Rejecting Asserted Origin from App When Creating Credential

I copied the code from the codelab to create and save credentials.

However, I got the below error when calling credentialManager.createCredential(activity, request):

[FetchAllowlistedOriginOperation] rejecting asserted origin from app 'com.myapp.test', with fingerprint(s)
    13:3A:39:D2:B9:48:1A:2C:B3:A5..., because it is not in the list of trusted browsers. [CONTEXT service_id=68 ]
[createCredential] CreateCredentialException: Credential save error
    androidx.credentials.exceptions.CreateCredentialNoCreateOptionException: No create options available.
    at androidx.credentials.CredentialProviderFrameworkImpl.convertToJetpackCreateException$credentials_release(CredentialProviderFrameworkImpl.kt:302)
    at androidx.credentials.CredentialProviderFrameworkImpl$onCreateCredential$outcome$1.onError(CredentialProviderFrameworkImpl.kt:201)
    at androidx.credentials.CredentialProviderFrameworkImpl$onCreateCredential$outcome$1.onError(CredentialProviderFrameworkImpl.kt:187)
    at android.credentials.CredentialManager$CreateCredentialTransport.lambda$onError$2(CredentialManager.java:752)
    at android.credentials.CredentialManager$CreateCredentialTransport.$r8$lambda$8NwBIrbcK6SvF9Mra_qL_8hhFMU(Unknown Source:0)
    at android.credentials.CredentialManager$CreateCredentialTransport$$ExternalSyntheticLambda0.run(Unknown Source:6)
    at androidx.credentials.CredentialManager$$ExternalSyntheticLambda0.execute(Unknown Source:0)
    at android.credentials.CredentialManager$CreateCredentialTransport.onError(CredentialManager.java:751)
    at android.credentials.ICreateCredentialCallback$Stub.onTransact(ICreateCredentialCallback.java:123)
    at android.os.Binder.execTransactInternal(Binder.java:1344)
    at android.os.Binder.execTransact(Binder.java:1275)

This is my assetlinks.json:

[
    {
        "relation": [
            "delegate_permission/common.handle_all_urls",
            "delegate_permission/common.get_login_creds"
        ],
        "target": {
            "namespace": "web",
            "site": "https://myapp.test.com"
        }
    },
    {
        "relation": [
            "delegate_permission/common.handle_all_urls",
            "delegate_permission/common.get_login_creds"
        ],
        "target": {
            "namespace": "android_app",
            "package_name": "com.myapp.test",
            "sha256_cert_fingerprints": [
                "62:8D:D4:12:94..."
            ]
        }
    }
]

Before, I could successfully create a passkey device in Google and create a credential (screen lock), which can be seen in "Password Manager" under "Manage your Google Account". Then I made some changes and ran some tests, and rolled back my code. However, createCredential does not work anymore.

Notice that the fingerprint (13:3A:39:D2:B9:48:1A:2C:B3:A5...) in the error is different from the fingerprint (62:8D:D4:12:94...) in my assetlinks.json.

There is 1 answer

Holy Rock On

After some tests, I found that I can resolve this error by removing the origin parameter when constructing the CreatePublicKeyCredentialRequest for createCredential.

Originally, I used the below code:

val request = CreatePublicKeyCredentialRequest(
    requestJson = pubKeyCredCreatOptionsString,
    origin = BuildConfig.APP_LINK_URL,
)

And then I used the below code to fix the error:

val request = CreatePublicKeyCredentialRequest(
    requestJson = pubKeyCredCreatOptionsString
)

Now I can get the passkey prompt.

However, the app cannot show the credential selector, and I got another error:

[DigitalAssetsAssociationChecker] JSON Object doesn't have linked key
[Fido2RequestController] The incoming request cannot be validated
[Fido2RequestController] The incoming request cannot be validated
[FidoApiImpl] pauseSecurityKeyRequestController should not be called when SecurityKeyRequestController is null.
[FidoApiImpl] finishSecurityKeyRequestController should not be called when SecurityKeyRequestController is null.
[createCredential] CreateCredentialException: Credential save error 
    androidx.credentials.exceptions.publickeycredential.CreatePublicKeyCredentialDomException: The incoming request cannot be validated
    at androidx.credentials.exceptions.publickeycredential.DomExceptionUtils$Companion.generateException(DomExceptionUtils.kt:144)
    at androidx.credentials.exceptions.publickeycredential.DomExceptionUtils$Companion.access$generateException(DomExceptionUtils.kt:57)
    at androidx.credentials.exceptions.publickeycredential.CreatePublicKeyCredentialDomException$Companion.createFrom(CreatePublicKeyCredentialDomException.kt:118)
    at androidx.credentials.exceptions.publickeycredential.CreatePublicKeyCredentialException$Companion.createFrom(CreatePublicKeyCredentialException.kt:51)
    at androidx.credentials.CredentialProviderFrameworkImpl.convertToJetpackCreateException$credentials_release(CredentialProviderFrameworkImpl.kt:315)
    at androidx.credentials.CredentialProviderFrameworkImpl$onCreateCredential$outcome$1.onError(CredentialProviderFrameworkImpl.kt:201)
    at androidx.credentials.CredentialProviderFrameworkImpl$onCreateCredential$outcome$1.onError(CredentialProviderFrameworkImpl.kt:187)
    at android.credentials.CredentialManager$CreateCredentialTransport.lambda$onError$2(CredentialManager.java:752)
    at android.credentials.CredentialManager$CreateCredentialTransport.$r8$lambda$8NwBIrbcK6SvF9Mra_qL_8hhFMU(Unknown Source:0)
    at android.credentials.CredentialManager$CreateCredentialTransport$$ExternalSyntheticLambda0.run(Unknown Source:6)
    at androidx.credentials.CredentialManager$$ExternalSyntheticLambda0.execute(Unknown Source:0)
    at android.credentials.CredentialManager$CreateCredentialTransport.onError(CredentialManager.java:751)
    at android.credentials.ICreateCredentialCallback$Stub.onTransact(ICreateCredentialCallback.java:123)
    at android.os.Binder.execTransactInternal(Binder.java:1344)
    at android.os.Binder.execTransact(Binder.java:1275)
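
The mismatch pointed out in the question (the fingerprint in the log differs from the one in assetlinks.json) can be checked offline against the Digital Asset Links document. This is an added example, not code from the original post or the codelab; the function name `check_asset_links`, the sample document and the full-length fingerprints are constructed for illustration.

```python
import json
import re

REQUIRED_RELATION = "delegate_permission/common.get_login_creds"
FP_RE = re.compile(r"^([0-9A-F]{2}:){31}[0-9A-F]{2}$")  # SHA-256 = 32 bytes


def normalize(fp):
    """Uppercase and strip whitespace so comparisons are case-insensitive."""
    return fp.strip().upper()


def check_asset_links(doc_text, package_name, observed_fp):
    """Return a list of findings; an empty list means the statement matches."""
    observed = normalize(observed_fp)
    if not FP_RE.match(observed):
        return ["observed fingerprint is not a full SHA-256 value"]
    findings = []
    app_statements = [
        s for s in json.loads(doc_text)
        if s.get("target", {}).get("namespace") == "android_app"
        and s["target"].get("package_name") == package_name
    ]
    if not app_statements:
        return [f"no android_app statement for {package_name}"]
    listed = set()
    for stmt in app_statements:
        if REQUIRED_RELATION not in stmt.get("relation", []):
            findings.append(f"statement lacks relation {REQUIRED_RELATION}")
            continue
        for fp in stmt["target"].get("sha256_cert_fingerprints", []):
            fp = normalize(fp)
            if FP_RE.match(fp):
                listed.add(fp)
            else:
                findings.append(f"malformed or truncated fingerprint: {fp}")
    if observed not in listed:
        findings.append("signing certificate of the installed build is not listed")
    return findings


# Constructed sample values (not the truncated fingerprints from the post).
RELEASE_FP = ":".join(["AB"] * 32)
DEBUG_FP = ":".join(["CD"] * 32)
SAMPLE = json.dumps([{
    "relation": ["delegate_permission/common.handle_all_urls", REQUIRED_RELATION],
    "target": {"namespace": "android_app", "package_name": "com.myapp.test",
               "sha256_cert_fingerprints": [RELEASE_FP]},
}])

if __name__ == "__main__":
    for label, fp in (("release", RELEASE_FP), ("debug", DEBUG_FP)):
        print(label, check_asset_links(SAMPLE, "com.myapp.test", fp) or "OK")
```

Debug and release builds are normally signed with different keys, so every build variant that calls Credential Manager needs its own fingerprint in `sha256_cert_fingerprints`.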