
Conversation

@p3dr0rv p3dr0rv (Contributor) commented Sep 23, 2025

AB#3385532
https://identitydivision.visualstudio.com/DevEx/_git/AuthLibrariesApiReview/pullrequest/20357

This PR implements passkey registration support for MSAL/Broker/OneAuth on Android WebView through a WebMessageListener bridge. It extends the existing authentication-only passkey functionality to include full registration capabilities, leveraging the standard Android Credential Manager.

🎯 Key Features
Protocol Version Update

  • Current: x-ms-PassKeyAuth: 1.0/passkey (authentication only)
  • New: x-ms-PassKeyAuth: 1.1/passkey (registration + authentication)

Passkey and Credential Manager Integration:

  • Added new CredentialManagerHandler class to encapsulate passkey creation and retrieval using the Android Credential Manager API, including version checks and logging. This simplifies and centralizes interactions with the credential APIs.
  • Introduced PasskeyReplyChannel class to standardize communication of WebAuthn responses (success and error) back to JavaScript via JavaScriptReplyProxy, with detailed error mapping to DOMException types per the WebAuthn specification.

Protocol Version Handling:

  • Updated protocol version validation in FidoChallengeField to accept both 1.0 and 1.1 as supported passkey protocol versions, improving compatibility with newer protocol versions.

Dependency Management:

  • Added androidx.webkit:webkit as a dependency to support enhanced WebView and JavaScript interaction features.

Telemetry will be added in a following PR.
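As an added illustration (not code from this PR or from MSAL, OneAuth or the Broker), the following JavaScript models the two halves of the bridge the description outlines: the native side gating registration on the advertised x-ms-PassKeyAuth version and mapping credential-manager failures to the DOMException names WebAuthn defines, and the page side turning the reply back into what the intercepted navigator.credentials call would have produced. PasskeyBridge, handleNativeRequest, the error codes, and the fake credential manager are hypothetical names and constructed data; the real WebMessageListener/JavaScriptReplyProxy transport is replaced by an in-process callback so the example runs offline.

```javascript
"use strict";
// Added illustration, not MSAL/OneAuth/Broker code. Every name below is hypothetical.

// Native side: the page advertises the protocol it speaks in the x-ms-PassKeyAuth
// header. 1.0 means authentication only; 1.1 adds registration.
const PASSKEY_VERSIONS = {
  "1.0": { registration: false, authentication: true },
  "1.1": { registration: true, authentication: true },
};

function parsePasskeyHeader(headerValue) {
  const m = /^(\d+\.\d+)\/passkey$/.exec(String(headerValue || "").trim());
  if (!m || !PASSKEY_VERSIONS[m[1]]) {
    throw new Error("Unsupported passkey protocol version: " + headerValue);
  }
  return { version: m[1], ...PASSKEY_VERSIONS[m[1]] };
}

// Native side: WebAuthn-defined DOMException names for credential-manager failures,
// so page script sees the same errors a real navigator.credentials call raises.
const NATIVE_ERROR_TO_DOM = {
  cancelled: "NotAllowedError",    // user dismissed the system sheet
  timeout: "NotAllowedError",      // no user interaction in time
  excluded: "InvalidStateError",   // excludeCredentials matched an existing passkey
  unsupported: "NotSupportedError",
  rp_mismatch: "SecurityError",    // RP ID not valid for the calling origin
};

// Builds the JSON string the native side would hand to JavaScriptReplyProxy.postMessage.
function buildReply(id, outcome) {
  if (outcome.ok) return JSON.stringify({ id, result: outcome.credential });
  const known = Object.prototype.hasOwnProperty.call(NATIVE_ERROR_TO_DOM, outcome.code);
  const name = known ? NATIVE_ERROR_TO_DOM[outcome.code] : "UnknownError";
  return JSON.stringify({ id, error: { name, message: outcome.message || outcome.code } });
}

// Native side: dispatch one bridge message. `cm` stands in for the CredentialManager
// wrapper and must expose createPasskey(options) and getPasskey(options), each
// returning { ok: true, credential } or { ok: false, code, message }.
function handleNativeRequest(headerValue, message, cm) {
  const proto = parsePasskeyHeader(headerValue);
  if (message.op === "create" && !proto.registration) {
    return buildReply(message.id, { ok: false, code: "unsupported",
      message: "passkey registration requires protocol version 1.1" });
  }
  if (message.op !== "create" && message.op !== "get") {
    return buildReply(message.id, { ok: false, code: "unsupported",
      message: "unknown op " + message.op });
  }
  const outcome = message.op === "create" ? cm.createPasskey(message.options || {})
                                          : cm.getPasskey(message.options || {});
  return buildReply(message.id, outcome);
}

// Page side: rebuild the error the page would have received. Browsers (and Node 17+)
// provide DOMException globally; a minimal stand-in keeps the example runnable elsewhere.
const DomError = typeof DOMException !== "undefined" ? DOMException
  : class extends Error { constructor(message, name) { super(message); this.name = name; } };

function replyToResult(json) {
  const msg = JSON.parse(json);
  if (msg.error) return { id: msg.id, error: new DomError(msg.error.message, msg.error.name) };
  return { id: msg.id, credential: msg.result };
}

// Page side: the shim a js-bridge script would install over navigator.credentials.
// postToNative(json) stands in for the WebMessageListener port's postMessage.
class PasskeyBridge {
  constructor(postToNative) { this.postToNative = postToNative; this.pending = new Map(); this.nextId = 1; }
  create(options) { return this._send("create", options); }
  get(options) { return this._send("get", options); }
  _send(op, options) {
    const id = this.nextId++;
    return new Promise((resolve, reject) => {
      this.pending.set(id, { resolve, reject });
      this.postToNative(JSON.stringify({ id, op, options }));
    });
  }
  // Invoked when the native side replies through the listener's reply proxy.
  onNativeMessage(json) {
    const r = replyToResult(json);
    const p = this.pending.get(r.id);
    if (!p) return;                // stale or unknown id: ignore, do not resolve anything
    this.pending.delete(r.id);
    if (r.error) p.reject(r.error); else p.resolve(r.credential);
  }
}

// Constructed fake credential manager: holds one passkey "cred-1"; creation fails with
// "excluded" when the RP excludes it, and every assertion request is cancelled.
const fakeCredentialManager = {
  createPasskey(options) {
    const excluded = (options.excludeCredentials || []).some(c => c.id === "cred-1");
    return excluded ? { ok: false, code: "excluded", message: "credential already registered" }
                    : { ok: true, credential: { id: "cred-1", type: "public-key" } };
  },
  getPasskey() { return { ok: false, code: "cancelled", message: "user cancelled" }; },
};

// Wires both halves together in-process: the page's request is handled natively and
// the reply is fed straight back into the bridge.
function roundTrip(headerValue, op, options) {
  let reply;
  const bridge = new PasskeyBridge(json => {
    reply = handleNativeRequest(headerValue, JSON.parse(json), fakeCredentialManager);
  });
  const promise = op === "create" ? bridge.create(options) : bridge.get(options);
  bridge.onNativeMessage(reply);
  return promise;
}
```

The version gate sits on the native side on purpose: a page that only advertised 1.0 never gets a registration ceremony serviced, and a create request arriving anyway is answered with NotSupportedError rather than silently ignored, so the page's promise always settles.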

@p3dr0rv p3dr0rv changed the title Add passkey support with CredentialManager and WebView integration [WIP] Add passkey support with CredentialManager and WebView integration Sep 23, 2025
@github-actions

❌ Work item link check failed. Description does not contain AB#{ID}.


- Set project-level archives name in build.gradle
- Improve PasskeyWebListener to set up WebView message listener
- Refactor WebViewAuthorizationFragment to handle console messages with logging levels
- Update request headers management in WebViewAuthorizationFragment for passkey protocol
- Clean up WebViewMessageListener by removing unused default listener
…oved script handling and logging; add JsScriptRecord for script management; update CommonFlight to disable passkey feature by default.
…rieval logging; streamline credential request handling.
- Added PasskeyReplyChannel for communication between JavaScript and native code.
- Updated CredentialManagerHandler to create and retrieve passkeys.
- Enhanced PasskeyWebListener to handle WebAuthn requests and responses.
- Introduced js-bridge.js for JavaScript integration with WebAuthn.
- Created unit tests for PasskeyReplyChannel to ensure correct message formatting and error handling.
- Removed unnecessary logging statements and improved error handling.
…r handling and message formatting; enhance test coverage for success and error scenarios.
…te Logger class to disable Logcat logging by default; improve logging conditions in Logger.java; ensure proper newline at end of files in CredentialManagerHandler and JsScriptRecord.
…ract Passkey protocol header injection logic into a separate method for improved readability and maintainability.
… with project property for better version management.

Refactor FidoChallengeField to support multiple Passkey protocol versions; improve error handling for unsupported versions.
Clean up CredentialManagerHandler by removing unnecessary exception handling; streamline credential creation and retrieval logic.
Add unit tests for PasskeyWebListener; cover message handling, credential flows, and error scenarios.
Add webkitVersion variable in versions.gradle for centralized version management.
…ent; streamline logic for injecting headers based on flight feature and broker requests.
@p3dr0rv p3dr0rv changed the title [WIP] Add passkey support with CredentialManager and WebView integration Add passkey registration support with CredentialManager and WebView integration Oct 23, 2025
@p3dr0rv p3dr0rv changed the title Add passkey registration support with CredentialManager and WebView integration Add passkey registration support for WebView Oct 23, 2025
@github-actions

✅ Work item link check complete. Description contains link AB#3385532 to an Azure Boards work item.

@github-actions github-actions bot changed the title Add passkey registration support for WebView Add passkey registration support for WebView, Fixes AB#3385532 Oct 23, 2025
@shahzaibj shahzaibj requested a review from Copilot October 29, 2025 16:29
Copilot AI (Contributor) left a comment

Pull Request Overview

Copilot reviewed 15 out of 15 changed files in this pull request and generated 9 comments.

@p3dr0rv p3dr0rv added the Skip-Consumers-Check Only include this if making a breaking change purposefully, and there is an MSAL/ADAL/Broker PR label Nov 6, 2025
@p3dr0rv p3dr0rv merged commit e447086 into dev Nov 6, 2025
18 of 20 checks passed
@p3dr0rv p3dr0rv deleted the pedroro/passkey-reg-prototype branch November 6, 2025 21:54
p3dr0rv added a commit to AzureAD/microsoft-authentication-library-for-android that referenced this pull request Nov 6, 2025
[AB#3385532](https://identitydivision.visualstudio.com/fac9d424-53d2-45c0-91b5-ef6ba7a6bf26/_workitems/edit/3385532)

https://identitydivision.visualstudio.com/DevEx/_git/AuthLibrariesApiReview/pullrequest/20357
### Add WebAuthn Version Support and Passkey Headers

This PR adds support for handling the WebAuthn protocol version in the app configuration and authentication flow for broker-less scenarios. It also enables testing on WEBVIEW PPE MSA.

**Changes:**
- Added a new `webauthn_version` field to `PublicClientApplicationConfiguration`, including serialization, accessors, and merge logic, allowing apps to define and retrieve the WebAuthn version from configuration files.
- Updated `CommandParametersAdapter` to include passkey protocol headers in authentication requests when WebAuthn is enabled, supported (Android 9+), the authorization agent is WebView, and the version is 1.1.
- Updated the test app (`MsalWrapper`) to append the `msaoauth2=true` parameter to query strings when running in the pre-production environment with WebAuthn 1.1 enabled, enabling proper testing of WebAuthn flows.

Related PR:
AzureAD/microsoft-authentication-library-common-for-android#2769

Test
1. Create an account at https://signup.live-int.com/?lic=1
2. Install the MSAL test app (ensure no broker is installed).
3. Change the config to MSA_WEBVIEW_PPE.
4. Click acquire token and complete the auth flow (username, password).
5. The user is presented with the option to register a passkey; complete the flow, and you will end up with a token and a passkey.
6. Try again with no user selected and use the passkey.

---------

Co-authored-by: Copilot <[email protected]>
chaoz-MS added a commit to chaoz-MS/microsoft-authentication-library-common-for-android that referenced this pull request Dec 2, 2025