Canceling registration modal throws ConstraintError [271863184]

Fixed

Bug

Status Update

No update yet.

Description

va...@shopify.com

created issue #1

Mar 7, 2023 12:04AM

Component used: Credentials

Version used: 1.0.0-alpha03

Devices/Android versions reproduced on: Huawei P30 Pro (VOG-L29)

I have multiple Google accounts on my phone. After triggering the passkey registration modal, I pressed the "Cancel" button and I got a CreatePublicKeyCredentialDomException with ConstraintError instead of the expected CreateCredentialCancellationException

Here are some logs (PasskeyUtils is from my application):

03-06 18:59:09.005 19307 19307 I Fido    : [AuthenticateChimeraActivity] FIDO2 operation is called from com.shopify.arrive.debug [CONTEXT service_id=287 ]
03-06 18:59:09.007 19307 19307 I Fido    : [AuthenticateViewModel] Determining the attachment [CONTEXT service_id=287 ]
03-06 18:59:09.017 19307 19307 I Fido    : [AuthenticateChimeraActivity] onAttachmentUpdate [CONTEXT service_id=287 ]
03-06 18:59:09.018 19307 19385 I Fido    : [AuthenticateViewModel] StrongBox not needed. [CONTEXT service_id=287 ]
03-06 18:59:09.020 19307 19307 I Fido    : [AuthenticateChimeraActivity] Using default UserVerifier. [CONTEXT service_id=287 ]
03-06 18:59:09.023 19307 19307 I Fido    : [StringStoreKeyHandleCache] initU2fDeviceCache
03-06 18:59:09.023 19307 19307 I Fido    : [FidoApiImpl] updateTransaction is called for resume
03-06 18:59:09.099  1508  5553 I ActivityManager: Process com.huawei.skytone (pid 25789) has died: svcb SVC
03-06 18:59:09.099  1508  5553 W ActivityManager: Scheduling restart of crashed service com.huawei.skytone/com.huawei.android.vsim.service.VSimService in 1000ms
03-06 18:59:09.248 19307 19384 I Fido    : [RegistrationRequestHandler] Registering key via credential store.
03-06 18:59:09.304 19307 19307 I Fido    : [PasskeysCreationFragment] PasskeysCreationFragment is shown [CONTEXT service_id=287 ]
03-06 18:59:10.897 19307 19384 I Fido    : [RequestController] Timeout Runnable is removed, and timer is stopped.
03-06 18:59:10.901 19307 19384 I Fido    : [RequestController] Timeout Runnable is removed, and timer is stopped.
03-06 18:59:10.915 19307 19307 I Fido    : [FidoApiImpl] updateTransaction is called for pause
03-06 18:59:10.915 19307 19307 E Fido    : [FidoApiImpl] pauseSecurityKeyRequestController should not be called when SecurityKeyRequestController is null.
03-06 18:59:10.957 31580 31580 D PasskeyUtils: error:androidx.credentials.exceptions.publickeycredential.CreatePublicKeyCredentialDomException: Unable to get sync account.
03-06 18:59:10.957 31580 31580 D PasskeyUtils: domError:androidx.credentials.exceptions.domerrors.ConstraintError@8d8d7a9
03-06 18:59:10.979 19307 19307 I Fido    : [FidoApiImpl] updateTransaction is called for stop
03-06 18:59:10.979 19307 19307 E Fido    : [FidoApiImpl] finishSecurityKeyRequestController should not be called when SecurityKeyRequestController is null.

Comments

he...@google.com <he...@google.com> #2Mar 7, 2023 12:43AM

Reassigned to he...@google.com.

A lot of thanks Varoot for the detailed bug report!

I am able to reproduce this issue and confirm it is a bug. When the user taps out or dismisses the dialog in any other way, you should expect to receive the CreateCredentialCancellationException instead.

Working on a fix now and will report back on when it will be relased.

ap...@google.com <ap...@google.com> #3Mar 7, 2023 05:07AM

Project: platform/frameworks/support
Branch: androidx-main

commit 30bc433be253e025de208514abf083c9c18e6fba
Author: Helen Qin <helenqin@google.com>
Date: Tue Mar 07 02:46:46 2023

Properly report the user cancellation error.

For passkey registration flow, user cancellation was improperly reported
as a ConstraintError. Now it should report
CreateCredentialCancellationException.

Bug: 271863184
Test: unit tested and locally verified.
Change-Id: I9ff3448a98cd8df945b2589f0b8ab64d636d2b09

M credentials/credentials-play-services-auth/src/main/java/androidx/credentials/playservices/controllers/CreatePublicKeyCredential/PublicKeyCredentialControllerUtility.kt

https://android-review.googlesource.com/2472961

he...@google.com <he...@google.com> #4Mar 7, 2023 07:37PM

Marked as fixed.

Hey!

The fix is complete and is on track to go into the next release (ETA March 22nd).

In the meantime, to try this out you can use a snapshot SDK from https://androidx.dev/. Any buildId >= 9700081 works. Here's an example of using the 9700081 snapshot:

Step 1: Add the following maven url line to your build.gradle file.

allprojects {
    repositories {
        google()
        jcenter()
        maven { url 'https://androidx.dev/snapshots/builds/9700081/artifacts/repository' }
    }
}

Step 2: Depend on the snapshot version artifact:

dependencies {
    def work_version = '1.0.0-SNAPSHOT'
    implementation "androidx.credentials:credentials-play-services-auth:$work_version"
    ...
}

pr...@google.com <pr...@google.com> #5Mar 22, 2023 08:23PM

The following release(s) address this bug.It is possible this bug has only been partially addressed:

androidx.credentials:credentials-play-services-auth:1.0.0-alpha05

sh...@gmail.com <sh...@gmail.com> #6Mar 23, 2023 07:52AM

I'm thinking that the issue still exists in 1.0.0-alpha05. FYI, I have a single Google account on the device.
The same error 'CreatePublicKeyCredentialDomException' is thrown with weird error message (errorMessage) - "Unable to get sync account."

va...@shopify.com <va...@shopify.com> #7Mar 25, 2023 12:57AM

I also confirm that the issue still exists in 1.0.0-alpha05

va...@shopify.com <va...@shopify.com> #8Apr 4, 2023 05:20PM

I think the error type changed from ConstraintError to NotAllowedError for alpha05, but still not CreateCredentialCancellationException as expected.

he...@google.com <he...@google.com> #9Apr 4, 2023 09:26PM

It's possible that ConstraintError is thrown once the passkey flow is started. This is according to the webauthn spec:

"If the user does not consent, return an error code equivalent to "NotAllowedError" and terminate the operation."

"If the user exercises a user agent user-interface option to cancel the process" ... "Throw a "NotAllowedError" DOMException."

Therefore, for a passkey request, you should be ready to handle both the CancellationException and the PublicKeyCredentialException(ConstraintError) as a signal for user cancellation.

va...@shopify.com <va...@shopify.com> #10Apr 4, 2023 10:01PM

Therefore, for a passkey request, you should be ready to handle both the CancellationException and the PublicKeyCredentialException(ConstraintError) as a signal for user cancellation.

You mean NotAllowedError?

he...@google.com <he...@google.com> #11Apr 4, 2023 10:02PM

Oops good catch. Yes by ConstraintError I meant NotAllowedError