I’m currently working on implementing passkey authentication for an Android application, using this documentation: https://developer.android.com/training/sign-in/passkeys#kotlin
For authentication, I’m using the WSO2 identity server, but here’s where I’m doing something different. Instead of the app creating the passkey, the WSO2 identity server does it, and I store the passkey on the device.
Here’s a weird behavior I’m encountering: the app isn’t prompting me for the passkeys registered in the app. Instead, it shows a QR code for signing in with passkeys stored on other devices. After that, I get a GetCredentialCancellationException thrown.
Here are some more details about the process:
- I set requestJson to:
  {
    "challenge":"xxxxxxxxxxx",
    "allowCredentials":[],
    "Timeout":1800000,
    "userVerification": "Required",
    "rpId":"abc.com"
  }
- Both the challenge and rpId come from the WSO2 identity server.
- I’m not setting a digital assets link, as I’m using a separate identity server for authentication.
Can anyone help me debug what I have done wrong here?
2 Answers
Note: keys and values in the JSON are case sensitive, so Timeout and Required are both incorrect. If you haven’t set up the digital asset links, things won’t work, so try that first. (I.e. your app will need permission to use credentials from abc.com before things will work.)
It looks like the user still doesn’t have any passkeys registered. Note that GetCredentialRequest has a parameter, setPreferImmediatelyAvailableCredentials, that sets this behavior. From Google:
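Putting both answers together, here is an added Kotlin example (not code from the question or from either answer) that builds the request JSON with the case-sensitive spellings Credential Manager expects and opts out of the cross-device QR fallback with setPreferImmediatelyAvailableCredentials. It assumes the challenge and rpId are whatever the server (WSO2 in the question) returned, that abc.com serves a /.well-known/assetlinks.json entry for the app's package name and signing certificate, and that it is called from a coroutine with an Activity context; the PasskeyResult type and the signInWithLocalPasskey name are this example's own.

```kotlin
import android.content.Context
import androidx.credentials.CredentialManager
import androidx.credentials.GetCredentialRequest
import androidx.credentials.GetPublicKeyCredentialOption
import androidx.credentials.PublicKeyCredential
import androidx.credentials.exceptions.GetCredentialCancellationException
import androidx.credentials.exceptions.GetCredentialException
import androidx.credentials.exceptions.GetCredentialUnknownException
import androidx.credentials.exceptions.NoCredentialException
import org.json.JSONArray
import org.json.JSONObject

// Build the PublicKeyCredentialRequestOptions JSON with the exact (case-sensitive)
// key and value spellings. challenge and rpId are assumed to come from the server.
fun buildRequestJson(challenge: String, rpId: String, timeoutMs: Long = 1_800_000): String =
    JSONObject().apply {
        put("challenge", challenge)          // base64url string as issued by the server
        put("allowCredentials", JSONArray()) // empty: any discoverable credential for rpId
        put("timeout", timeoutMs)            // "timeout", not "Timeout"
        put("userVerification", "required")  // "required", not "Required"
        put("rpId", rpId)
    }.toString()

// Example-local result type so callers can distinguish "no passkey on this device"
// from a user cancellation, which the question's code could not.
sealed class PasskeyResult {
    data class Success(val authenticationResponseJson: String) : PasskeyResult()
    object NoLocalPasskey : PasskeyResult()
    object Cancelled : PasskeyResult()
    data class Failed(val cause: GetCredentialException) : PasskeyResult()
}

suspend fun signInWithLocalPasskey(context: Context, requestJson: String): PasskeyResult {
    val request = GetCredentialRequest.Builder()
        .addCredentialOption(GetPublicKeyCredentialOption(requestJson))
        // With true, Credential Manager fails fast with NoCredentialException when no
        // passkey for rpId exists on this device, instead of showing the
        // "use a passkey from another device" QR sheet described in the question.
        .setPreferImmediatelyAvailableCredentials(true)
        .build()

    return try {
        val response = CredentialManager.create(context).getCredential(context, request)
        when (val credential = response.credential) {
            // authenticationResponseJson is what gets POSTed back to the server
            // (WSO2 here) for signature verification.
            is PublicKeyCredential -> PasskeyResult.Success(credential.authenticationResponseJson)
            else -> PasskeyResult.Failed(GetCredentialUnknownException("unexpected credential type"))
        }
    } catch (e: NoCredentialException) {
        // Must be caught before the GetCredentialException catch-all: it is a subclass.
        PasskeyResult.NoLocalPasskey
    } catch (e: GetCredentialCancellationException) {
        PasskeyResult.Cancelled
    } catch (e: GetCredentialException) {
        PasskeyResult.Failed(e)
    }
}
```

If NoLocalPasskey comes back for a user who is supposed to have a passkey on this device, the asset-links check is the first thing to verify: Credential Manager only surfaces credentials for abc.com to an app that the assetlinks.json on that domain lists with the matching package name and SHA-256 certificate fingerprint, so a missing or stale entry looks exactly like "no passkeys registered".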