fix(auth): Fix passkey usage on Android < 13 devices (#3039)

Author: mattcreaser

aws-auth-cognito/build.gradle.kts

@@ -41,6 +41,7 @@ dependencies {
     implementation(libs.androidx.security)
     implementation(libs.androidx.browser)
     implementation(libs.androidx.credentials)
+    implementation(libs.androidx.credentials.play.services)
 
     implementation(libs.aws.http)
     implementation(libs.aws.cognitoidentity)

aws-auth-cognito/src/main/java/com/amplifyframework/auth/cognito/exceptions/webauthn/WebAuthnNotSupportedException.kt

@@ -19,9 +19,15 @@ package com.amplifyframework.auth.cognito.exceptions.webauthn
  * Exception that is thrown because WebAuthn is not supported on the device. This indicates that either the device
  * did not ship with WebAuthn support, or that your application is missing a required dependency or service.
  */
-class WebAuthnNotSupportedException internal constructor(cause: Throwable?) :
-    WebAuthnFailedException(
-        message = "WebAuthn is not supported on this device",
-        recoverySuggestion = TODO_RECOVERY_SUGGESTION,
-        cause = cause
-    )
+class WebAuthnNotSupportedException internal constructor(
+    message: String,
+    cause: Throwable? = null
+) : WebAuthnFailedException(
+    message = message,
+    recoverySuggestion = TODO_RECOVERY_SUGGESTION,
+    cause = cause
+) {
+    internal constructor(
+        cause: Throwable?
+    ) : this(message = "WebAuthn is not supported on this device", cause = cause)
+}

aws-auth-cognito/src/main/java/com/amplifyframework/auth/cognito/helpers/WebAuthnHelper.kt

@@ -17,6 +17,7 @@ package com.amplifyframework.auth.cognito.helpers
 
 import android.app.Activity
 import android.content.Context
+import android.os.Build
 import androidx.credentials.CreateCredentialResponse
 import androidx.credentials.CreatePublicKeyCredentialRequest
 import androidx.credentials.CreatePublicKeyCredentialResponse
@@ -75,22 +76,26 @@ internal class WebAuthnHelper(
     }
 
     suspend fun createCredential(requestJson: String, callingActivity: Activity): String {
-        try {
-            // Create the request for CredentialManager
-            val request = CreatePublicKeyCredentialRequest(requestJson)
-
-            // Create the credential
-            logger.verbose("Prompting user to create a PassKey")
-            val result: CreateCredentialResponse = credentialManager.createCredential(callingActivity, request)
-
-            // Extract the Public Key registration response. This is what we send to Cognito.
-            val publicKeyResult = result as? CreatePublicKeyCredentialResponse ?: throw WebAuthnFailedException(
-                "Android created wrong credential type",
-                AmplifyException.REPORT_BUG_TO_AWS_SUGGESTION
-            )
-            return publicKeyResult.registrationResponseJson
-        } catch (e: CreateCredentialException) {
-            throw e.toAuthException()
+        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
+            try {
+                // Create the request for CredentialManager
+                val request = CreatePublicKeyCredentialRequest(requestJson)
+
+                // Create the credential
+                logger.verbose("Prompting user to create a PassKey")
+                val result: CreateCredentialResponse = credentialManager.createCredential(callingActivity, request)
+
+                // Extract the Public Key registration response. This is what we send to Cognito.
+                val publicKeyResult = result as? CreatePublicKeyCredentialResponse ?: throw WebAuthnFailedException(
+                    "Android created wrong credential type",
+                    AmplifyException.REPORT_BUG_TO_AWS_SUGGESTION
+                )
+                return publicKeyResult.registrationResponseJson
+            } catch (e: CreateCredentialException) {
+                throw e.toAuthException()
+            }
+        } else {
+            throw WebAuthnNotSupportedException("Passkeys are only supported on API 28 and above")
         }
     }
 

build.gradle.kts

@@ -191,6 +191,11 @@ fun Project.configureAndroid() {
 
         dependencies {
             add("coreLibraryDesugaring", libs.android.desugartools)
+            constraints {
+                add("implementation", libs.androidx.annotation.experimental) {
+                    because("Fixes a lint bug with RequiresOptIn")
+                }
+            }
         }
     }
 }

gradle/libs.versions.toml

@@ -2,6 +2,7 @@
 agp = "8.4.0"
 androidx-activity = "1.2.0"
 androidx-annotation = "1.9.1"
+androidx-annotation-experimental = "1.4.1"
 androidx-appcompat = "1.2.0"
 androidx-browser = "1.4.0"
 androidx-concurrent = "1.1.0"
@@ -57,11 +58,13 @@ turbine = "1.1.0"
 android-desugartools = { module = "com.android.tools:desugar_jdk_libs", version.ref = "desugar" }
 androidx-activity = { module = "androidx.activity:activity", version.ref = "androidx-activity" }
 androidx-annotation = { module = "androidx.annotation:annotation", version.ref = "androidx-annotation" }
+androidx-annotation-experimental = { module = "androidx.annotation:annotation-experimental", version.ref = "androidx-annotation-experimental" }
 androidx-appcompat = { module = "androidx.appcompat:appcompat", version.ref="androidx-appcompat" }
 androidx-browser = { module = "androidx.browser:browser", version.ref = "androidx-browser" }
 androidx-core = { module = "androidx.core:core", version.ref = "androidx-core" }
 androidx-core-ktx = { module = "androidx.core:core-ktx", version.ref = "androidx-core" }
 androidx-credentials = { module = "androidx.credentials:credentials", version.ref="androidx-credentials" }
+androidx-credentials-play-services = { module = "androidx.credentials:credentials-play-services-auth", version.ref="androidx-credentials" }
 androidx-junit-ktx = { module = "androidx.test.ext:junit-ktx", version.ref = "junit-ktx" }
 androidx-lifecycle-runtime = { module = "androidx.lifecycle:lifecycle-runtime", version.ref = "androidx-lifecycle" }
 androidx-nav-fragment = { module = "androidx.navigation:navigation-fragment", version.ref = "navigation" }