Add WebAuthn / passkey client + Auth0 / Firebase passkey helpers

.github/workflows/identity-stack.yml

@@ -26,19 +26,25 @@ on:
     branches: [ master ]
     paths:
       - 'CodenameOne/src/com/codename1/io/oidc/**'
+      - 'CodenameOne/src/com/codename1/io/webauthn/**'
       - 'CodenameOne/src/com/codename1/io/Oauth2.java'
       - 'CodenameOne/src/com/codename1/io/AccessToken.java'
       - 'CodenameOne/src/com/codename1/social/**'
       - 'Ports/iOSPort/nativeSources/CN1OidcBrowser.*'
       - 'Ports/iOSPort/nativeSources/CN1AppleSignIn.*'
+      - 'Ports/iOSPort/nativeSources/CN1WebAuthn.*'
+      - 'Ports/iOSPort/nativeSources/CodenameOne_GLViewController.h'
       - 'Ports/iOSPort/src/com/codename1/io/oidc/**'
+      - 'Ports/iOSPort/src/com/codename1/io/webauthn/**'
       - 'Ports/iOSPort/src/com/codename1/social/AppleSignInNativeImpl.java'
       - 'Ports/iOSPort/src/com/codename1/impl/ios/IOSNative.java'
       - 'Ports/Android/src/com/codename1/io/oidc/**'
+      - 'Ports/Android/src/com/codename1/io/webauthn/**'
       - 'Ports/Android/src/com/codename1/social/AppleSignInNativeImpl.java'
       - 'maven/codenameone-maven-plugin/src/main/java/com/codename1/builders/IPhoneBuilder.java'
       - 'maven/codenameone-maven-plugin/src/main/java/com/codename1/builders/AndroidGradleBuilder.java'
       - 'maven/core-unittests/src/test/java/com/codename1/io/oidc/**'
+      - 'maven/core-unittests/src/test/java/com/codename1/io/webauthn/**'
       - 'maven/core-unittests/src/test/java/com/codename1/io/Oauth2*'
       - 'maven/core-unittests/src/test/java/com/codename1/social/**'
       - 'Samples/samples/UniversalSignInDemo/**'
@@ -48,18 +54,23 @@ on:
     branches: [ master ]
     paths:
       - 'CodenameOne/src/com/codename1/io/oidc/**'
+      - 'CodenameOne/src/com/codename1/io/webauthn/**'
       - 'CodenameOne/src/com/codename1/io/Oauth2.java'
       - 'CodenameOne/src/com/codename1/social/**'
       - 'Ports/iOSPort/nativeSources/CN1OidcBrowser.*'
       - 'Ports/iOSPort/nativeSources/CN1AppleSignIn.*'
+      - 'Ports/iOSPort/nativeSources/CN1WebAuthn.*'
       - 'Ports/iOSPort/src/com/codename1/io/oidc/**'
+      - 'Ports/iOSPort/src/com/codename1/io/webauthn/**'
       - 'Ports/iOSPort/src/com/codename1/social/AppleSignInNativeImpl.java'
       - 'Ports/iOSPort/src/com/codename1/impl/ios/IOSNative.java'
       - 'Ports/Android/src/com/codename1/io/oidc/**'
+      - 'Ports/Android/src/com/codename1/io/webauthn/**'
       - 'Ports/Android/src/com/codename1/social/AppleSignInNativeImpl.java'
       - 'maven/codenameone-maven-plugin/src/main/java/com/codename1/builders/IPhoneBuilder.java'
       - 'maven/codenameone-maven-plugin/src/main/java/com/codename1/builders/AndroidGradleBuilder.java'
       - 'maven/core-unittests/src/test/java/com/codename1/io/oidc/**'
+      - 'maven/core-unittests/src/test/java/com/codename1/io/webauthn/**'
       - 'Samples/samples/UniversalSignInDemo/**'
       - '.github/workflows/identity-stack.yml'
 
@@ -120,7 +131,7 @@ jobs:
               -P unittests \
               -pl core-unittests -am \
               test \
-              -Dtest='OidcCoreTest,Oauth2Test,Oauth2RefreshTokenRequestTest,GoogleConnectTest,FacebookConnectTest,LoginTest,Login1Test,LoginExtrasTest' \
+              -Dtest='OidcCoreTest,WebAuthnCoreTest,Oauth2Test,Oauth2RefreshTokenRequestTest,GoogleConnectTest,FacebookConnectTest,LoginTest,Login1Test,LoginExtrasTest' \
               -Dsurefire.failIfNoSpecifiedTests=false
 
       - name: Compile Maven plugin (verifies IPhoneBuilder + AndroidGradleBuilder scanner edits)
@@ -162,11 +173,12 @@ jobs:
           LISTING="$(unzip -l "${BUNDLE}")"
           for required in \
               com/codename1/io/oidc/OidcBrowserNativeImpl.java \
+              com/codename1/io/webauthn/WebAuthnNativeImpl.java \
               com/codename1/social/AppleSignInNativeImpl.java; do
             if ! grep -qF "${required}" <<<"${LISTING}"; then
               echo "::error::${required} missing from android_port_sources.jar"
-              echo "Bundle listing (oidc / social entries):"
-              grep -E "oidc|social" <<<"${LISTING}" || true
+              echo "Bundle listing (oidc / webauthn / social entries):"
+              grep -E "oidc|webauthn|social" <<<"${LISTING}" || true
               exit 1
             fi
           done
@@ -213,6 +225,7 @@ jobs:
             CodenameOne/src/com/codename1/social/Auth0Connect.java
             CodenameOne/src/com/codename1/social/FirebaseAuth.java
             CodenameOne/src/com/codename1/social/MicrosoftConnect.java
+            CodenameOne/src/com/codename1/io/webauthn
           )
           # `|| true` is intentional: grep -E exits 1 when there are zero
           # matches, which is the success case.
@@ -281,7 +294,7 @@ jobs:
           for label in stubs full; do
             extra=""
             if [ "$label" = full ]; then
-              extra="-DCN1_INCLUDE_OIDC -DCN1_INCLUDE_APPLESIGNIN"
+              extra="-DCN1_INCLUDE_OIDC -DCN1_INCLUDE_APPLESIGNIN -DCN1_INCLUDE_WEBAUTHN"
             fi
             echo "::group::clang $label"
             xcrun --sdk iphoneos clang \
@@ -295,6 +308,7 @@ jobs:
                 -DNEW_CODENAME_ONE_VM=1 \
                 $extra \
                 CN1OidcBrowser.m \
-                CN1AppleSignIn.m
+                CN1AppleSignIn.m \
+                CN1WebAuthn.m
             echo "::endgroup::"
           done

CodenameOne/src/com/codename1/io/webauthn/PublicKeyCredential.java

@@ -0,0 +1,168 @@
+/*
+ * Copyright (c) 2012-2026, Codename One and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Codename One designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Codename One through http://www.codenameone.com/ if you
+ * need additional information or have any questions.
+ */
+package com.codename1.io.webauthn;
+
+import com.codename1.io.JSONParser;
+import com.codename1.util.regex.StringReader;
+
+import java.io.IOException;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+
+/// The authenticator's response to a passkey ceremony -- either a registration
+/// (`type=public-key`, `response.attestationObject` present) or an assertion
+/// (`response.signature` + `response.authenticatorData` present).
+///
+/// Immutable. The most common usage is to call [#toJson()] and POST the result
+/// to your relying-party server, which then runs full signature / origin /
+/// counter verification using a server-side library. Do not try to verify the
+/// attestation or assertion on the device -- that is the relying party's
+/// responsibility.
+///
+/// @since 7.0.245
+public final class PublicKeyCredential {
+
+    /// Credential type -- always `"public-key"` for WebAuthn.
+    public static final String TYPE_PUBLIC_KEY = "public-key";
+
+    private final String json;
+    private final Map<String, Object> parsed;
+    private final boolean registration;
+
+    private PublicKeyCredential(String json, Map<String, Object> parsed, boolean registration) {
+        this.json = json;
+        this.parsed = parsed == null
+                ? Collections.<String, Object>emptyMap()
+                : Collections.unmodifiableMap(new HashMap<String, Object>(parsed));
+        this.registration = registration;
+    }
+
+    /// Parses a RegistrationResponseJSON / AuthenticationResponseJSON document
+    /// returned by the native authenticator.
+    public static PublicKeyCredential fromJson(String json) {
+        if (json == null) {
+            throw new IllegalArgumentException("json must not be null");
+        }
+        Map<String, Object> parsed;
+        try {
+            parsed = new JSONParser().parseJSON(new StringReader(json));
+        } catch (IOException ioe) {
+            throw new IllegalArgumentException("Invalid response JSON: " + ioe.getMessage(), ioe);
+        }
+        if (parsed == null || parsed.isEmpty()) {
+            throw new IllegalArgumentException("Response JSON is empty or unparseable");
+        }
+        Object response = parsed.get("response");
+        boolean registration = false;
+        if (response instanceof Map) {
+            registration = ((Map<?, ?>) response).get("attestationObject") != null;
+        }
+        return new PublicKeyCredential(json, parsed, registration);
+    }
+
+    /// Returns the original JSON. POST this back to your relying-party server
+    /// verbatim.
+    public String toJson() {
+        return json;
+    }
+
+    /// Read-only view of the parsed JSON.
+    public Map<String, Object> asMap() {
+        return parsed;
+    }
+
+    /// `id` -- the credential identifier, base64url-encoded. Stable across
+    /// ceremonies for the same authenticator + relying party pair, so this
+    /// is what you store on the server.
+    public String getId() {
+        Object id = parsed.get("id");
+        return id == null ? null : id.toString();
+    }
+
+    /// `rawId` -- the same identifier as a base64url-encoded byte array.
+    public String getRawId() {
+        Object id = parsed.get("rawId");
+        return id == null ? null : id.toString();
+    }
+
+    /// `authenticatorAttachment` -- `"platform"` if a built-in authenticator
+    /// (Face ID / Touch ID, Android biometrics) handled the request,
+    /// `"cross-platform"` for a hardware key, or `null` if the OS did not
+    /// report it.
+    public String getAuthenticatorAttachment() {
+        Object a = parsed.get("authenticatorAttachment");
+        return a == null ? null : a.toString();
+    }
+
+    /// `true` if this is a registration (create) response. `false` for an
+    /// assertion (get) response.
+    public boolean isRegistration() {
+        return registration;
+    }
+
+    /// `response.clientDataJSON`, base64url-encoded. Decoded server-side and
+    /// checked against the original challenge / origin.
+    public String getClientDataJSON() {
+        Object r = parsed.get("response");
+        if (r instanceof Map) {
+            Object v = ((Map<?, ?>) r).get("clientDataJSON");
+            return v == null ? null : v.toString();
+        }
+        return null;
+    }
+
+    /// `response.attestationObject` for a registration response,
+    /// base64url-encoded. `null` on an assertion response.
+    public String getAttestationObject() {
+        Object r = parsed.get("response");
+        if (r instanceof Map) {
+            Object v = ((Map<?, ?>) r).get("attestationObject");
+            return v == null ? null : v.toString();
+        }
+        return null;
+    }
+
+    /// `response.signature` for an assertion response, base64url-encoded.
+    /// `null` on a registration response.
+    public String getSignature() {
+        Object r = parsed.get("response");
+        if (r instanceof Map) {
+            Object v = ((Map<?, ?>) r).get("signature");
+            return v == null ? null : v.toString();
+        }
+        return null;
+    }
+
+    /// `response.userHandle` for an assertion response, base64url-encoded.
+    /// Matches the `user.id` from the registration ceremony.
+    public String getUserHandle() {
+        Object r = parsed.get("response");
+        if (r instanceof Map) {
+            Object v = ((Map<?, ?>) r).get("userHandle");
+            return v == null ? null : v.toString();
+        }
+        return null;
+    }
+}