With the Authhub SDK, the FIDO registration flow does not show the pop-up to complete registration and returns FIDO2_ERROR_EXTRA instead.

Article ID: 257076

Updated On:

Products

VIP Authentication Hub

Issue/Introduction

With Cordova on Android 11, the customer did not get the FIDO registration pop-up as expected, even though the FIDO registration API was called and the request data (device name, etc.) was submitted.

The request appears never to have returned.

Debugging on Android 11 showed errors like the following:

W/Bundle: Key FIDO2_ERROR_EXTRA expected String but value was a [B.  The default value <null> was returned.

W/Bundle: Attempt to cast generated internal exception:

    java.lang.ClassCastException: byte[] cannot be cast to java.lang.String

        at android.os.BaseBundle.getString(BaseBundle.java:1377)

        at com.metlife.Fido.onActivityResult(Fido.java:158)

        at org.apache.cordova.CordovaInterfaceImpl.onActivityResult(CordovaInterfaceImpl.java:160)

        at org.apache.cordova.CordovaActivity.onActivityResult(CordovaActivity.java:375)

        at android.app.Activity.dispatchActivityResult(Activity.java:8938)

        at android.app.ActivityThread.deliverResults(ActivityThread.java:6000)

        at android.app.ActivityThread.handleSendResult(ActivityThread.java:6046)

        at android.app.servertransaction.ActivityResultItem.execute(ActivityResultItem.java:67)

        at android.app.servertransaction.ActivityTransactionItem.execute(ActivityTransactionItem.java:45)

        at android.app.servertransaction.TransactionExecutor.executeCallbacks(TransactionExecutor.java:135)

        at android.app.servertransaction.TransactionExecutor.execute(TransactionExecutor.java:95)

        at android.app.ActivityThread$H.handleMessage(ActivityThread.java:2571)

        at android.os.Handler.dispatchMessage(Handler.java:106)

        at android.os.Looper.loopOnce(Looper.java:226)

        at android.os.Looper.loop(Looper.java:313)

        at android.app.ActivityThread.main(ActivityThread.java:8741)

        at java.lang.reflect.Method.invoke(Native Method)

        at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:571)

        at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:1067)

Broadcom and the customer verified together that the Authhub server URL /.well-known/assetlinks.json was responding correctly.

Environment

Release : Authhub server 1.0.2937, drop8, released 2022.Jun.01

Authhub Android SDK v2.1 

Cause

Further debugging of the custom code was required to find out more about FIDO2_ERROR_EXTRA.

With help from Broadcom engineering, the underlying error behind FIDO2_ERROR_EXTRA was found to be:

security_err 18, "the incoming request can not be validated."

According to Broadcom engineering, this error often occurs when the FIDO request was not properly signed with the correct certificate.

If the customer built the Android 11 project locally and no keystore file was associated with the build, the FIDO request may not have been signed at all, and so it failed at the validation stage on the Authhub server.
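
One way to surface the underlying error from the plugin's onActivityResult(), shown as an added example that is not Broadcom's or the customer's code. It assumes the result Intent comes from the Google Play services FIDO2 API, whose Fido.FIDO2_KEY_ERROR_EXTRA constant carries the key name FIDO2_ERROR_EXTRA; the class name Fido2ResultDecoder is hypothetical.

```java
import android.content.Intent;
import com.google.android.gms.fido.Fido;
import com.google.android.gms.fido.fido2.api.common.AuthenticatorErrorResponse;
import com.google.android.gms.fido.fido2.api.common.ErrorCode;

/** Hypothetical helper (not part of the Authhub SDK); call from onActivityResult(). */
public final class Fido2ResultDecoder {
    private Fido2ResultDecoder() {}

    /**
     * Describes the FIDO2 error carried by the result Intent, or returns null
     * when the Intent has no FIDO2_ERROR_EXTRA.
     */
    public static String describeError(Intent data) {
        if (data == null || !data.hasExtra(Fido.FIDO2_KEY_ERROR_EXTRA)) {
            return null;
        }
        // The extra is a serialized AuthenticatorErrorResponse (byte[]), which is
        // why Bundle.getString() logged "expected String but value was a [B"
        // and returned null.
        byte[] raw = data.getByteArrayExtra(Fido.FIDO2_KEY_ERROR_EXTRA);
        if (raw == null) {
            return "FIDO2_ERROR_EXTRA present but not a byte[]";
        }
        try {
            AuthenticatorErrorResponse err =
                    AuthenticatorErrorResponse.deserializeFromBytes(raw);
            ErrorCode code = err.getErrorCode();
            String message = err.getErrorMessage(); // may be null
            // In the case described in this article the code is SECURITY_ERR (18).
            return code.name() + " (" + code.getCode() + "): "
                    + (message != null ? message : "<no message>");
        } catch (RuntimeException e) {
            // Malformed or unexpected payload: report it instead of failing silently.
            return "Could not decode FIDO2_ERROR_EXTRA: " + e;
        }
    }
}
```

Returning this string through the plugin's error callback gives the JavaScript side a visible failure in place of a request that never returns.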

Resolution

FIDO registration using Authhub Android SDK v2.1 is a REST API request that must be signed with the correct matching certificate so that it can be validated by the Authhub server.

When building the Android project, the customer must locate and include the proper keystore file so that the FIDO registration request is signed correctly when submitted.

The customer confirmed the resolution.