Passkey creation and use fails with Passkey operation failed because app not found in assets links #4733

Open
1 task
andrearizzini-deciphex opened this issue Feb 17, 2025 · 7 comments

andrearizzini-deciphex commented Feb 17, 2025

Steps To Reproduce

I have reproduced this behavior for a number of passkey services: Amazon, PayPal, Google.

This is when I try to create a passkey for Amazon:

  1. Go to Login in amazon.co.uk
  2. Click on Your Account
  3. Scroll down to Login & Security
  4. Click on PassKey
  5. Click on Add Passkey
  6. A Bitwarden popup with a prompt: create passkey to sign in Amazon Shopping
  7. Click on Continue
  8. I get the error below: "Passkey operation failed because app not found in assets links"

This is when I try to use a previously saved passkey (created in Ubuntu via Firefox extension):

  1. Go to Login
  2. Bitwarden popup with prompt: Use your saved passkey for Amazon Shopping
  3. Click on Continue
  4. I get the error below: "Passkey operation failed because app not found in assets links"

I can create passkeys without issue from Ubuntu via the Firefox extension. I can use passkeys generated across macOS, Ubuntu and iOS, but currently not on my Pixel 8 Pro.

Expected Result

Passkey created and configured correctly.

  1. Can login with the new passkey
  2. Can use other passkeys

Actual Result

Passkey creation fails with error message:
An error has occurred: Passkey operation failed because app not found in assets links

Screenshots or Videos

No response

Additional Context

Build Version

2025.1.2 (19740)

What server are you connecting to?

US

Self-host Server Version

No response

Environment Details

  • Phone: Pixel 8 Pro
  • Latest update and latest security patch: Android 15

Issue Tracking Info

  • I understand that work is tracked outside of GitHub. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.
@bitwarden-bot

Thank you for your report! We've added this to our internal board for review.
ID: PM-18375

@SaintPatrck
Contributor

@andrearizzini-deciphex Are you attempting to create and use the passkeys in the native applications or via a web browser?

@andrearizzini-deciphex
Author

andrearizzini-deciphex commented Feb 19, 2025

@SaintPatrck, you are correct, I'm either trying to create a new passkey in the native application (and getting the error) or using a previously created passkey (and getting the same error). The passkey I had previously created was with the Bitwarden Browser Extension on Firefox (version: 2024.12.4). These previously created passkeys work properly on other devices, such as macOS (via browser extension) and iOS.

If you need any other information, please don't hesitate to ask.

@SaintPatrck
Contributor

The issue with PayPal is known and expected. More details about PayPal can be found here.

I've not been able to reproduce the same error with Amazon. Could you capture the Amazon package name for me? To get the package name, long press on the launcher icon then tap App Info. The package name will be displayed at the bottom, below the version name. It should look similar to this...

Image

The same version info from the Google application would also help. I did a quick check against their digital asset links file and noticed that the Google app (package name com.google.android.googlequicksearchbox) is not granted the delegate permissions that are required to support passkeys.

For context, the warning you're seeing is due to a missing or invalid digital asset links file. We use data in the passkey request to derive the digital asset link URL. We expect to derive https://{rpId}/.well-known/assetlinks.json where rpId is the party's domain (e.g. google.com or amazon.com). When the application making the passkey request is not found in the digital asset links file, signing info doesn't match, or does not declare the correct permissions, we display the error you're seeing. You can manually validate whether the application you're using is listed by navigating to the expected digital asset link file location and searching for an entry with the app package ID. According to this documentation, the digital asset link file must declare both get_login_creds and handle_all_urls permissions for the app in order to support passkeys.
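
The check described in the comment above, sketched as an added example (not Bitwarden's code and not part of the original thread): it evaluates a parsed assetlinks.json for one calling app and reports which of the three failure conditions applies. The sample statements, package names and fingerprints are constructed, and the `required` parameter is an assumption that lets the same file be evaluated under either reading of the relation requirement discussed in this thread.

```python
HANDLE_ALL_URLS = "delegate_permission/common.handle_all_urls"
GET_LOGIN_CREDS = "delegate_permission/common.get_login_creds"
BOTH = frozenset({HANDLE_ALL_URLS, GET_LOGIN_CREDS})

def asset_links_url(rp_id):
    """Location of the Digital Asset Links file for a relying party ID."""
    return f"https://{rp_id}/.well-known/assetlinks.json"

def _norm(fingerprint):
    # Compare fingerprints without colons and case-insensitively.
    return fingerprint.replace(":", "").strip().upper()

def check_app(statements, package_name, cert_sha256, required=BOTH):
    """Return (ok, reason) for the calling app against a parsed assetlinks.json."""
    listed = cert_ok = False
    granted = set()
    for st in statements:
        target = st.get("target", {})
        if (target.get("namespace") != "android_app"
                or target.get("package_name") != package_name):
            continue
        listed = True
        prints = {_norm(f) for f in target.get("sha256_cert_fingerprints", [])}
        if _norm(cert_sha256) in prints:
            cert_ok = True
            # Relations only count when granted to this signing certificate.
            granted.update(st.get("relation", []))
    if not listed:
        return False, "package not listed"
    if not cert_ok:
        return False, "signing certificate mismatch"
    missing = sorted(set(required) - granted)
    if missing:
        return False, "missing relation: " + ", ".join(missing)
    return True, "ok"

# Constructed sample file: package names and fingerprints are made up.
FP_SHOP = ":".join(["AA"] * 32)
FP_SEARCH = ":".join(["BB"] * 32)
SAMPLE = [
    {"relation": [HANDLE_ALL_URLS, GET_LOGIN_CREDS],
     "target": {"namespace": "android_app", "package_name": "com.example.shop",
                "sha256_cert_fingerprints": [FP_SHOP]}},
    {"relation": [HANDLE_ALL_URLS],
     "target": {"namespace": "android_app", "package_name": "com.example.search",
                "sha256_cert_fingerprints": [FP_SEARCH]}},
]

if __name__ == "__main__":
    print(asset_links_url("example.com"))
    for pkg, fp in [("com.example.shop", FP_SHOP), ("com.example.search", FP_SEARCH)]:
        print(pkg, check_app(SAMPLE, pkg, fp), check_app(SAMPLE, pkg, fp, {HANDLE_ALL_URLS}))
```
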

@andrearizzini-deciphex
Author

Hi Patrick,

thanks for the prompt reply.

Amazon app version that I'm using is: Version 30.3.0.100, which is the same as yours.
Google app version that I'm using is: Version 16.5.37.sa.arm64

I never had any issues previously with passkeys on Xiaomi Mi 10T Pro (Android 14) and I started to enable it on any services that prompted me. (Create & Use)

What is strange is that when I upgraded to Google Pixel 8 Pro (Android 15), I noticed the issues with passkeys.

Thanks for providing the bug report. I did read through the section of the comments; however, I haven't come to your same conclusion. One of the comments mentioned this.

We may migrate to require only get_login_creds for asset link validation in the future. However, until we complete migrating our logic to accept it, delegate_permission/common.handle_all_urls is the required relationship. Therefore, the safest approach is exactly what you are doing, to include both delegate_permission/common.handle_all_urls and delegate_permission/common.get_login_creds.

So what I make of this comment is to include both claims in the assetlinks.json (forward / backward compatible), but only verify delegate_permission/common.handle_all_urls.

What is the version of Bitwarden where the new claim get_login_creds became mandatory?

Best Regards

Andrea

@SaintPatrck
Contributor

Hi Andrea,

How about the package names for Amazon and Google? I'm especially interested in the Amazon package name because I clearly see both claims declared in their digital asset links for com.amazon.mShop.android.shopping. 🤔

I checked our first passkey implementation in the MAUI app and it appears we've always required both claims. (src PR).

After re-reading the comment, I see your point. This may be a misunderstanding on our part. Thank you for pointing it out. I've opened a new bug report to hopefully get better clarification. If their response confirms we only need to verify handle_all_urls is present we'll make the appropriate update.

@andrearizzini-deciphex
Author

Hi Patrick,

sorry for the late reply, I really appreciate your quick turnarounds.
I wasn't able to get the package name displayed until I had enabled the developer mode.

So here are the package names:
com.amazon.mShop.android.shopping: 30.3.0.100
com.google.android.googlequicksearchbox: 16.5.37.sa.ARM64

Regards

Andrea
