FIDO2 APIs for Native Android Applications
Ideem's FIDO2 Authenticator interfaces can be used to integrate with an existing Relying Party infrastructure. A Relying Party server is responsible for managing the storage of credential_ids and public keys associated with enrollments, generating challenges, and verifying signed challenges.
These interfaces allow you to determine if a user has already been enrolled (cryptographically bound to the device), create an enrollment if they have not, or verify them. FIDO2 Authenticator WebAuthn functions can be used to provide a silent second factor after strong authentication, as well as reverification when needed for transactions requiring step up authentication.
Interface Definitions
Getting the version number of the SDK library: FIDO2Client.versionString
To retrieve the version number of the SDK library use the class property FIDO2Client.versionString. It will return the version number in semantic versioning format, major.minor.patch.
Kotlin
Retrieving Enrollment Status: FIDO2Client.webauthnRetrieve()
There are two versions of this method: one for retrieving credentials for the current user, and another for retrieving credentials for a specific user.
For Current User
The webauthnRetrieve method checks if the current user has previously registered credentials on this device and retrieves the enrollment status.
Usage
client.webauthnRetrieve { response ->
if (response != null) {
val rawId = response.getString("rawId")
// Handle retrieved attestation data
} else {
Log.e("FIDO2ClientViewModel", "Error retrieving attestation data")
}
}
Parameters
| Parameter Name | Data Type | Description |
|---|---|---|
completion | (JSONObject?) -> Unit | A callback function that handles the completion of the retrieval. |
Returns
The callback function returns the following parameter:
| Parameter Name | Data Type | Description |
|---|---|---|
response | JSONObject? | The retrieved enrollment status (attestation data) as a JSON object, or null if not found. |
For Specific User
The webauthnRetrieve method with a user parameter checks if a specific user has previously registered credentials on this device and retrieves the enrollment status.
Usage
val userId = "user123" // Unique identifier for the user
client.webauthnRetrieve(userId) { response ->
if (response != null) {
val rawId = response.getString("rawId")
// Handle retrieved attestation data for specific user
} else {
Log.e("FIDO2ClientViewModel", "Error retrieving attestation data for user: $userId")
}
}
Parameters
| Parameter Name | Data Type | Description |
|---|---|---|
user | String | The user ID for which to retrieve credentials. |
completion | (JSONObject?) -> Unit | A callback function that handles the completion of the retrieval. |
Returns
The callback function returns the following parameter:
| Parameter Name | Data Type | Description |
|---|---|---|
response | JSONObject? | The retrieved enrollment status (attestation data) as a JSON object, or null if not found. |
Enrolling (Attestation): FIDO2Client.webauthnCreate()
The webauthnCreate method initiates the creation of a new credential object using the specified PublicKeyCredentialCreationOptions. The generated credential object can be stored securely for future authentication.
The response follows the PublicKeyCredential format from the WebAuthn standard.
Refer to Mozilla's online documentation on PublicKeyCredentialCreationOptions or to the W3C standard Options for Credential Creation. For response format, see the W3C standard PublicKeyCredential interface.
Usage
client.webauthnCreate(optionsJsonObject) { result, metadata, error ->
if (result != null) {
val rawId = result.getString("rawId")
// Handle successful creation, store or use the rawId
} else if (error != null) {
Log.e("FIDO2ClientViewModel", "Error during creation: ${error.localizedMessage}")
}
}
Parameters
| Parameter Name | Data Type | Description |
|---|---|---|
options | JSONObject | A JSON object representing PublicKeyCredentialCreationOptions. |
completion | (JSONObject?, Map<String, String>?, ZSMError?) -> Unit | A callback function that handles the completion of the operation. |
Returns
The callback function returns the following parameters:
| Parameter Name | Data Type | Description |
|---|---|---|
result | JSONObject? | The attestation data generated during credential creation as a JSON object. |
metadata | Map<String, String>? | Additional metadata associated with the creation process. |
error | ZSMError? | Error object in case of failure; otherwise, null. |
Verifying (Assertion): FIDO2Client.webauthnGet()
The webauthnGet method retrieves a credential object based on the specified PublicKeyCredentialRequestOptions. This object can be used to authenticate the user.
The response follows the AuthenticatorAssertionResponse format from the WebAuthn standard.
Refer to Mozilla's online documentation on PublicKeyCredentialRequestOptions or to the W3C standard Options for Assertion Generation. For response format, see the W3C standard AuthenticatorAssertionResponse interface.
Usage
client.webauthnGet(optionsJsonObject) { result, metadata, error ->
if (result != null) {
// Handle successful assertion
} else if (error != null) {
Log.e("FIDO2ClientViewModel", "Error during assertion: ${error.localizedMessage}")
}
}
Parameters
| Parameter Name | Data Type | Description |
|---|---|---|
options | JSONObject | A JSON object representing PublicKeyCredentialRequestOptions. |
completion | (JSONObject?, Map<String, String>?, ZSMError?) -> Unit | A callback function that handles the completion of the operation. |
Returns
The callback function returns the following parameters:
| Parameter Name | Data Type | Description |
|---|---|---|
result | JSONObject? | The assertion data generated during credential verification as a JSON object. |
metadata | Map<String, String>? | Additional metadata associated with the request process. |
error | ZSMError? | Error object in case of failure; otherwise, null. |
Unbind: FIDO2Client.unbind()
There are two versions of this method: one for removing all FIDO2 credentials for the current user, and another for removing credentials for a specific user.
For Current User
The unbind method removes all FIDO2 credentials and state for the current user from the device.
Usage
client.unbind { success ->
if (success) {
Log.d("FIDO2ClientViewModel", "Successfully unbind FIDO2 state for current user")
} else {
Log.e("FIDO2ClientViewModel", "Failed to unbind FIDO2 state")
}
}
Parameters
| Parameter Name | Data Type | Description |
|---|---|---|
completion | (Boolean) -> Unit | A callback function that handles the completion of the unbind operation. |
Returns
The callback function returns the following parameter:
| Parameter Name | Data Type | Description |
|---|---|---|
success | Boolean | Indicates whether the unbind operation was successful. |
For Specific User
The unbind method with a user parameter removes FIDO2 credentials and state for a specific user from the device.
Usage
val userId = "user123" // Unique identifier for the user
client.unbind(userId) { success ->
if (success) {
Log.d("FIDO2ClientViewModel", "Successfully unbind FIDO2 state for user: $userId")
} else {
Log.e("FIDO2ClientViewModel", "Failed to unbind FIDO2 state for user: $userId")
}
}
Parameters
| Parameter Name | Data Type | Description |
|---|---|---|
user | String | The user ID for which to remove credentials. |
completion | (Boolean) -> Unit | A callback function that handles the completion of the unbind operation. |
Returns
The callback function returns the following parameter:
| Parameter Name | Data Type | Description |
|---|---|---|
success | Boolean | Indicates whether the unbind operation was successful. |
Java
Retrieving Enrollment Status: FIDO2Client.webauthnRetrieve()
There are two versions of this method: one for retrieving credentials for the current user, and another for retrieving credentials for a specific user.
For Current User
The webauthnRetrieve method checks if the current user has previously registered credentials on this device and retrieves the enrollment status.
Usage
client.webauthnRetrieve(response -> {
if (response != null) {
try {
String rawId = response.getString("rawId");
// Handle retrieved attestation data
} catch (JSONException e) {
Log.e("FIDO2ClientViewModel", "Error parsing JSON response: " + e.getMessage());
}
} else {
Log.e("FIDO2ClientViewModel", "Error retrieving attestation data");
}
});
Parameters
| Parameter Name | Data Type | Description |
|---|---|---|
completion | WebAuthnRetrieveCompletionHandler | A callback interface that handles the completion of the retrieval. |
The WebAuthnRetrieveCompletionHandler interface has a single method:
void onComplete(JSONObject result);
Returns
The callback function returns the following parameter:
| Parameter Name | Data Type | Description |
|---|---|---|
result | JSONObject? | The retrieved enrollment status (attestation data) as a JSON object, or null if not found. |
For Specific User
The webauthnRetrieve method with a user parameter checks if a specific user has previously registered credentials on this device and retrieves the enrollment status.
Usage
String userId = "user123"; // Unique identifier for the user
client.webauthnRetrieve(userId, response -> {
if (response != null) {
try {
String rawId = response.getString("rawId");
// Handle retrieved attestation data for specific user
} catch (JSONException e) {
Log.e("FIDO2ClientViewModel", "Error parsing JSON response: " + e.getMessage());
}
} else {
Log.e("FIDO2ClientViewModel", "Error retrieving attestation data for user: " + userId);
}
});
Parameters
| Parameter Name | Data Type | Description |
|---|---|---|
user | String | The user ID for which to retrieve credentials. |
completion | WebAuthnRetrieveCompletionHandler | A callback interface that handles the completion of the retrieval. |
Returns
The callback function returns the following parameter:
| Parameter Name | Data Type | Description |
|---|---|---|
result | JSONObject? | The retrieved enrollment status (attestation data) as a JSON object, or null if not found. |
Enrolling (Attestation): FIDO2Client.webauthnCreate()
The webauthnCreate method initiates the creation of a new credential object using the specified PublicKeyCredentialCreationOptions. The generated credential object can be stored securely for future authentication.
Refer to Mozilla's PublicKeyCredentialCreationOptions documentation or the W3C Options for Credential Creation.
Usage
client.webauthnCreate(optionsJsonObject, (result, metadata, error) -> {
if (result != null) {
try {
String rawId = result.getString("rawId");
// Handle successful creation, store or use the rawId
} catch (JSONException e) {
Log.e("FIDO2ClientViewModel", "Error parsing JSON response: " + e.getMessage());
}
} else if (error != null) {
Log.e("FIDO2ClientViewModel", "Error during creation: " + error.getLocalizedMessage());
}
});
Parameters
| Parameter Name | Data Type | Description |
|---|---|---|
options | JSONObject | A JSON object representing PublicKeyCredentialCreationOptions. |
completion | WebAuthnCompletionHandler | A callback interface that handles the completion of the operation. |
The WebAuthnCompletionHandler interface has a single method:
void onComplete(JSONObject result, Map<String, String> metadata, ZSMError error);
Returns
The callback function returns the following parameters:
| Parameter Name | Data Type | Description |
|---|---|---|
result | JSONObject? | The attestation data generated during credential creation as a JSON object. |
metadata | Map<String, String>? | Additional metadata associated with the creation process. |
error | ZSMError? | Error object in case of failure; otherwise, null. |
Verifying (Assertion): FIDO2Client.webauthnGet()
The webauthnGet method retrieves a credential object based on the specified PublicKeyCredentialRequestOptions. This object can be used to authenticate the user.
Refer to Mozilla's PublicKeyCredentialRequestOptions documentation or the W3C Options for Assertion Generation.
Usage
client.webauthnGet(optionsJsonObject, (result, metadata, error) -> {
if (result != null) {
// Handle successful assertion
} else if (error != null) {
Log.e("FIDO2ClientViewModel", "Error during assertion: " + error.getLocalizedMessage());
}
});
Parameters
| Parameter Name | Data Type | Description |
|---|---|---|
options | JSONObject | A JSON object representing PublicKeyCredentialRequestOptions. |
completion | WebAuthnCompletionHandler | A callback interface that handles the completion of the operation. |
Returns
The callback function returns the following parameters:
| Parameter Name | Data Type | Description |
|---|---|---|
result | JSONObject? | The assertion data generated during credential verification as a JSON object. |
metadata | Map<String, String>? | Additional metadata associated with the request process. |
error | ZSMError? | Error object in case of failure; otherwise, null. |
Unbind: FIDO2Client.unbind()
There are two versions of this method: one for removing all FIDO2 credentials for the current user, and another for removing credentials for a specific user.
For Current User
The unbind method removes all FIDO2 credentials and state for the current user from the device.
Usage
client.unbind(success -> {
if (success) {
Log.d("FIDO2ClientViewModel", "Successfully unbound FIDO2 state for current user");
} else {
Log.e("FIDO2ClientViewModel", "Failed to unbind FIDO2 state");
}
});
Parameters
| Parameter Name | Data Type | Description |
|---|---|---|
completion | BooleanCompletionHandler | A callback interface that handles the completion of the unbind operation. |
The BooleanCompletionHandler interface has a single method:
void onComplete(boolean success);
Returns
The callback function returns the following parameter:
| Parameter Name | Data Type | Description |
|---|---|---|
success | boolean | Indicates whether the unbind operation was successful. |
For Specific User
The unbind method with a user parameter removes FIDO2 credentials and state for a specific user from the device.
Usage
String userId = "user123"; // Unique identifier for the user
client.unbind(userId, success -> {
if (success) {
Log.d("FIDO2ClientViewModel", "Successfully unbound FIDO2 state for user: " + userId);
} else {
Log.e("FIDO2ClientViewModel", "Failed to unbind FIDO2 state for user: " + userId);
}
});
Parameters
| Parameter Name | Data Type | Description |
|---|---|---|
user | String | The user ID for which to remove credentials. |
completion | BooleanCompletionHandler | A callback interface that handles the completion of the unbind operation. |
Returns
The callback function returns the following parameter:
| Parameter Name | Data Type | Description |
|---|---|---|
success | boolean | Indicates whether the unbind operation was successful. |