Bug 1964526 - Fido2 Always try Credential Manager to create key, and fallback to GMS r=geckoview-reviewers,jschanck,m_kato

p1gp1g · makotokato · commit 97b34ffadff5 · 2025-07-30T05:42:07.000Z
Differential Revision: https://phabricator.services.mozilla.com/D247877
diff --git a/mobile/android/geckoview/src/main/java/org/mozilla/gecko/WebAuthnCredentialManager.java b/mobile/android/geckoview/src/main/java/org/mozilla/gecko/WebAuthnCredentialManager.java
@@ -136,18 +136,11 @@ public static GeckoResult<WebAuthnUtils.MakeCredentialResponse> makeCredential(
       final WebAuthnUtils.WebAuthnPublicCredential[] excludeList,
       final GeckoBundle authenticatorSelection,
       final byte[] clientDataHash) {
-    final Boolean requireResidentKey =
-        authenticatorSelection.getBoolean("requireResidentKey", false);
 
-    final Boolean residentKeyDiscouraged =
-        authenticatorSelection
-            .getString("residentKey", requireResidentKey ? "required" : "discouraged")
-            .equals("discouraged");
-
-    // We only use Credential Manager for Passkeys. If residentKey is discouraged, use GMS FIDO2.
-    if (residentKeyDiscouraged) {
-      return GeckoResult.fromException(new WebAuthnUtils.Exception("NOT_SUPPORTED_ERR"));
-    }
+    // We use Credential Manager first. If it doesn't work, we use GMS FIDO2.
+    // Credential manager may support non-discoverable keys,
+    // Else, following the specifications, `residentKey=discouraged` allows discoverable keys too
+    // but prefer non-discoverable keys
     if (Build.VERSION.SDK_INT < Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
       return GeckoResult.fromException(new WebAuthnUtils.Exception("NOT_SUPPORTED_ERR"));
     }
diff --git a/mobile/android/geckoview/src/main/java/org/mozilla/gecko/util/WebAuthnUtils.java b/mobile/android/geckoview/src/main/java/org/mozilla/gecko/util/WebAuthnUtils.java
@@ -362,7 +362,17 @@ public static JSONObject getJSONObjectForMakeCredential(
     json.put("excludeCredentials", excludeCredentials);
 
     final JSONObject authenticatorSelectionJSON = authenticatorSelection.toJSONObject();
-    authenticatorSelectionJSON.put("requireResidentKey", true);
+    /*
+    dom/webauthn/WebAuthnHandler.cpp: WebAuthnHandler::MakeCredential set `residentKey`
+    to "required" if there is no `residentKey` and `requireResidentKey` is true, and
+    `requireResidentKey` should be true if `residentKey` is "required". So we can retrieve
+    `requireResidentKey`'s value from `residentKey`.
+    `requireResidentKey` is only used if `residentKey` isn't set, so it shouldn't be used by any
+    authenticator that follows the specs.
+     */
+    authenticatorSelectionJSON.put(
+        "requireResidentKey",
+        authenticatorSelection.getString("residentKey", "").equals("required"));
     json.put("authenticatorSelection", authenticatorSelectionJSON);
 
     final JSONObject extensions = new JSONObject();
