Product Documentation

    When a native android app is built using android API's, Credential Manager API is leveraged that supports multiple sign-in methods, such as username and password, passkeys, and federated sign-in solutions (such as Sign-in with Google) in a single API, thus simplifying the integration for developers.

    To enable support for passkeys for a native android app, the app needs to be associated with the website that owns the app. This can be achieved by declaring the association using a Digital Asset Links (DAL) file and host it at the site controlled by the relying party. For example, if the sign-in domain is login.example.com  the DAL file should be hosted at https://login.example.com/.well-known/assetlinks.json

    The server hosting the "assetlinks.json" document must ensure it is served with a content type of application/json.

    The "assetlinks.json" file has the following content:

    [
  {
    "relation" : [
      "delegate_permission/common.handle_all_urls",
      "delegate_permission/common.get_login_creds"
    ],
    "target" : {
      "namespace" : "android_app",
      "package_name" : "com.example.android",
      "sha256_cert_fingerprints" : [
        SHA_HEX_VALUE
      ]
    }
  }
]

     

    The relation field is an array of one or more strings that describe the relationship being declared. To declare that apps and sites share sign-in credentials, specify the relationships as delegate_permission/handle_all_urls and delegate_permission/common.get_login_creds. This will be the default and only options added to the file generated by SKFS.

    The target field is an object that specifies the asset the declaration applies to. The following fields identify an android app: 

    • namespace : android_app
    • package_name :  The package name declared in the app's manifest. For example, com.example
    • sha256_cert_fingerprints : The SHA256 fingerprint of the app's signing certificate.

     

    With version 4.15.0, SKFS introduces support for DAL, enabling RP to verify FIDO registrations and authentications generated by native apps using the credential manager API. SKFS administrators can now configure properties for a specific domain using the admin API to enable DAL and create a whitelist of sha 256 certificate fingerprints. Follow the steps here to enable DAL for a SKFS domain.

    When the credential manager api is used the clientDataJson that is received by SKFS contains the following in the origin android:apk-key-hash:<sha256_hash-of-apk-signing-cert>

    SKFS does not have the ability to process this origin for the origin verification unless DAL is configured by an administrator. Once configured, SKFS will have assetlinks.json file stored locally on the file system which will be used to verfify the sha256fingerprint received in the origin field of clientDataJson against the configured whitelist. Only if successful the transaction will proceed and an error (FIDO-ERR-9016) will be returned otherwise.

    Once enabled, DAL will be applicable to both registration and authentication operations.