FORUMS

How to Implement the FIDO SDK

1,030 posts
Thanks Meter: 1,109
 
By XDARoni, XDA Community Manager on 15th June 2020, 02:18 PM
Post Reply Email Thread
If you're developing an app to work on Huawei phones, and you have features that need to be protected by authentication, then Huawei's FIDO SDK might be useful for you.

The FIDO SDK helps you present and verify authentication prompts to your app's users, and supports all sorts of verification methods, including things like NFC Tag and fingerprint scanning. If FIDO is something you want to implement, keep reading, because we're going to talk about how to get set up.

Preparation
First up, make sure you have a Huawei Developer Account. This process can take a couple days, and you'll need one to use this SDK, so be sure to start that as soon as possible. You can sign up at https://developer.huawei.com.

Next, you'll want to obtain the SHA-256 representation of your app's signing key. If you don't have a signing key yet, be sure to create one before continuing. To obtain your signing key's SHA-256, you'll need to use Keytool which is part of the JDK installation. Keytool is a command-line program. If you're on Windows, open CMD. If you're on Linux, open Terminal.
On Windows, you'll need to "cd" into the directory containing the Keytool executable. For example, if you have JDK 1.8 v231 installed, Keytool will be located at the following path:
Code:
Select Code
C:\Program Files\Java\jdk1.8.0_231\bin\
Once you find the directory, "cd" into it:
Code:
Select Code
C: #Make sure you're in the right drive
cd C:\Program Files\Java\jdk1.8.0_231\bin\
Next, you need to find the location of your keystore. Using Android's debug keystore as an example, where the Android SDK is hosted on the "E:" drive in Windows, the path will be as follows:
Code:
Select Code
E:\AndroidSDK\.android\debug.keystore
(Keytool also supports JKS-format keystores.)

Now you're ready to run the command. On Windows, it'll look something like this:
Code:
Select Code
keytool -list -v -keystore E:\AndroidSDK\.android\debug.keystore
On Linux, the command should be similar, just using UNIX-style paths instead.
Enter the keystore password, and the key name (if applicable), and you'll be presented with something similar to the following:


Make note of the SHA256 field.

SDK Setup
Now we're ready to add the Safety Detect SDK to your Android Studio project. Go to your Huawei Developer Console and click the HUAWEI AppGallery tile. Agree to the terms of use if prompted.
Click the "My projects" tile here. If you haven't already added your project to the AppGallery, add it now. You'll be asked for a project name. Make it something descriptive so you know what it's for.


Now, you should be on a screen that looks something like the following:


Click the "Add app" button. Here, you'll need to provide some details about your app, like its name and package name.


Once you click OK, some SDK setup instructions will be displayed. Follow them to get everything added to your project. You'll also need to add the following to the "dependencies" section of your app-level build.gradle file:

Code:
Select Code
implementation 'com.huawei.hms:fido-fido2:4.0.3.300'
If you want to use biometric authentication, include one of the following as well, depending on if you're using AndroidX or not:

Code:
Select Code
implementation 'com.huawei.hms:fido-bioauthn-androidx:4.0.3.300'
implementation 'com.huawei.hms:fido-bioauthn:4.0.3.300'


If you ever need to come back to these instructions, you can always click the "Add SDK" button after "App information" on the "Project setting" page.


Now you should be back on the "Project setting" page. Find the "SHA-256 certificate fingerprint" field under "App information," click the "+" button, and paste your SHA-256.


Now, go to the Manage APIs tab on the "Project setting" page. Scroll down until you find "FIDO" and make sure it's enabled.



Now, if you're using obfuscation in your app, you'll need to whitelist a few things for HMS to work properly.

For ProGuard:
Code:
Select Code
-ignorewarnings
-keepattributes *Annotation*
-keepattributes Exceptions
-keepattributes InnerClasses
-keepattributes Signature
-keepattributes SourceFile,LineNumberTable
-keep class com.hianalytics.android.**{*;}
-keep class com.huawei.updatesdk.**{*;}
-keep class com.huawei.hms.**{*;}
For AndResGuard:
Code:
Select Code
"R.string.hms*",
"R.string.agc*",
"R.string.connect_server_fail_prompt_toast",
"R.string.getting_message_fail_prompt_toast",
"R.string.no_available_network_prompt_toast",
"R.string.third_app_*",
"R.string.upsdk_*",
"R.layout.hms*",
"R.layout.upsdk_*",
"R.drawable.upsdk*",
"R.color.upsdk*",
"R.dimen.upsdk*",
"R.style.upsdk*
That's it! The FIDO SDK should now be available in your project.

Basic Usage
Now that FIDO's all set up, it's time to start using it. We're not going to be talking about the server-side stuff here, just the client-size. If you need help setting up a FIDO server, be sure to check out the instructions for whichever provider you're using.

FIDO2
The following code is a quick sample for getting FIDO2 registration and authentication requests working.

Code:
Select Code
class FIDO2Example : AppCompatActivity() {
    private val client by lazy { Fido2.getFido2Client(this) }

    //https://www.w3.org/TR/webauthn/#credential-id
    //Ideally this should be persisted somewhere.
    private var credentialId: ByteArray? = null

    override fun onActivityResult(requestCode: Int, resultCode: Int, data: Intent?) {
        super.onActivityResult(requestCode, resultCode, data)

        if (resultCode != Activity.RESULT_OK) {
            //User may have canceled registration or authentication,
            //or the related process failed. We shouldn't continue.
            return
        }

        when (requestCode) {
            Fido2Client.REGISTRATION_REQUEST -> {
                //Get the response data
                val response = client.getFido2RegistrationResponse(data)

                if (response.isSuccess) {
                    //Registration was successful. Notify user and store data.

                    //Save the credential ID
                    credentialId = response.authenticatorAttestationResponse.credentialId
                } else {
                    //Registration failed. The response data should contain information on why.
                }
            }
            
            Fido2Client.AUTHENTICATION_REQUEST -> {
                //Get the response data
                val response = client.getFido2AuthenticationResponse(data)
                
                if (response.isSuccess) {
                    //Authentication was successful. Allow the user into whatever secure place
                    //this was protecting.
                } else {
                    //Authentication failed. The response data should have information on why.
                }
            }
        }
    }

    //Initiate the user registration process
    fun doRegistration() {
        if (!client.isSupported) {
            //Can't use FIDO2 on this device. Tell the user and return.
            return
        }
        
        val request = createFido2RegistrationRequest()

        client.getRegistrationIntent(request, NativeFido2RegistrationOptions.DEFAULT_OPTIONS,
            object : Fido2IntentCallback {
                override fun onSuccess(intent: Fido2Intent) {
                    //The Intent was successfully created. Run it.
                    //This will start an Activity for a result, so we're going to handle the rest of it
                    //in onActivityResult(). You can use your own request code for this if you want.
                    intent.launchFido2Activity([email protected], Fido2Client.REGISTRATION_REQUEST)
                }

                override fun onFailure(errorCode: Int, errorMsg: CharSequence) {
                    //Unable to get the registration Intent.
                    //Notify user and/or try again.
                }
            }
        )
    }

    //Initiate the user authentication process
    fun doAuthentication() {
        if (credentialId == null) {
            //User isn't registered. Tell them to do so.
            return
        }
        
        if (!client.isSupported) {
            //Can't use FIDO2 on this device. Tell the user and return.
            return
        }
        
        val request = createFido2AuthenticationRequest()
        
        client.getAuthenticationIntent(request, NativeFido2AuthenticationOptions.DEFAULT_OPTIONS,
            object : Fido2IntentCallback {
                override fun onSuccess(intent: Fido2Intent) {
                    //The Intent was successfully created. Run it.
                    //This will start an Activity for a result, so we're going to handle the rest of it
                    //in onActivityResult(). You can use your own request code for this if you want.
                    intent.launchFido2Activity([email protected], Fido2Client.AUTHENTICATION_REQUEST)
                }

                override fun onFailure(errorCode: Int, errorMsg: CharSequence) {
                    //Unable to get the authentication Intent.
                    //Notify user and/or try again.
                }
            }
        )
    }

    //Create the request for registering a new user.
    fun createFido2RegistrationRequest(): Fido2RegistrationRequest {
        //A 16-byte challenge key, usually obtained fro the FIDO server itself
        val challenge = SecureRandom.getSeed(16)

        val builder = PublicKeyCredentialCreationOptions.Builder()
        //More details on a Relying Party: https://www.w3.org/TR/webauthn/#webauthn-relying-party
        builder.setRp(PublicKeyCredentialRpEntity("RELYING_PARTY_ID", "RELYING_PARTY_ID", null))
        //USER is the user being authenticated
        builder.setUser(PublicKeyCredentialUserEntity("USER", "USER".toByteArray()))
        builder.setChallenge(challenge)
        //Can also be INDIRECT or NONE
        builder.setAttestation(AttestationConveyancePreference.DIRECT)
        //An attachment, whether to require a resident key (Boolean), a user verification requirement.
        //More details on this here: https://www.w3.org/TR/webauthn/#dictdef-authenticatorselectioncriteria
        builder.setAuthenticatorSelection(AuthenticatorSelectionCriteria(null, null, null))
        //A list of credential types that the client would like to be created, in order
        //Of most-preferred to least-preferred. The server will attempt to create the most-
        //preferred one first, stepping down the list if it needs to.
        builder.setPubKeyCredParams(arrayListOf(
            PublicKeyCredentialParameters(PublicKeyCredentialType.PUBLIC_KEY, Algorithm.ES256),
            PublicKeyCredentialParameters(PublicKeyCredentialType.PUBLIC_KEY, Algorithm.RS256)
        ))
        //How long until this registration request should time out.
        builder.setTimeoutSeconds(60L)

        if (credentialId != null) {
            builder.setExcludeList(arrayListOf(
                PublicKeyCredentialDescriptor(PublicKeyCredentialType.PUBLIC_KEY, credentialId)
            ))
        }

        //If your client supports token binding, make sure to pass the
        //proper TokenBinding instance as the second parameter here.
        //https://www.w3.org/TR/webauthn/#dictdef-tokenbinding
        return Fido2RegistrationRequest(builder.build(), null)
    }

    //Create the request for authenticating a current user.
    fun createFido2AuthenticationRequest(): Fido2AuthenticationRequest {
        //A 16-byte challenge key, usually obtained fro the FIDO server itself
        val challenge = SecureRandom.getSeed(16)

        val allowList = arrayListOf(
            PublicKeyCredentialDescriptor(PublicKeyCredentialType.PUBLIC_KEY, credentialId)
        )

        val builder = PublicKeyCredentialRequestOptions.Builder()
        //More details on a Relying Party: https://www.w3.org/TR/webauthn/#webauthn-relying-party
        builder.setRpId("RELYING_PARTY_ID")
        builder.setChallenge(challenge)
        builder.setAllowList(allowList)
        builder.setTimeoutSeconds(60L)

        //If your client supports token binding, make sure to pass the
        //proper TokenBinding instance as the second parameter here.
        //https://www.w3.org/TR/webauthn/#dictdef-tokenbinding
        return Fido2AuthenticationRequest(builder.build(), null)
    }
}
BioAuthn
BioAuthn is the part of the FIDO SDK that lets you authenticate through biometrics, such as fingerprints and facial recognition.

Here's an example showing a quick implementation. This example is for the AndroidX library, but the implementation is similar for the non-AndroidX version.

Code:
Select Code
class BioAuthnExample : AppCompatActivity() {
    private val bioAuthnManager by lazy { BioAuthnManager(this) }
    private val faceManager by lazy { FaceManager(this) }
    private val authCallback = object : BioAuthnCallback() {
        override fun onAuthSucceeded(result: BioAuthnResult) {
            //Authentication was successful. Let the user in!
        }

        override fun onAuthFailed() {
            //Authentication failed. Sternly scold the user.
        }

        override fun onAuthError(errorId: Int, errorMsg: CharSequence) {
            //There was an error performing the authentication.
            //Tell the user and/or try again.
        }
    }

    fun doFingerprintAuthentication() {
        if (bioAuthnManager.canAuth() != BioAuthnManager.BIO_AUTHN_SUCCESS) {
            //Can't do fingerprint authentication.
            //This would probably be better in a helper function that
            //gets checked before this method is even called.
            return
        }

        val prompt = BioAuthnPrompt(this, ContextCompat.getMainExecutor(this), authCallback)
        val builder = BioAuthnPrompt.PromptInfo.Builder()

        //Tell the user why we need authentication.
        builder.setTitle("SOME DESCRIPTIVE TITLE")
        builder.setSubtitle("SOME DESCRIPTIVE SUBTITLE")
        builder.setDescription("SOME DESCRIPTIVE... DESCRIPTION")

        //Allow the use of biometrics
        //Using biometrics means there will be no negative button on the prompt dialog.
        //The user can choose to enter their PIN/password/pattern instead in this dialog.
        builder.setDeviceCredentialAllowed(true)

        //Actually show the prompt.
        prompt.auth(builder.build())
    }

    fun doFaceAuthentication() {
        if (faceManager.canAuth() != FaceManager.FACE_SUCCESS) {
            //Can't do face authentication.
            //This would probably be better in a helper function that
            //gets checked before this method is even called.
            return
        }

        //Use this to cancel the face authentication if needed.
        val cancellationSignal = CancellationSignal()

        //Do the face authentication.
        //The first parameter is an optional CryptoObject. At this time, it's not
        //recommended to use one.
        //The second parameter is the cancellation signal.
        //The third parameter is a set of optional flags for the request.
        //The fourth parameter is the actual authentication callback.
        //The fifth parameter is the Handler that the callback should be run on
        //(null for main Handler).
        faceManager.auth(null, cancellationSignal, 0, authCallback, null)
    }
}
Conclusion
That's all for the FIDO SDK! If you're using HMS, or you're planning to use HMS, and you want to make authentication inside your app easier for you and users, be sure to check it out.

You can find more details, including the full API reference for the FIDO SDK, on Huawei's developer website. (API Reference)
Post Reply Subscribe to Thread

Guest Quick Reply (no urls or BBcode)
Message:
Previous Thread Next Thread
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes