Closed Bug 1907531 Opened 1 year ago Closed 11 months ago

Can't create a passkey in a password manager on Android if resident key is not required

Categories

(Core :: DOM: Web Authentication, defect, P3)

Product:
Core
Component:
DOM: Web Authentication
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
139 Branch
Tracking Flags:
Tracking Status
firefox139 --- fixed

People

(Reporter: mozilla.qns16, Assigned: michel)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

Bug 1907531 - Also use Credential Manager on Android when RK is preferred. r=jschanck,m_kato
48 bytes, text/x-phabricator-request
Details | Review

I have tried to test the support for Passkeys on the latest Firefox Build. More specifically I'm interested in the support for Third Party Password Managers.

Scenario:

  1. Make sure a third party password manager is set up as an autofill provider and passkey provider in the system (Phone Settings).
  2. Open the Firefox browser.
  3. Navigate to https://webauthn.io
  4. Try to register a passkey.

Expectations:

  • The CredentialManager calls the default Credential provider (third party password manager) and allows to generate a passkey.

What happened:

  • The Google Password Manager appears.

However, if I try to authenticate with a passkey, then the proper credential provider is invoked.

I have been able to replicate this behaviour with many password managers (Proton Pass, 1Password...)
Tested in Firefox Stable 128 and Firefox Beta 128.0b9, both in an Android 14 emulator, a Pixel 7a with Android 14, and on a Samsung Galaxy A14 with Android 14.

Blocks: 1862132
Flags: needinfo?(m_kato)

Current implementation is that we use Credential manager when "Discoverable Credential" is required. Default of webauthn.io is preferred.

Flags: needinfo?(m_kato)

The severity field is not set for this bug.
:jschanck, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(jschanck)

(In reply to Makoto Kato [:m_kato] from comment #3)

Current implementation is that we use Credential manager when "Discoverable Credential" is required. Default of webauthn.io is preferred.

When it's set to preferred, I get the "old" dialog which only supports Google Password Manager and not third-party applications. I assume this is a bug, and that preferred should use the Credential Manager the same way as if it is set to required?

I try to test about this.

  1. Maybe this checker need to change from !authenticatorSelection.getString("residentKey", "").equals("required") to authenticatorSelection.getString("residentKey", "").equals("discouraged")
    https://hg.mozilla.org/integration/autoland/file/7095d3bca694f62a308c408848f706b7a1e9a8d2/mobile/android/geckoview/src/main/java/org/mozilla/gecko/WebAuthnCredentialManager.java#l139

  2. In Chromium, it will have two default provider.
    https://chromium.googlesource.com/chromium/src/+/refs/heads/main/components/webauthn/android/java/src/org/chromium/components/webauthn/cred_man/GpmCredManRequestDecorator.java#58

Assignee: nobody → jschanck
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Flags: needinfo?(jschanck)

@m_kato why are you only using Credential Manager when residentKey is set to required instead of always attempting to use it and falling back to GMS if it is not available?

Flags: needinfo?(m_kato)

When implementing CM support, most 3rd party providers aren't available yet. So I didn't know whether these providers supported "preferred".
(First version of some credential managers crashes with some unknown parameters. So I thought it was better to disable without required.) But I guess that we can allow CM even if "preferred" now.

Flags: needinfo?(m_kato)

Do you remember which versions were affected by this issue?

Flags: needinfo?(m_kato)

Although I don't know why you ask version (Android? Firefox?), I doesn't have strong reason not to allow "preferred" for credential manager provider support.

Flags: needinfo?(m_kato)

(And when we had implemented credential manager support in GeckoView, Chrome's support was completed yet. But Chrome supports it now. So I think that 3rd party provider has better credential manager support.)

Assignee: jschanck → michel
No longer blocks: 1862132
Depends on: 1951658, 1900848, 1870436
Depends on: 1862132
Depends on: 1954760
No longer depends on: 1870436, 1900848, 1954760, 1862132, 1951658
Summary: Passkey registration not working on Android → Can't create a passkey in a password manager on Android if resident key is not required
Blocks: 1954787
Severity: -- → S3
Priority: -- → P3
Pushed by jschanck@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/19d5b3f77f42 Also use Credential Manager on Android when RK is preferred. r=jschanck,m_kato,geckoview-reviewers

https://hg.mozilla.org/mozilla-central/rev/19d5b3f77f42

Status: ASSIGNED → RESOLVED
Closed: 11 months ago
status-firefox139: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 139 Branch
QA Whiteboard: [qa-triage-done-c140/b139]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: