Add passkey registration support for WebView, Fixes AB#3385532 #2769
❌ Work item link check failed. Description does not contain AB#{ID}.
- Set project-level archives name in build.gradle
- Improve PasskeyWebListener to set up WebView message listener
- Refactor WebViewAuthorizationFragment to handle console messages with logging levels
- Update request headers management in WebViewAuthorizationFragment for passkey protocol
- Clean up WebViewMessageListener by removing unused default listener
…oved script handling and logging; add JsScriptRecord for script management; update CommonFlight to disable passkey feature by default.
…rieval logging; streamline credential request handling.
- Added PasskeyReplyChannel for communication between JavaScript and native code.
- Updated CredentialManagerHandler to create and retrieve passkeys.
- Enhanced PasskeyWebListener to handle WebAuthn requests and responses.
- Introduced js-bridge.js for JavaScript integration with WebAuthn.
- Created unit tests for PasskeyReplyChannel to ensure correct message formatting and error handling.
- Removed unnecessary logging statements and improved error handling.
…r handling and message formatting; enhance test coverage for success and error scenarios.
…te Logger class to disable Logcat logging by default; improve logging conditions in Logger.java; ensure proper newline at end of files in CredentialManagerHandler and JsScriptRecord.
…d clean up request headers
…nstructions for modifying js-bridge.js
…ract Passkey protocol header injection logic into a separate method for improved readability and maintainability.
… with project property for better version management. Refactor FidoChallengeField to support multiple Passkey protocol versions; improve error handling for unsupported versions. Clean up CredentialManagerHandler by removing unnecessary exception handling; streamline credential creation and retrieval logic. Add unit tests for PasskeyWebListener; cover message handling, credential flows, and error scenarios. Add webkitVersion variable in versions.gradle for centralized version management.
…abled by default.
…ent; streamline logic for injecting headers based on flight feature and broker requests.
✅ Work item link check complete. Description contains link AB#3385532 to an Azure Boards work item.
…dler for improved readability; format code for better clarity.
…ureAD/microsoft-authentication-library-common-for-android into pedroro/passkey-reg-prototype
- Introduced a set of supported passkey protocol versions in FidoConstants.
- Updated throwIfInvalidProtocolVersion method to validate against the new set.
Pull Request Overview
This PR extends the existing passkey authentication functionality to include passkey registration support in Android WebView through a new WebMessageListener bridge. The implementation leverages the Android Credential Manager API and introduces protocol version 1.1 to differentiate between authentication-only (1.0) and authentication+registration (1.1) capabilities. Key changes include new handler classes for credential operations, JavaScript bridge injection for WebAuthn API interception, and flight-controlled feature rollout.
Key changes:
- Introduced protocol version 1.1 for passkey registration alongside existing 1.0 authentication
- Added CredentialManagerHandler, PasskeyWebListener, and PasskeyReplyChannel classes to manage WebAuthn flows
- Injected JavaScript bridge to intercept navigator.credentials.create/get calls in WebView
Reviewed Changes
Copilot reviewed 15 out of 15 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| gradle/versions.gradle | Added androidx.webkit dependency version |
| common4j/src/main/com/microsoft/identity/common/java/flighting/CommonFlight.java | Renamed flight from ENABLE_PASSKEY_FEATURE to ENABLE_PASSKEY_REGISTRATION |
| common4j/src/main/com/microsoft/identity/common/java/constants/FidoConstants.kt | Added protocol version 1.1 constants and supported versions set |
| common/src/test/java/com/microsoft/identity/common/internal/providers/oauth2/PasskeyWebListenerTest.kt | Comprehensive unit tests for PasskeyWebListener |
| common/src/test/java/com/microsoft/identity/common/internal/providers/oauth2/PasskeyReplyChannelTest.kt | Unit tests for PasskeyReplyChannel error handling |
| common/src/main/java/com/microsoft/identity/common/internal/ui/webview/JsScriptRecord.kt | New record class for managing injected JavaScript scripts |
| common/src/main/java/com/microsoft/identity/common/internal/ui/webview/AzureActiveDirectoryWebViewClient.java | Added onPageStarted override to inject scripts and script management |
| common/src/main/java/com/microsoft/identity/common/internal/providers/oauth2/js-bridge.js | JavaScript bridge for intercepting WebAuthn API calls |
| common/src/main/java/com/microsoft/identity/common/internal/providers/oauth2/WebViewAuthorizationFragment.java | Integrated PasskeyWebListener setup and protocol header injection |
| common/src/main/java/com/microsoft/identity/common/internal/providers/oauth2/PasskeyWebListener.kt | Core WebMessageListener implementation for WebAuthn flows |
| common/src/main/java/com/microsoft/identity/common/internal/providers/oauth2/PasskeyReplyChannel.kt | Channel for communicating WebAuthn responses to JavaScript |
| common/src/main/java/com/microsoft/identity/common/internal/providers/oauth2/CredentialManagerHandler.kt | Handler for Android Credential Manager API operations |
| common/src/main/java/com/microsoft/identity/common/internal/fido/FidoChallengeField.kt | Updated protocol version validation to support both 1.0 and 1.1 |
| common/build.gradle | Added webkit dependency and increased dependency size limit |
| changelog.txt | Added changelog entry for passkey registration feature |
…Channel, PasskeyWebListener, and WebViewAuthorizationFragment
Assemble consumers will fail because webkit version is not defined in those libraries yet.
common/src/main/assets/js-bridge.js (outdated)
window.PublicKeyCredential = (function () { });
window.PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable =
  function () {
    return Promise.resolve(false);
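Review bot: `window.PublicKeyCredential = (function () { });` throws away the page's real PublicKeyCredential interface and every other static it carries, just to attach one method; assigning the static onto the existing object (`window.PublicKeyCredential = window.PublicKeyCredential || function () {};` and then setting the property) keeps the rest intact. Separately, `return Promise.resolve(false);` tells the page that no platform authenticator exists, which contradicts the bridge's purpose once create/get are routed to the Credential Manager; returning `true` here matches what the shim actually provides.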
Just double checking my understanding: this part controls if the passkey option is visible correct? By always returning false here, this ensures that we can control the visibility with webauthn=1 instead?
This JS method basically tells the webpage whether the current device has a built-in (platform) authenticator — like a fingerprint sensor, Face ID, or passkey support, so by default this is false in WebView: https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredential/isUserVerifyingPlatformAuthenticatorAvailable_static.
In our case, since we’re implementing the credential manager integration, we could actually return true. I believe ESTS skips this validation, which is why it worked before, but it makes more sense to explicitly return true here.
I will double check with Suresh
…ving error handling, and updating WebView authorization logic
Pull Request Overview
Copilot reviewed 15 out of 15 changed files in this pull request and generated 9 comments.
…oviders/oauth2/PasskeyReplyChannel.kt Co-authored-by: Copilot <[email protected]>
…do/FidoChallengeField.kt Co-authored-by: Copilot <[email protected]>
…oviders/oauth2/js-bridge.js Co-authored-by: Copilot <[email protected]>
Co-authored-by: Copilot <[email protected]>

AB#3385532
https://identitydivision.visualstudio.com/DevEx/_git/AuthLibrariesApiReview/pullrequest/20357
This PR implements passkey registration support for MSAL/Broker/OneAuth on Android WebView through a WebMessageListener bridge. It extends the existing authentication-only passkey functionality to include full registration capabilities, leveraging the standard Android Credential Manager.
🎯 Key Features
Protocol Version Update
Passkey and Credential Manager Integration:
- CredentialManagerHandler class to encapsulate passkey creation and retrieval using the Android Credential Manager API, including version checks and logging. This simplifies and centralizes interactions with the credential APIs.
- PasskeyReplyChannel class to standardize communication of WebAuthn responses (success and error) back to JavaScript via JavaScriptReplyProxy, with detailed error mapping to DOMException types per the WebAuthn specification.
Protocol Version Handling:
- FidoChallengeField to accept both 1.0 and 1.1 as supported passkey protocol versions, improving compatibility with newer protocol versions.
Dependency Management:
- androidx.webkit:webkit as a dependency to support enhanced WebView and JavaScript interaction features.
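As an added illustration of the bridge design this PR describes (it is not the project's js-bridge.js or any of its code): a shim that routes navigator.credentials.create/get through a WebMessageListener port and maps the native side's error replies onto WebAuthn DOMException names. The port object, the JSON message shape and the base64url wire encoding of BufferSource fields are assumptions.

```javascript
// Added illustration of the bridge design described above; it is not the
// project's js-bridge.js. Assumed: the native WebMessageListener object exposes
// postMessage(string) and delivers replies via onmessage; the message shapes
// {id, op, options} and {id, ok, response | error:{name, message}} are hypothetical.
const DOM_ERROR_NAMES = new Set(["NotAllowedError", "InvalidStateError",
  "NotSupportedError", "SecurityError", "AbortError", "ConstraintError"]);

// BufferSource (ArrayBuffer or typed-array view) -> base64url, so challenge and
// user.id survive JSON serialisation across the bridge.
function toBase64Url(src) {
  const bytes = src instanceof ArrayBuffer ? new Uint8Array(src)
    : new Uint8Array(src.buffer, src.byteOffset, src.byteLength);
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function installPasskeyBridge(win, port) {
  const pending = new Map();                   // request id -> {resolve, reject}
  let nextId = 1;
  port.onmessage = (event) => {                // reply from the native side
    const reply = JSON.parse(event.data);
    const p = pending.get(reply.id);
    if (!p) return;                            // unknown or duplicate id: drop it
    pending.delete(reply.id);
    if (reply.ok) return p.resolve(reply.response);
    const err = reply.error || {};             // unknown names collapse to NotAllowedError
    const name = DOM_ERROR_NAMES.has(err.name) ? err.name : "NotAllowedError";
    p.reject(new DOMException(err.message || "WebAuthn request failed", name));
  };
  function send(op, options) {
    const pk = options.publicKey;              // encode binary fields before crossing
    const wire = { ...pk, challenge: toBase64Url(pk.challenge) };
    if (pk.user) wire.user = { ...pk.user, id: toBase64Url(pk.user.id) };
    return new Promise((resolve, reject) => {
      const id = nextId++;
      pending.set(id, { resolve, reject });
      port.postMessage(JSON.stringify({ id, op, options: wire }));
    });
  }
  win.navigator.credentials = {
    create: (options) => send("create", options),
    get: (options) => send("get", options),
  };
  // Keep any existing statics; only override the platform-authenticator probe.
  const pkc = win.PublicKeyCredential || (win.PublicKeyCredential = {});
  pkc.isUserVerifyingPlatformAuthenticatorAvailable = () => Promise.resolve(true);
  return { pendingCount: () => pending.size };
}
```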