abergs

public async Task<IActionResult> TokenVerify(string token)
{
    var httpClient = new HttpClient();
    // use the Passwordless extension functions
    var result = await httpClient.VerifyPasswordlessToken(new VerifyTokenParameters(Configuration.ApiSecret, token));
    if (result.Success)
    {
        Response.Cookies.Append("User", result.Username);
    }

abergs

We are encountering an issue where if we try to supply our own Client JSON response, then somewhere between our code and the browser, the clientDataJSON bytes will have been replaced, causing the signature verification performed by the RP to fail.

Our questions are:

• Is the clientDataJSON override intentional?
• If we go straight for the authenticator, will the Android OS still implement the necessary Client protections (e.g. checking origin vs rpId)?

We provide our own JSON like this:

var getRequest = PendingIntentHandler.RetrieveProviderGetCredentialRequest(Intent);