ForgeRock Developer Experience

Register a WebAuthn device

To register a WebAuthn device on receipt of a WebAuthnRegistrationCallback from the server, use the register() method.

Optionally, use the deviceName parameter to assign a name to the device to help the user identify it.

Java:

WebAuthnRegistrationCallback callback =
    node.getCallback(WebAuthnRegistrationCallback.class);

callback.register(requireContext(), deviceName, node, new FRListener<Void>() {
    @Override
    public void onSuccess(Void result) {
        // Registration is successful
        // Continue the journey by calling next()
    }

    @Override
    public void onException(Exception e) {
        // An error occurred during the registration process
        // Continue the journey by calling next()
    }
});

Kotlin:

@Composable
fun WebAuthnRegistrationCallback(
    callback: WebAuthnRegistrationCallback,
    node: Node,
    onCompleted: () -> Unit
) {
    // Always invoke the most recent onCompleted lambda, even after recomposition
    val currentOnCompleted by rememberUpdatedState(onCompleted)
    val context = LocalContext.current
    var deviceName by remember { mutableStateOf(Build.MODEL) }

    // register() suspends, so call it from a coroutine
    LaunchedEffect(true) {
        try {
            callback.register(context, deviceName, node)
            // Registration is successful
            currentOnCompleted()
        } catch (e: CancellationException) {
            // User cancelled registration
        } catch (e: Exception) {
            // An error occurred during the registration process
            currentOnCompleted()
        }
    }
}

Passkey support

The ForgeRock SDK for Android supports passkeys when the app is running on Android P or later. For more information on passkeys, refer to Passkey support on Android and Chrome.

If the WebAuthn Registration node has the Username to device option enabled and the app is running on Android P or later, then the SDK sets the RESIDENT_KEY_REQUIRED flag and enables passkeys for WebAuthn.

In this case, the user is asked to create a new passkey on their device and is required to perform biometric authentication to confirm. The device syncs the generated passkey to the user’s Google Account for use on their supported devices.

Figure 1. Creating a new passkey on Android

If the device is not running Android P or later, the SDK sets the RESIDENT_KEY_DISCOURAGED flag, meaning passkeys are neither used nor synchronized to the Google Account.

For more information about resident keys and client-side discoverable credentials, refer to ResidentKeyRequirement in the Google developer documentation.

Override passkey support

You can use the setResidentKeyRequirement() method to override the automatic behavior. For example, if you do not want to use passkeys on Android P devices, you might use the following code:

callback.setResidentKeyRequirement(ResidentKeyRequirement.RESIDENT_KEY_DISCOURAGED)
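
The override placed in the registration flow, as an added example that is not ForgeRock's own code: an app that does not want passkeys synchronized to the Google Account sets the requirement before calling register(), then continues the journey on either outcome. The WebAuthnRegistrar class, the allowSyncedPasskeys flag and the log tag are hypothetical, and the import paths are assumed to match the ForgeRock Android SDK and Google Play services FIDO2 library.

```java
import android.content.Context;
import android.util.Log;

import com.google.android.gms.fido.fido2.api.common.ResidentKeyRequirement;

import org.forgerock.android.auth.FRListener;
import org.forgerock.android.auth.Node;
import org.forgerock.android.auth.NodeListener;
import org.forgerock.android.auth.callback.WebAuthnRegistrationCallback;

/** Hypothetical helper; the class, flag and tag names are not part of the SDK. */
public final class WebAuthnRegistrar {
    private static final String TAG = "WebAuthnRegistrar";

    private WebAuthnRegistrar() { }

    public static void register(Context context,
                                WebAuthnRegistrationCallback callback,
                                Node node,
                                String deviceName,
                                boolean allowSyncedPasskeys,
                                NodeListener<?> journeyListener) {
        if (!allowSyncedPasskeys) {
            // Set the override before register(); otherwise the SDK's
            // automatic choice (passkeys on Android P or later) applies.
            callback.setResidentKeyRequirement(
                    ResidentKeyRequirement.RESIDENT_KEY_DISCOURAGED);
        }

        callback.register(context, deviceName, node, new FRListener<Void>() {
            @Override
            public void onSuccess(Void result) {
                // Registration is successful: continue the journey
                node.next(context, journeyListener);
            }

            @Override
            public void onException(Exception e) {
                // Log only the exception type, then let the journey decide
                // how to proceed after the failed registration.
                Log.w(TAG, "WebAuthn registration failed: "
                        + e.getClass().getSimpleName());
                node.next(context, journeyListener);
            }
        });
    }
}
```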
Copyright © 2010-2023 ForgeRock, all rights reserved.