Closed Bug 1549418 Opened 6 years ago Closed 5 years ago

Implement Web Authentication FIDO2 support in GeckoView

Categories

(GeckoView :: General, enhancement, P1)

All
Android
enhancement

Tracking

(geckoview66 wontfix, firefox-esr60 wontfix, firefox66 wontfix, firefox67 wontfix, firefox67.0.1 wontfix, firefox68 wontfix, firefox69 wontfix, firefox70 wontfix, firefox83 fixed)

RESOLVED FIXED
83 Branch

People

(Reporter: jcj, Assigned: snorp)

References

(Blocks 1 open bug)

Details

(Whiteboard: [geckoview:m82])

Attachments

(2 files)

Implement Web Authentication via com.google.android.gms:play-services-fido. This is going to involve moving the code from https://phabricator.services.mozilla.com/D1148 (bug 1391438) to more permanent locations and adjusting it to match the GV architecture.

I think the basic strategy here would be to add a method to GeckoSession.ContentDelegate or perhaps a new delegate. Something like:


class WebAuthnCredential {
    byte[] clientDataJson;      // serialized CollectedClientData (challenge, origin, type) covered by the authenticator's signature
    byte[] keyHandle;           // credential ID returned by the authenticator for the new key
    byte[] attestationObject;   // CBOR attestation object (authData, fmt, attStmt) the RP verifies
}

GeckoResult<WebAuthnCredential> onWebAuthnMakeCredential(String rpId, String rpName, String rpIcon,
                                                         ByteBuffer userId, String userName,
                                                         String userIcon, String userDisplayName,
                                                         final ByteBuffer challenge, long timeoutMs,
                                                         String origin, final Object[] idList,
                                                         final ByteBuffer transportList);

We would then let Android Components and/or Fenix handle all the nitty gritty of interacting with Play Services.

Adding [geckoview:fenix:p2] whiteboard tag because we'd like WebAuthn support in Fenix soon, but it's not a release blocker for Fenix MVP.

Depends on: 1391438
OS: All → Android
Priority: -- → P1
Whiteboard: [geckoview:fenix:p2]
Whiteboard: [geckoview:fenix:p2] → [geckoview:fenix:m7]

(In reply to Pulsebot from bug 1391438 comment #9)

https://hg.mozilla.org/integration/autoland/rev/d8e0bfeb5fa3
Support FIDO2 for WebAuthn on Android r=snorp,keeler

J.C., does the FIDO2 patch for bug 1391438 also fix this bug?

Flags: needinfo?(jjones)

As far as I understand it, no. It's most of the way, though, but the landed modules from bug 1391438 need to move to different locations for g-v / a-c.

Flags: needinfo?(jjones)

Bug 1555425 enabled WebAuthn for Fennec 68, but specifically excluded GeckoView. Once Google whitelists Fenix for WebAuthn, we should enable WebAuthn for GeckoView.

Type: defect → enhancement

Whitelisting is expected "June/July". Will update when I hear it's done.

That said, I think the code refactoring could happen anytime in mozilla-central.

Deferring this bug from Fenix's M7 (July) milestone to the M8 backlog for later in Q3.

Whiteboard: [geckoview:fenix:m7] → [geckoview:fenix:m8]

I'm editing a bunch of GeckoView bugs. If you'd like to filter all this bugmail, search and destroy emails containing this UUID:

e88a5094-0fc0-4b7c-b7c5-aef00a11dbc9

Priority: P1 → P2

Bumping from milestone M8 to M9 because the Fenix issue is in Fenix's Q4 backlog:

https://github.com/mozilla-mobile/fenix/issues/1340

Whiteboard: [geckoview:fenix:m8] → [geckoview:fenix:m9]
Rank: 24
Whiteboard: [geckoview:fenix:m9]

(In reply to J.C. Jones [:jcj] (he/him) from comment #6)

Whitelisting is expected "June/July". Will update when I hear it's done.

I didn't think to ping until now, but the Android team has confirmed this is done and ready-to-go.

(In reply to James Willcox (:snorp) (jwillcox@mozilla.com) (he/him) from comment #1)

I think the basic strategy here would be to add a method to GeckoSession.ContentDelegate or perhaps a new delegate. Something like:


class WebAuthnCredential {
    byte[] clientDataJson;
    byte[] keyHandle;
    byte[] attestationObject;
}

GeckoResult<WebAuthnCredential> onWebAuthnMakeCredential(String rpId, String rpName, String rpIcon,
                                                         ByteBuffer userId, String userName,
                                                         String userIcon, String userDisplayName,
                                                         final ByteBuffer challenge, long timeoutMs,
                                                         String origin, final Object[] idList,
                                                         final ByteBuffer transportList);

The billion arguments should obviously be captured inside some kind of WebAuthnRequest class :)

Assignee: nobody → jonalmeida942

Shouldn't this rank higher in type and severity? AFAICT, right now, if a user has adopted WebAuthn in Fennec, they get locked out of their accounts when they get the Fenix upgrade, which is already rolling out.

Flags: needinfo?(jjones)

In particular this prevents anyone using Google's Advanced Protection setting to use FF on mobile.

Yeah, I think we need to get on this. I'm clearing priority so we'll retriage.

Priority: P2 → --

Thanks, :snorp.

Flags: needinfo?(jjones)
Priority: -- → P2
Whiteboard: [geckoview:m82]

Will handle most of this in GV.

Assignee: jonalmeida942 → snorp

I'm working on this now, hopefully will have something up this week. It will be trivial for Android Components to consume this, as they'll just need to launch the FIDO intent and collect the result.

Priority: P2 → P1

This allows GeckoView to ask the embedding application to launch
other Activities on our behalf and collect the result. We need
this to invoke the FIDO authentication tools for WebAuthn.

This mostly just refactors the stuff we had for Fennec.

We add a dependency on Google Play Services here, but care
is taken to ensure that things will fail gracefully if
Play Services are not present at runtime.
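As an added illustration of the embedder side of the design described above (GeckoView hands the embedder a FIDO PendingIntent, the embedder launches it and relays the Activity result), here is an example ActivityDelegate. This is not GeckoView, Android Components or Fenix code. It assumes the delegate interface is GeckoRuntime.ActivityDelegate with a single method GeckoResult<Intent> onStartActivityForResult(PendingIntent), that the PendingIntent originates from the Play Services Fido2ApiClient, and that Gecko itself parses the FIDO2 response extras from the returned Intent; the class name FidoActivityDelegate and the request-code scheme are the example's own.

```java
// Added example: an embedder-side GeckoRuntime.ActivityDelegate for the WebAuthn flow.
// Assumed interface shape: GeckoResult<Intent> onStartActivityForResult(PendingIntent).
import android.app.Activity;
import android.app.PendingIntent;
import android.content.Intent;
import android.content.IntentSender;
import android.util.SparseArray;

import org.mozilla.geckoview.GeckoResult;
import org.mozilla.geckoview.GeckoRuntime;

public final class FidoActivityDelegate implements GeckoRuntime.ActivityDelegate {
    // Arbitrary app-private base so FIDO request codes do not collide with the
    // embedder's other startActivityForResult users (hypothetical value).
    private static final int REQUEST_BASE = 0x4F1D0;

    private final Activity activity;
    // Outstanding requests, keyed by request code, resolved from onActivityResult.
    private final SparseArray<GeckoResult<Intent>> pending = new SparseArray<>();
    private int nextRequestCode = REQUEST_BASE;

    public FidoActivityDelegate(final Activity activity) {
        this.activity = activity;
    }

    @Override
    public GeckoResult<Intent> onStartActivityForResult(final PendingIntent intent) {
        final GeckoResult<Intent> result = new GeckoResult<>();
        final int requestCode = nextRequestCode++;
        try {
            // The PendingIntent is built by Gecko from the Play Services FIDO2 client.
            // The embedder only launches it and relays the result; Play Services, not
            // this app, decides whether the calling package may act for the RP origin
            // (that is the allowlisting this bug waited on).
            activity.startIntentSenderForResult(
                    intent.getIntentSender(), requestCode, null, 0, 0, 0);
            pending.put(requestCode, result);
        } catch (final IntentSender.SendIntentException e) {
            // Play Services absent, or the PendingIntent was cancelled: fail the
            // promise so the page's navigator.credentials call rejects instead of hanging.
            result.completeExceptionally(e);
        }
        return result;
    }

    /**
     * Call from the Activity's onActivityResult. Returns true if the result
     * belonged to a pending FIDO request and was consumed.
     */
    public boolean onActivityResult(final int requestCode, final int resultCode,
                                    final Intent data) {
        final GeckoResult<Intent> result = pending.get(requestCode);
        if (result == null) {
            return false; // not one of ours
        }
        pending.remove(requestCode);
        if (resultCode == Activity.RESULT_OK && data != null) {
            // Gecko reads the FIDO2 response (or error) extras from this Intent.
            result.complete(data);
        } else {
            // User cancelled, the request timed out, or no authenticator answered.
            result.completeExceptionally(new IllegalStateException(
                    "FIDO activity returned resultCode " + resultCode));
        }
        return true;
    }
}
```

The two failure branches are the part worth keeping in any real embedder: if the delegate never completes the GeckoResult, the WebAuthn promise on the page never settles, which is the "fails gracefully without Play Services" requirement the patch description above calls out.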

For uplift consideration: When Firefox has taken over the kinds of in-app browser views that Firefox can take over from Chrome, if the user tries to sign into Hey with a security key, the flow fails.

Pushed by jwillcox@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/bb3cee345d37 Add GeckoRuntime.ActivityDelegate r=geckoview-reviewers,agi,esawin https://hg.mozilla.org/integration/autoland/rev/b2c7cf464308 Hook up WebAuthn support for GeckoView r=geckoview-reviewers,jcj,agi
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → 83 Branch
Pushed by jwillcox@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/d3d44f363444 Add GeckoRuntime.ActivityDelegate r=geckoview-reviewers,agi,esawin https://hg.mozilla.org/integration/autoland/rev/93743d0782aa Hook up WebAuthn support for GeckoView r=geckoview-reviewers,jcj,agi
Flags: needinfo?(snorp)
Status: REOPENED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → 83 Branch
