Android Passkey Authentication Fails with "Origin parameter in client data doesn't match. clientData origin was android:apk-key-hash:Y-gtK..."
Overview
Passkey authentication in an Android application fails with the following error:
Origin parameter in client data doesn't match. clientData origin was android:apk-key-hash:Y-gtKqohF93lJsCNzyfKXOHDWx5iSWUc6QNKdhNPnjw
Applies To
- Okta Identity Engine (OIE)
- Android
- Passkey Authentication
- 3rd Party Android Password Managers
Cause
Android allows the use of third-party password managers. Some password managers might construct the ClientData with the optional androidPackageName set to an unexpected value.
Solution
Google Password Manager sets androidPackageName to the application's package name:
{
  "type": "webauthn.get",
  "challenge": "WlI...",
  "origin": "android:apk-key-hash:Y-gtKqohF93lJsCNzyfKXOHDWx5iSWUc6QNKdhNPnjw",
  "crossOrigin": false,
  "androidPackageName": "com.okta.idx.android"
}
A third-party password manager may instead set androidPackageName to the key hash:
{
  "type": "webauthn.get",
  "challenge": "WlI...",
  "origin": "android:apk-key-hash:Y-gtKqohF93lJsCNzyfKXOHDWx5iSWUc6QNKdhNPnjw",
  "crossOrigin": false,
  "androidPackageName": "android:apk-key-hash:Y-gtKqohF93lJsCNzyfKXOHDWx5iSWUc6QNKdhNPnjw"
}
In that case, Okta returns the error: Origin parameter in client data doesn't match. clientData origin was android:apk-key-hash:Y-gtKqohF93lJsCNzyfKXOHDWx5iSWUc6QNKdhNPnjw.
To work around this, add a second Associated Domains entry in the /.well-known/assetlinks.json file for the Okta Custom Domain.
The entry should copy the exact values of this application's existing entry, but with the package_name attribute changed to the full android:apk-key-hash value.
[
  {
    "relation": [
      "delegate_permission/common.handle_all_urls",
      "delegate_permission/common.get_login_creds"
    ],
    "target": {
      "namespace": "android_app",
      "package_name": "com.okta.idx.android",
      "sha256_cert_fingerprints": [
        "63:E8:2D:..."
      ]
    }
  },
  {
    "relation": [
      "delegate_permission/common.handle_all_urls",
      "delegate_permission/common.get_login_creds"
    ],
    "target": {
      "namespace": "android_app",
      "package_name": "android:apk-key-hash:Y-gtKqohF93lJsCNzyfKXOHDWx5iSWUc6QNKdhNPnjw",
      "sha256_cert_fingerprints": [
        "63:E8:2D:..."
      ]
    }
  }
]
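The following Python sketch is an added example, not Okta's own tooling. It derives the android:apk-key-hash value from each SHA-256 certificate fingerprint (the key hash is the base64url encoding, without padding, of the same 32 bytes) and appends the second entry described above. The package name com.example.app, the sample fingerprint, and the function names are constructed placeholders.

```python
import base64
import copy

PREFIX = "android:apk-key-hash:"

def fingerprint_to_origin(fingerprint):
    """Colon-separated SHA-256 cert fingerprint -> android:apk-key-hash origin."""
    raw = bytes.fromhex(fingerprint.replace(":", ""))
    if len(raw) != 32:
        raise ValueError("expected a 32-byte SHA-256 fingerprint")
    # base64url without '=' padding, matching the origin shown in the error
    return PREFIX + base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def origin_to_fingerprint(origin):
    """Key hash from the error message -> fingerprint form used in assetlinks.json."""
    b64 = origin[len(PREFIX):] if origin.startswith(PREFIX) else origin
    raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    return ":".join("%02X" % b for b in raw)

def add_key_hash_entries(statements):
    """Return a copy of the statement list with the workaround entry added
    for every android_app target that does not already have one."""
    out = copy.deepcopy(statements)
    present = {s["target"].get("package_name") for s in out}
    for stmt in statements:
        target = stmt["target"]
        if target.get("namespace") != "android_app":
            continue
        if target["package_name"].startswith(PREFIX):
            continue  # already a workaround entry
        for fp in target["sha256_cert_fingerprints"]:
            origin = fingerprint_to_origin(fp)
            if origin in present:
                continue
            clone = copy.deepcopy(stmt)  # same relation and fingerprints
            clone["target"]["package_name"] = origin
            out.append(clone)
            present.add(origin)
    return out

# Constructed sample input: package name and fingerprint are placeholders.
SAMPLE_FP = ":".join("%02X" % b for b in range(32))
SAMPLE = [{
    "relation": ["delegate_permission/common.handle_all_urls",
                 "delegate_permission/common.get_login_creds"],
    "target": {"namespace": "android_app",
               "package_name": "com.example.app",
               "sha256_cert_fingerprints": [SAMPLE_FP]},
}]
```

Running origin_to_fingerprint on the key hash from the error message gives the fingerprint to compare against the existing sha256_cert_fingerprints entry before publishing the updated file.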