fido2_Android中FIDO2 API上的POC

fido2

认证方式 (Authentication)

A few days back I had to make an Android POC on FIDO Protocol and when I started browsing about it, I had not got much of any help from the official documentation and due to which it took more time than I had excepted.

几天前，我不得不制作一个基于FIDO协议的Android POC，当我开始浏览它时，我并没有从官方文档中获得太多帮助，因此，它花了比我更多的时间。

So, I am writing this blog to simply things which caught me back when I was developing this.

所以，我写这个博客的目的只是为了让我在开发它时回想起来。

What you will get in this blog?

您将在此博客中获得什么？

• A basic idea how FIDO Authentication works.
  FIDO身份验证如何工作的基本概念。
• Much explanation about why things are not working.
  关于为什么事情不起作用的很多解释。
• And, some surprise in the end 🤩
  而且，最终有些意外surprise

What you will not get in this blog?

您在此博客中不会得到什么？

• Working of FIDO server.
  FIDO服务器的工作。

Why use FIDO Authentication?

为什么要使用FIDO身份验证？

Because it is easy and most secured way authenticate right now.

因为它现在很容易且最安全的方式进行身份验证。

Working of FIDO Authentication

FIDO身份验证的工作

We will try to understand this in steps :

我们将尝试逐步了解这一点：

1. You ask FIDO server to register your account.
   您要求FIDO服务器注册您的帐户。
2. In return of that request, it sends you a challenge ( an encrypted string ) which your Android mobile phone authenticator will decode and give you a response.
   作为请求的返回，它向您发送一个质询(一个加密的字符串)，您的Android手机身份验证器将对该质询进行解码并给您答复。

An authenticator can your phone’s PIN, Fingerprint, Face unlock etc.

身份验证者可以使用您手机的PIN码，指纹，面部解锁等。

3. The authenticator generates user credentials. A user credential has both a public and a private key component. The public key is shared with your service, while the private key is kept secret by the authenticator.

3.验证者生成用户 凭证 。 用户凭证同时具有公共和私有密钥组件。 公钥与您的服务共享，而私钥由身份验证者保密。

4. Now, the response is shared is sent to the FIDO server. It will check whether is correct or not by using the public key.

4.现在，共享的响应被发送到FIDO服务器。 它将使用公钥检查是否正确。

5. If it is correct then, it will register the account.

5.如果正确，它将注册该帐户。

POC

POC

The above link is of Google Codelab. You can find the sample app in it.

上面的链接来自Google Codelab。 您可以在其中找到示例应用程序。

Now, if there is already a demo project provided by Google then why am I writing this blog?

现在，如果Google已经提供了一个演示项目，那我为什么还要撰写此博客？

Because there is a lot which I was getting while I was playing with the app and there was no sign of it in the documentation. So, to clear those I am writing this :)

因为我在使用该应用程序时获得了很多东西，并且在文档中没有任何迹象。 所以，清除那些我在写这个:)

Have a look at the app and try to understand what is happening.

看看该应用程序，并尝试了解正在发生的事情。

Errors

失误

There are 3 errors which I faced :

我遇到了3个错误：

1. “The incoming request cannot be validated”.

   “传入的请求无法验证”。

• One reason for this is the wrong ANDROID_PACKAGENAME in .env file on glitch or in assetlinks.json file on server.
  原因之一是故障上的.env文件中或服务器上的assetlinks.json文件中的ANDROID_PACKAGENAME错误。

.env screen

.env屏幕

• If you put wrong Android package name in this then the same is copied to assetlinks.json file which is generated automatically by the glitch.

  如果您在其中输入了错误的Android软件包名称，则该名称会被复制到assetglits.json文件中，该文件会由故障自动生成。

• If you are using multiple apps with a single project then check out bonus part.
  如果您在一个项目中使用多个应用程序，请查看奖励部分。

2. “Cancelled”

2. “已取消”

• The one reason for this is when you try to sign in to the account by using different Mobile phone from the one you have used during the sign up time.
  原因之一是您尝试使用与注册期间使用的手机不同的手机登录该帐户。
• The logic behind this can be the wrong private key. Every time you sign up, there is private key which Authenticator keeps and which also decode the challenge string.
  其背后的逻辑可能是错误的私钥。 每次注册时，都有一个身份验证器保留的私钥，它还会对质询字符串进行解码。
• So, when you use a different mobile phone the authenticator also changes with which your private key also changes. I think this can be the reason behind it.
  因此，当您使用其他手机时，身份验证器也会更改，您的私钥也会随之更改。 我认为这可能是其背后的原因。

3. “One of the excluded credential exist on the local device”

3. “排除的凭证之一存在于本地设备上”

• This is still a mystery. I want your help in solving this. If you find out anything about solving it, please share it in the comment section.
  这仍然是一个谜。 在解决这个问题上，我需要您的帮助。 如果您发现有关解决问题的任何信息，请在评论部分中分享。
• The hint can be — It saves the account details when I used authenticator multiple times to decode the challenge string.
  提示可以是-当我多次使用身份验证器对质询字符串进行解码时，它将保存帐户详细信息。
• Clearing storage and uninstalling app didn't help.
  清除存储并卸载应用程序无济于事。

Bonus

奖金

Now, with this setup you can use single android app with a single glitch project. To use multiple apps with a single glitch project, you have to add some thing in server.js on glitch site.

现在，通过此设置，您可以将单个Android应用程序与单个故障项目一起使用。 要在单个故障项目中使用多个应用程序，必须在故障站点上的server.js中添加一些内容。

There is something like this in your server.js :

您的server.js中有这样的内容：

initial

初始

This you have change to :

您将其更改为：

final

最后

Why did we did what we did?

为什么我们做了我们所做的？

Because by adding this in the server.js file it also gets add up in the assetlinks.json and our app is linked with assetlinks.json file.

因为在server.js文件中添加这一点，也得到在assetlinks.json加起来和我们的应用程序与assetlinks.json文件链接。

So, assetlinks.json is really important. If anything goes wrong in it then everything goes off in your app.

因此， assetlinks.json非常重要。 如果其中有任何错误，那么您的应用程序中的所有内容都会消失。

This is all from my side.

这都是我的意思。

If there is anything I missed. Please comment below.

如果有什么我想念的。 请在下面发表评论。

Thank you for reading.

感谢您的阅读。

Happy Coding.

编码愉快。

翻译自: https://medium.com/swlh/poc-on-fido2-api-in-android-55026b15d51c

fido2