.PASSKEY_PROTOCOL_REQUEST_PARSING_ERROR,
+                "Passkey protocol version '$version' is not supported. Supported versions: ${FidoConstants.supportedPasskeyProtocolVersions.joinToString()}"
+            )
         }
 
         /**

common/src/main/java/com/microsoft/identity/common/internal/providers/oauth2/CredentialManagerHandler.kt

@@ -0,0 +1,86 @@
+// Copyright (c) Microsoft Corporation.
+// All rights reserved.
+//
+// This code is licensed under the MIT License.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files(the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions :
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+package com.microsoft.identity.common.internal.providers.oauth2
+
+import android.app.Activity
+import android.os.Build
+import androidx.credentials.CreatePublicKeyCredentialRequest
+import androidx.credentials.CreatePublicKeyCredentialResponse
+import androidx.credentials.CredentialManager
+import androidx.credentials.GetCredentialRequest
+import androidx.credentials.GetCredentialResponse
+import androidx.credentials.GetPublicKeyCredentialOption
+import com.microsoft.identity.common.logging.Logger
+
+/**
+ * Handler class to encapsulate Credential Manager APIs for passkey operations.
+ *
+ * @property activity The activity context used for credential operations.
+ */
+class CredentialManagerHandler(private val activity: Activity) {
+
+    companion object {
+        const val TAG = "CredentialManagerHandler"
+    }
+
+    private val mCredMan = CredentialManager.create(activity.applicationContext)
+
+    /**
+     * Encapsulates the create passkey API for credential manager in a less error-prone manner.
+     *
+     * @param request a create public key credential request JSON required by [CreatePublicKeyCredentialRequest].
+     * @return [CreatePublicKeyCredentialResponse] containing the result of the credential creation.
+     */
+    suspend fun createPasskey(request: String): CreatePublicKeyCredentialResponse {
+        val methodTag = "$TAG:createPasskey"
+        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
+            val createRequest = CreatePublicKeyCredentialRequest(request)
+            return (mCredMan.createCredential(
+                activity,
+                createRequest
+            ) as CreatePublicKeyCredentialResponse).also {
+                Logger.info(methodTag, "Passkey created successfully.")
+            }
+        } else {
+            Logger.warn(
+                methodTag,
+                "Passkey creation is not supported on Android versions below 9 (Pie). Current version: ${Build.VERSION.SDK_INT}"
+            )
+            throw UnsupportedOperationException("Passkey creation requires Android 9 or higher.")
+        }
+    }
+
+    /**
+     * Encapsulates the get passkey API for credential manager in a less error-prone manner.
+     *
+     * @param request a get public key credential request JSON required by [GetCredentialRequest].
+     * @return [GetCredentialResponse] containing the result of the credential retrieval.
+     */
+    suspend fun getPasskey(request: String): GetCredentialResponse {
+        val methodTag = "$TAG:getPasskey"
+        val getRequest = GetCredentialRequest(listOf(GetPublicKeyCredentialOption(request)))
+        return mCredMan.getCredential(activity, getRequest).also {
+            Logger.info(methodTag, "Passkey retrieved successfully.")
+        }
+    }
+}