0

I have a question regarding FIDO2.

A little background: my company has decided to go with FIDO2 for user account management, so we've created a FIDO Server wrapper which mainly uses the Yubico WebAuthn library. On the Android side, we are using the Fido2ApiClient Google Play services native library for FIDO support:

implementation 'com.google.android.gms:play-services-fido:18.1.0'

According to the FIDO documentation (https://developers.google.com/identity/fido/android/native-apps#interoperability_with_your_website), it is simple to allow users to seamlessly share credentials across your website and Android application. However, we are not using any website, only a FIDO Server behind an API endpoint (AWS ALB).

Without hosting an assetlinks.json file, the Android FIDO authenticator always returns the following error message:

code: SECURITY_ERR
message: The incoming request cannot be validated

Is assetlinks.json file hosting mandatory for FIDO? Has anyone had a success without hosting this file?

albeee
  • You already got your answer by following *official* documentation, you already made it work. You don't need affirmation from a random guy on Stack Overflow. You could restructure the question around *how* to serve `.well-known/assetlinks.json` in your current setup. – Eugen Pechanec May 28 '20 at 14:31
  • Thanks @Eugen. Please read the updated question. – albeee May 28 '20 at 14:53

2 Answers

3

TL;DR: No, assetlinks is a separate specification, not part of FIDO2.

Asset Links is a separate specification.
FIDO2 does not require the authentication server to expose a /.well-known/assetlinks.json endpoint.
It is, however, enforced by the Android FIDO2 API, since it is a way to verify that you own both the app and the server that you want to access through it.

Elaborating further on what Asset Links does and why it is useful in the Android use-case:
By making you include the fingerprint of the certificate used to sign the mobile app in a file on the server (the assetlinks.json file), Asset Links creates tangible proof that you own both the server and the signing key for the client app.
If it were not like this, I may create my malicious version of your app and use your server as authentication server. Then, I may trick users into using my app to register/sign in and, whilst I would not be able to see their private key stored on the safe hardware, I could easily harvest session IDs/tokens and make authenticated requests on their behalf.
To prevent this (and possibly other scenarios I do not know of), the FIDO2 API exposed by Android checks that the client has been authorized by the server before granting access to the associated credentials. The way it performs this check is by using Asset Links but, again, that is a specification on its own.

Asset Links is managed by Google, as visible from the .well-known registry. The specification itself is accessible on GitHub here and here.

bugbear
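As an added example (not code from either answer, from Google or from the Yubico library), here is the statement this answer describes and a Python re-creation of the check it enables: the file, served at https://<rp-id>/.well-known/assetlinks.json on the FIDO server's host, lists the package name and signing-certificate fingerprint that host vouches for, so a repackaged app signed with a different key is never matched. The relation strings are the ones Google's FIDO2 interoperability docs use; the package name and fingerprints used to exercise it are constructed placeholders.

```python
import hashlib
import json
import re

# Relations Google's FIDO2 interoperability docs put in the statement: the App Links
# relation plus the one that lets the app share the host's sign-in credentials.
FIDO_RELATIONS = ["delegate_permission/common.handle_all_urls",
                  "delegate_permission/common.get_login_creds"]


def normalize_fingerprint(fp):
    """Canonical SHA-256 fingerprint: 32 upper-case hex pairs joined by colons."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", fp).upper()
    if len(hexdigits) != 64:
        raise ValueError("SHA-256 fingerprint must be exactly 32 bytes")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 64, 2))


def cert_fingerprint(der_cert):
    """Fingerprint of a DER-encoded signing certificate (what keytool -list -v prints)."""
    return normalize_fingerprint(hashlib.sha256(der_cert).hexdigest())


def build_assetlinks(package_name, fingerprints):
    """JSON body to serve at https://<rp-id>/.well-known/assetlinks.json on the FIDO host."""
    statement = {
        "relation": FIDO_RELATIONS,
        "target": {
            "namespace": "android_app",
            "package_name": package_name,
            "sha256_cert_fingerprints": [normalize_fingerprint(f) for f in fingerprints],
        },
    }
    return json.dumps([statement], indent=2)


def app_is_authorized(assetlinks_json, package_name, fingerprint):
    """The check the answer describes: is this package + signing cert vouched for by the host?
    A repackaged clone is signed with a different key, so its fingerprint is never listed."""
    want = normalize_fingerprint(fingerprint)
    for stmt in json.loads(assetlinks_json):
        target = stmt.get("target", {})
        if target.get("namespace") != "android_app" or target.get("package_name") != package_name:
            continue
        if not set(FIDO_RELATIONS) <= set(stmt.get("relation", [])):
            continue
        listed = {normalize_fingerprint(f) for f in target.get("sha256_cert_fingerprints", [])}
        if want in listed:
            return True
    return False
```

The real fingerprint comes from the release signing key (`keytool -list -v -keystore <keystore>`), and the file must be reachable over HTTPS on the exact host used as the RP ID, which in the question's setup is the ALB endpoint.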
1

Yes, the Fido2ApiClient from the Google Play services native library requires the assetlinks.json file.

Luke Walker