request direct attestation does not work

[anaselhajjaji]

Hello

If I change in the method router.post('/registerRequest') to force the attestation to direct let attestation = 'direct';
I added in the router.post('/registerResponse') the following code: console.log(registrationInfo.aaguid);
the result is: 00000000-0000-0000-0000-000000000000

I think the attestation statement is not retrieved even if we ask for it... Can you tell why this happens?
Is it a limitation of the FIDO2 API for Android?

Thank you.

[agektmr]

That is odd. Can you point me to the server?

[agektmr]

You probably changed the line: https://github.com/googlecodelabs/fido2-codelab/blob/master/libs/auth.js#L245
But this will be overwritten by the request from the client: https://github.com/googlecodelabs/fido2-codelab/blob/master/android/app/src/main/java/com/example/android/fido2/api/AuthApi.kt#L130
and
https://github.com/googlecodelabs/fido2-codelab/blob/master/libs/auth.js#L263

[anaselhajjaji]

Thank your for your answer.

I noticed that even if the backend returns direct attestation in registration options, Android code ignores that (see: https://github.com/googlecodelabs/fido2-codelab/blob/master/android/app/src/main/java/com/example/android/fido2/api/AuthApi.kt#L312)

I made some changes on Android app only (see here: https://github.com/anaselhajjaji/fido2-codelab/pull/1/files) and when debugging I saw android-safetynet returned but there is an issue on backend code about certificate verification, hopefully I'll try to find some time to fix the backend as well.

See: