Assigned
Status Update
Comments
bl...@google.com <bl...@google.com> #2
Automated by Blunderbuss job android-credential-manager-autoassigner for config android_credman_config for component 1301097.
No update yet.
Description
Version used: The above document as last updated on 2024-05-28 UTC. Code from the examples
How to reproduce: I create a passkey on the device inside our app (WebView). I can then create another one. The second invocation of create has the effect of substituting the existing credential in the authenticator with a new one. On the server side (RP) we have an additional credential. Of course only the newer one works. Debugging the app, at the CredentialManagerHandler createPasskey (
It seems that the injected JavaScript does not parse these values correctly. (The injected JavaScript:
Devices/Android versions reproduced on:
It is a bug in the JavaScript code that acts as a bridge between WebView and the Credential Manager.
How I fixed it:
I fixed the double registration error by adding this code to the injected JavaScript (encode.js), in the "create" function:
if (temppk.hasOwnProperty('excludeCredentials')) {
    const excludeCredentials = temppk.excludeCredentials;
    // Map over each item in the excludeCredentials array and check if it's a public key credential
    temppk.excludeCredentials = excludeCredentials.map((item, index) => {
        if (item.hasOwnProperty('id')) {
            // If it's an object with an id property, just encode its value as Base64.
            // The encoding call is missing from the snippet as posted; this line assumes the
            // CM_base64url_encode helper that encode.js uses for its other binary fields.
            item.id = CM_base64url_encode(item.id);
        } else if (item.hasOwnProperty('type')) {
            item.type = item.type;
        }
        return item;
    });
}
This checks the values of excludeCredentials and encodes the id to Base64, so the JavaScript bridge passes the excludeCredentials correctly to Credential Manager. To integrate this fix, minify the updated encode.js and set it in PasskeyWebListener.kt as the INJECTED_VAL.
Kind regards,
Sakis
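The failure mode this report describes, as an added example that is not part of the original post or of the Android sample code: a binary `excludeCredentials[].id` serializes to `{}` when the creation options are passed through `JSON.stringify`, so the authenticator never sees the existing credential ID unless it is base64url-encoded first. The helper names `toBase64Url` and `encodeCreationOptions` are hypothetical, and the sample options are constructed.

```javascript
// Added example: toBase64Url and encodeCreationOptions are hypothetical helper names.
function isBinary(v) {
  return v instanceof ArrayBuffer || ArrayBuffer.isView(v);
}

// Encode an ArrayBuffer or typed-array view as unpadded base64url.
function toBase64Url(buf) {
  const bytes = ArrayBuffer.isView(buf)
    ? new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength)
    : new Uint8Array(buf);
  let s = '';
  for (const b of bytes) s += String.fromCharCode(b);
  return btoa(s).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Return a copy of the publicKey creation options in which every binary
// field, including each excludeCredentials[].id, is JSON-safe.
function encodeCreationOptions(publicKey) {
  const out = { ...publicKey };
  if (isBinary(out.challenge)) out.challenge = toBase64Url(out.challenge);
  if (out.user && isBinary(out.user.id)) {
    out.user = { ...out.user, id: toBase64Url(out.user.id) };
  }
  if (Array.isArray(out.excludeCredentials)) {
    out.excludeCredentials = out.excludeCredentials.map((d) =>
      isBinary(d.id) ? { ...d, id: toBase64Url(d.id) } : d);
  }
  return out;
}

// Constructed sample: one already-registered credential to exclude.
function demo() {
  const options = {
    challenge: Uint8Array.of(9, 8, 7).buffer,
    rp: { id: 'example.test', name: 'Example RP' },
    user: { id: Uint8Array.of(1, 1).buffer, name: 'alice', displayName: 'Alice' },
    excludeCredentials: [
      { type: 'public-key', id: Uint8Array.of(1, 2, 3, 250, 251, 255).buffer },
    ],
  };
  // What the bridge sends without and with the encoding step.
  const naive = JSON.parse(JSON.stringify(options));
  const fixed = JSON.parse(JSON.stringify(encodeCreationOptions(options)));
  return { naive: naive.excludeCredentials[0].id, fixed: fixed.excludeCredentials[0].id };
}
```

On the relying-party side, the same symptom shows up as more than one stored credential for a user handle where only the newest one authenticates.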