Authenticate users with WebView

This document describes how to integrate the Credential Manager API with an Android app that uses WebView. Credential Manager is supported natively in the android.webkit.WebView library in version 1.12.0 and later.

Prerequisites

To use Credential Manager in WebView, add the following dependencies to your app module's build script:

dependencies {
  implementation("androidx.credentials:credentials:1.6.0-beta02")   
  implementation("androidx.credentials:credentials-play-services-auth:1.6.0-beta02")
  implementation("androidx.webkit:webkit:1.14.0")
}

You will also need to associate your app with a website that your app owns using digital asset linking. For more information, see adding digital asset linking.

Use the WebKit library

To use the WebKit library, check for feature support, and then enable support by calling setWebAuthenticationSupport():

class WebViewActivity : ComponentActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        setContent {
            val url = "https://passkeys-codelab.glitch.me/"
            AndroidView(
                factory = { context ->
                    WebView(context).apply {
                        settings.javaScriptEnabled = true

                        webViewClient = WebViewClientImpl()
                    }
                },
                update = { webView ->
                    run {
                        webView.loadUrl(url)
                        if (WebViewFeature.isFeatureSupported(WebViewFeature.WEB_AUTHENTICATION)) {
                            WebSettingsCompat.setWebAuthenticationSupport(
                                webView.settings,
                                WebSettingsCompat.WEB_AUTHENTICATION_SUPPORT_FOR_APP,
                            )
                            // Check if getWebauthenticationSupport may have been disabled by the WebView.
                            Log.e(
                                "WebViewPasskeyDemo",
                                "getWebAuthenticationSupport result: " + WebSettingsCompat.getWebAuthenticationSupport(
                                    webView.settings
                                ),
                            )
                        } else {
                            Log.e("WebViewPasskeyDemo", "WebView does not support passkeys.")
                        }
                    }
                },
            )
        }
    }
}

Web integration

To learn how to build Web integration see Create a passkey for passwordless logins. You can also reference the demo site source.

Testing and deployment

Test the entire flow thoroughly in a controlled environment to verify proper communication between the Android app, the web page, and the backend.

Deploy the integrated solution to production, verifying that the backend can handle incoming registration and authentication requests. The backend code should generate initial JSON for registration (create) and authentication (get) processes. It should also handle validation and verification of the responses received from the web page.

Verify the implementation corresponds to the UX recommendations.