The incoming request cannot be validated

[Will5]

I am trying to implement FIDO2 on Android, and I am testing using the CredentialManager sample and code lab. However, when I click on "Sign Up with passkey", I get the following exception:

Auth com.google.credentialmanager.sample E createPasskey failed with exception: The incoming request cannot be validated

The Documentation suggests "The app's package ID is not registered with your server. Validate this in your server-side integration." However, I have the assetlinks.json hosted on my domain, and I have used the following tools to verify:

• https://developers.google.com/digital-asset-links/tools/generator
• https://digitalassetlinks.googleapis.com/v1/statements:list?source.web.site=${SOURCE_WEB_SITE}&relation=delegate_permission/common.handle_all_urls

The asset links looks like this:

[
  {
    "relation" : [
      "delegate_permission/common.handle_all_urls",
      "delegate_permission/common.get_login_creds"
    ],
    "target" : {
      "namespace" : "web",
      "site" : "${SITE}"
    }
  },
  {
    "relation" : [
      "delegate_permission/common.handle_all_urls",
      "delegate_permission/common.get_login_creds"
    ],
    "target" : {
      "namespace" : "android_app",
      "package_name" : "com.google.credentialmanager.sample",
      "sha256_cert_fingerprints" : [
        "${SHA256_CERT_FINGERPRINT}"
      ]
    }
  }
]

Any thoughts or suggestions?

[niharika2810]

Hi

We do have a codelab for FIDO2, mostly the same steps and asset linking, did you try that as well? Also, are you still facing the issue?

https://codelabs.developers.google.com/codelabs/fido2-for-android

[niharika2810]

Also, throguh the codelab, to verify, you could once try same glitch me server and check if you are able to replicate or if there is some other issue.

[SumitProgrammer5955]

After spending two days finally i got the answer of your question.

Step 1: First add your release SHA256 key with your package name into assetlinks.json file and upload it your rp (realing party website) /.well-known path

Step 2: Change your build varint to release build.

Step 3: Most important step is to add build flavour inside signInConfig block in build.gradle file like this

signingConfigs {
debug {

}
release {
    storeFile file('../my_keystore.keystore')
    storePassword 'password'
    keyAlias 'password'
    keyPassword 'password'
}

}
step 4 : Inside buildTypes block asscess your release file flavour

buildTypes {
release {
signingConfig signingConfigs.release
minifyEnabled false
proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
}
Now you are good to go. this steps will work on both Fido2 and CredentialManager api android

[niharika2810]

Hey, closing this. let me know if there's any other issue here :)

[ctechdev]

@SumitProgrammer5955 I didn't quite understand if you had the problem only in debug or if it also works with the SHA256 debug key. I'm having the same problem but still in development I have the app only in debug mode.

[ckgal]

Hi All, i have followed through the following but still getting "The incoming request cannot be validated":

• added assetlinks.json to server
• tested using https://developers.google.com/digital-asset-links/tools/generator

Anyone has any idea or suggestions?