如何在Android应用程序中实现WebAuthn? [英] How to implement WebAuthn in an Android App?

问题描述

我打算使用WebAuthn进行身份验证，如演示站点 https://webauthn.io 所示.

I'm intending to use WebAuthn for authentication, as shown at the demo site https://webauthn.io

事实证明，Android的WebView(及其iOS对应版本)未实现此功能，并且明确声明不会发生这种情况.人们正在使用Chrome Tab来推荐他们.

Turns out that Android's WebView (and its iOS counterpart) does not implement this and it is explicitly stated that this won't be happen. One is getting referred to use a Chrome Tab.

但是我要做的是在移动设备上(即在App内)不使用任何HTML/JavaScript.在应用程序中，我想使用类似于Firebase的Java库，但它确实提供了使用通过WebAuthn设置的相同帐户的方法，或通过应用程序上的库设置帐户的方法，以后可以访问该库在浏览器中使用WebAuthn.

But what I want to do is not to use any HTML/JavaScript for this when on a mobile device, that is, inside the App. In the app I would like to use a Java library similar to Firebase but which does provide the means to use the same account which got set up via WebAuthn, or to set up an account via the library on the App which can then later be accessed in a Browser by using WebAuthn.

我遇到了AppAuth https://github.com/openid/AppAuth-Android，不确定是否与WebAuthn有关.

I have come across AppAuth https://github.com/openid/AppAuth-Android and am unsure if this is related to WebAuthn.

我的目标是使用无密码和无电子邮件的身份验证系统，以便用户通过WebAuthn在Web上使用它，并使他们的应用程序代表他们通过库访问后端.一种不需要有人在Facebook，Google或任何其他提供商处拥有用户帐户的系统.

My goal is to use a password- and email-less authentication system in order for users to use it on the Web via WebAuthn as well have their App access the backend via the library on their behalf. A system that doesn't require someone to have a user account at Facebook, Google or any other provider.

我想避免在Android App中使用类似Chrome Tab的变通方法，应该全部使用Java处理，并通过Fragments与用户互动.

I would want to avoid using a workaround like a Chrome Tab in the Android App, it should all be handled in Java and the user interaction via Fragments.

我有哪些选择? FIDO2是否能够提供提供此功能所需的全部功能?它与OAuth 2.0有何关系?

Which are my options? Is FIDO2 capable of offering all that is needed to provide this? How does it relate to OAuth 2.0?

推荐答案

WebAuthn是浏览器的标准，这意味着它只能在当今的浏览器中实现.在Android上，确实仅限于ChromeCustomTabs的浏览器.在iOS上，内部Web视图中可能允许使用它-但仍在Web组件中.

WebAuthn is a standard for browsers, which means it can only be implemented in browsers as of today. On Android, it's indeed restricted to the browser of ChromeCustomTabs. On iOS, it may be allowed in internal webviews - but still in a web component.

无法使其与本机UI一起使用，特别是因为WebAuthn身份验证绑定到URI(本机移动应用程序UI中没有此URI).

There is no way to have it working with the native UI, especially because WebAuthn authentication is bound to an URI (which there isn't in a native mobile application UI).

WebAuthn和OAuth2不相关. OAuth2是一种API访问控制协议:您首先使用 web流(在某些特殊情况下除外)在授权服务器上获取令牌，这通常涉及身份验证和授权过程，然后使用这些访问令牌在验证它们的API上. WebAuthn是一种身份验证方案:初始注册后，用户可以使用身份验证器进行身份验证，而无需输入密码.

WebAuthn and OAuth2 are not related. OAuth2 is a API access control protocol: you first get tokens on the authorization server using a web flow (except in some special cases), which typically involves an authentication and authorization process, and then consume these access tokens on an API that verifies them. WebAuthn is an authentication scheme: after initial enrolment, a user can authenticate with an authenticator without presenting a password.

这两件事相关的唯一方法是，WebAuthn可以用作OAuth2身份验证过程中的身份验证方案(而不是密码，通过电子邮件或SMS发送的OTP，推送通知...).

The only way these two things are related is that WebAuthn can be used as an authentication scheme in the OAuth2 authentication process (instead of a password, an OTP sent by email or SMS, a push notification...).

如果您希望在同一移动设备上的本机应用程序和某些Web应用程序之间进行单一身份验证过程，则方法是拥有一个独特的中央身份验证服务，该服务将处理身份验证和SSO(单点登录) -在).这样可以防止用户拥有多个帐户，注册和身份验证过程.

If you want to have single authentication process between your native application and some of your web applications on the same mobile device, the way to go is to have a unique, central authentication service which will deal with authentication and SSO (Single Sign-On). It prevents a user from having multiple accounts, registration and authentication processes.

为此，您的本机移动应用程序也必须使用它-因此要使用Web身份验证. AppAuth是一个允许执行此操作的库，并且使用OAuth2协议(因此提供了OAuth2访问令牌来访问API).由于您的本机应用程序内部没有数据，但是需要在某个地方(可能是API)检索数据，所以这可能就是您想要的.但据我所知，您无法使用片段来实现SSO，因为任何非ChromeCustomeTab组件都会不在应用程序外部共享Cookie.

To do that, your native mobile application has to use it too - and therefore use web authentication. AppAuth is a library that allows doing such a thing, and uses the OAuth2 protocol (and therefore provides with OAuth2 access tokens, to access APIs). Since your native application has no data within itself, but needs to retrieve data somewhere (probably an API), that might be what you want. But you can't achieve SSO with fragments as far as I know, because any non-ChromeCustomeTab component will not share cookies outside of the application.

这篇关于如何在Android应用程序中实现WebAuthn?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！