1862132 - Support Credential Manager JetPack API on Android 14+

Status: RESOLVED FIXED

(Core :: DOM: Web Authentication, enhancement, P2)

Description

[danfoulkes@gmail.com]

User Agent: Mozilla/5.0 (Linux; Android 14; SAMSUNG SM-S918B) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/23.0 Chrome/115.0.0.0 Mobile Safari/537.36

Steps to reproduce:

Given
Running Android 14
User is using preferred service for passwords as a third party app 1password
User has a passkey saved in 1password for github.com
When
User navigates to a github.com
Selects login via passkey

Actual results:

Firefox looks for the passkey in the default Android credentials

Expected results:

Firefox to use the new Google Credentails Manager.
This would of thus triggered 1password app to authenticate
https://developer.android.com/training/sign-in/passkeys

Comment 1

[BugBot [:suhaib / :marco/ :calixte]]

The severity field is not set for this bug.
:aputanu, could you have a look please?

For more information, please visit BugBot documentation.

Comment 2

[Makoto Kato [:m_kato]]

If you are Nightly/beta user, you can use password via Credential Provider when setting security.webauthn.webauthn_enable_android_fido2.residentkey=true via about:config

Comment 3

[Ash]

(In reply to Makoto Kato [:m_kato] from comment #2)

If you are Nightly/beta user, you can use password via Credential Provider when setting security.webauthn.webauthn_enable_android_fido2.residentkey=true via about:config

I just tested this and it did not work. My passkey for GitHub in 1Password worked fine in Chrome (once I enabled a flag) but it did not in Firefox Beta after enabling the above flag.

Comment 4

[Makoto Kato [:m_kato]]

Thank you for testing. Google's FIDO library that we use doesn't seem to support 3rd party credential manager. New androidx.credentials:credentials will support it.

Comment 5

[Jake Vis]

Hi all, does anyone have a link to the work item around swapping to the new androidx.credentials:credentials api?

Comment 6

[Makoto Kato [:m_kato]]

Attachment: Bug 1862132 - Part 1. Move data class to WebAuthnUtils.

I would like to move data class from WebAuthnTokenManager to new class
since WebAuthnTokenManager may becomes complex when we add Credential
Manager support.

Comment 7

[Makoto Kato [:m_kato]]

Attachment: Bug 1862132 - Part 2 - Make makeCredential and getAssertion more simple.

A small clean up for makeCredential and getAssertion with FIDO API.

Comment 8

[Makoto Kato [:m_kato]]

Attachment: Bug 1862132 - Part 3. Modifify GeckoBundle structure to fit with Credential Manager API.

Credential Manager API requires that request parameter is JSON. So I
would like to modify GeckoBundle structure for upcoming new API
support.

Comment 9

[Makoto Kato [:m_kato]]

Attachment: Bug 1862132 - Part 4. Move WebAuthn's Exception class to WebAuthnUtils.

Comment 10

[Makoto Kato [:m_kato]]

Attachment: Bug 1862132 - Part 5. Support Credential Manager on Android 14+.

Android 14+ has credential manager service to store credentials such as
Passkeys. 3rd party password managers such as 1Password support this
service and passkeys, so GeckoView should support it for 3rd party
service.

Actually, we use GMS's FIDO2 library to handle WebAuthn APIs. If
resident key is required on creating credential, we try to use Credential
Manager for Passkeys. If not, we use FIDO2 library.

When getting credential, we try to use credential manager without UI
action, then if requested credential is stored in credential manager, we
use it. If not, we use FIDO2 library.

Comment 11

[Makoto Kato [:m_kato]]

Attachment: Bug 1862132 - Part 6. Add Credential Manager permission on GVE.

Comment 12

[Pulsebot]

Pushed by m_kato@ga2.so-net.ne.jp:
https://hg.mozilla.org/integration/autoland/rev/db1c24ed2492
Part 1. Move data class to WebAuthnUtils. r=jschanck,geckoview-reviewers,owlish
https://hg.mozilla.org/integration/autoland/rev/279041997a78
Part 2 - Make makeCredential and getAssertion more simple. r=jschanck,geckoview-reviewers,owlish
https://hg.mozilla.org/integration/autoland/rev/62d282f0a362
Part 3. Modifify GeckoBundle structure to fit with Credential Manager API. r=jschanck,geckoview-reviewers,owlish
https://hg.mozilla.org/integration/autoland/rev/33b527652344
Part 4. Move WebAuthn's Exception class to WebAuthnUtils. r=jschanck,geckoview-reviewers,owlish
https://hg.mozilla.org/integration/autoland/rev/7095d3bca694
Part 5. Support Credential Manager on Android 14+. r=jschanck,geckoview-reviewers,owlish
https://hg.mozilla.org/integration/autoland/rev/1a3eb3733a05
Part 6. Add Credential Manager permission on GVE. r=geckoview-reviewers,owlish

Comment 13

[Cristian Tuns]

https://hg.mozilla.org/mozilla-central/rev/db1c24ed2492
https://hg.mozilla.org/mozilla-central/rev/279041997a78
https://hg.mozilla.org/mozilla-central/rev/62d282f0a362
https://hg.mozilla.org/mozilla-central/rev/33b527652344
https://hg.mozilla.org/mozilla-central/rev/7095d3bca694
https://hg.mozilla.org/mozilla-central/rev/1a3eb3733a05

Comment 14

[Tom Schuster (MoCo)]

I think this would be a good candidate for a release note.

Comment 15

[Makoto Kato [:m_kato]]

(In reply to Tom Schuster (MoCo) from comment #14)

I think this would be a good candidate for a release note.

This feature requires both bug 1897048 and bug 1831137. So if both bugs are fixed, I will request relnote.

Comment 16

[John Schanck [:jschanck]]

Release Note Request (optional, but appreciated)
[Why is this notable]: Previously, Android users were only able to create Passkeys in Google Password Manager.
[Affects Firefox for Android]: yes
[Suggested wording]: Users on Android 14 or later can create and use Passkeys in third-party Passkey management applications.
[Links (documentation, blog post, etc)]:
https://developers.google.com/identity/android-credential-manager

Comment 17

[:gerard-majax]

Would this change landing explain why suddenly FIrefox Nightly on Android asked me to create a PIN code on my YubiKey? https://www.yubico.com/fr/product/security-key-c-nfc-by-yubico-black/

Comment 18

[John Schanck [:jschanck]]

Yes, the relying party indicates a "user verification preference" as part of every webauthn transaction---either "discouraged", "preferred", or "required". The API we were using previously did not support user verification, so transactions would fail completely in the "required" case and would fail to meet the relying party's preference in the "preferred" case. The new API prompts for user verification (in your case a PIN) in the "preferred" and "required" cases.

Do you get prompted to create/use a PIN in other browsers as well?

Comment 19

[:gerard-majax]

I dont use other brothers so i cannot tell for sure, but at least it confirms we changed something. So it means our Duo 2FA does request the user verification, as well as the WebAuthn website from my testing. Though, when I had to re-connect on Bitwarden on my Pinebook Pro it failed the 2FA step and never asked for a PIN. This is the same system where I verified WebAuthn that correctly prompted a PIN.

Is it the website that asks for the user verification or our use of the API ?

Comment 20

[Ryan VanderMeulen [:RyanVM]]

Added to the Fx128 relnotes.

Comment 22

[Josh Triplett]

Is there already an issue filed somewhere for supporting Firefox as a Google Credential Manager backend, so that Firefox and other things wanting Passkeys can store those passkeys in Firefox and sync them via Firefox Sync?

EDIT: Sorry, posted this to the wrong issue.