Enable passkey support in browser for internal builds #6550
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
CDRussell
force-pushed
the
feature/craig/passkey_support_internal_builds
branch
2 times, most recently
from
5add8e8 to
f9e4f14
Compare
CDRussell
commented
Aug 11, 2025
| @@ -2,6 +2,8 @@ | |||
| <manifest xmlns:android="http://schemas.android.com/apk/res/android" | |||
| package="com.duckduckgo.autofill.impl"> | |||
|
|
|||
| <uses-permission android:name="android.permission.CREDENTIAL_MANAGER_SET_ORIGIN" /> | |||
There was a problem hiding this comment.
this is required for browsers as we're a special kind of app that is looking to interact with passkeys based on URLs (origins) rather than app package IDs. Google has us listed as an app with privileges to do this (most general apps cannot).
CDRussell
force-pushed
the
feature/craig/passkey_support_internal_builds
branch
from
f9e4f14 to
09d87ca
Compare
mikescamell
reviewed
Aug 13, 2025
app/src/main/java/com/duckduckgo/app/browser/BrowserTabFragment.kt
Outdated
Show resolved
Hide resolved
mikescamell
approved these changes
Aug 13, 2025
CDRussell
force-pushed
the
feature/craig/passkey_support_internal_builds
branch
from
09d87ca to
0e9aa4f
Compare
0nko
pushed a commit
that referenced
this pull request
Aug 15, 2025
Task/Issue URL: https://app.asana.com/1/137249556945/project/1203822806345703/task/1211006058270758?focus=true ### Description Enables `passkey` support for `internal` builds. - Currently the browser reports to websites that passkeys are unavailable - With this change, we add support for passkeys that can be used to log in and register on websites. We do not store passkeys in our app, but instead allow integration with the system's passkey provider (Google Password Manager, Samsung Pass etc...) It's `internal` only to give us some time to see if it brings issues, get internal feedback etc... ℹ️ Passkey support depends on which certificate is used to sign the app. As a browser we have been granted a special exemption for using APIs around origin but that relies on certificate hash matches. As such, to test this out in development you will need to [Set up debug code signing to use whitelisted certificate](https://app.asana.com/1/137249556945/task/1208295420929846?focus=true) ### Steps to test this PR - Ensure you are testing on an up-to-date version of `WebView` and Android API. - If using an emulator, for best results use one with Google Play installed. #### Verify browser shows as supported - [x] Follow instructions in [Set up debug code signing to use whitelisted certificate](https://app.asana.com/1/137249556945/task/1208295420929846?focus=true) - [x] Install from this branch - [x] Visit https://webauthn.io; verify you **do not see** a message saying browser is unsupported. (if you do, ping me) #### Verify you can create a new `passkey` - [x] Enter username (e.g., `chicken`) and tap `Register`; verify you are prompted to create a passkey. - [x] do it. (you might be prompted to set up device password if not already set up) - [x] Verify you see a `success` message. Tap the `Try it again` button to return. #### Verify you can login when username already selected - [x] Ensure your username is still filled in (e.g., `chicken`) and tap the `Authenticate` button - [x] Verify you see the `You're logged in` page. Tap the `Try it again` button to return #### Create a 2nd passkey for this website - [x] Enter another username (e.g., `horse`) and tap `Register` button. Accept the prompt to create a new passkey. - [x] Clear out the username field so it's empty - [x] Tap on `Authenticate` button and verify you see a list of passkeys and that selecting one lets you log in Co-authored-by: Craig Russell <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Task/Issue URL: https://app.asana.com/1/137249556945/project/1203822806345703/task/1211006058270758?focus=true
Description
Enables
passkeysupport forinternalbuilds.It's
internalonly to give us some time to see if it brings issues, get internal feedback etc...ℹ️ Passkey support depends on which certificate is used to sign the app. As a browser we have been granted a special exemption for using APIs around origin but that relies on certificate hash matches. As such, to test this out in development you will need to Set up debug code signing to use whitelisted certificate
Steps to test this PR
WebViewand Android API.Verify browser shows as supported
Verify you can create a new
passkeychicken) and tapRegister; verify you are prompted to create a passkey.successmessage. Tap theTry it againbutton to return.Verify you can login when username already selected
chicken) and tap theAuthenticatebuttonYou're logged inpage. Tap theTry it againbutton to returnCreate a 2nd passkey for this website
horse) and tapRegisterbutton. Accept the prompt to create a new passkey.Authenticatebutton and verify you see a list of passkeys and that selecting one lets you log in