Github

πŸ“ƒDigitial Asset Linking

Link your Android App to your website

For Credential Manager to work to the best of its ability, it's suggested that you set up your Digitial Asset Linking.

The official Android Documentation on this topic is misleading as it states Digital Asset Linking is required for Passkeys to work, however, it seems that they can work sometimes without it. It is also suggested that you only set it up if using password-based login and not passkeys, which directly contradicts their previous statement. In practice, it is recommended to just fully setup Digital Asset Linking

What Is Digital Asset Linking

Digital Asset Linking is a mechanism in Android that allows apps and websites to verify their connectivity and common ownership. By creating a JSON file in a specific location on your web server, you can declare that your app and website are linked. This enables shared permissions and functionalities, such as enabling your app to handle specific types of links that are used on your website. It's a crucial step to ensure seamless user experiences across platforms and enhances security by confirming app and web relationships.

Defining Your Digital Asset Linking JSON File

Below is an example assetlinks.json file that is available on my domain for the example app of this package to work.

[
  {
    "relation" : [
      "delegate_permission/common.handle_all_urls",
      "delegate_permission/common.get_login_creds"
    ],
    "target": {
      "namespace": "android_app",
      "package_name": "androidcredentialmanager.example",
      "sha256_cert_fingerprints" : [
        "FA:C6:17:45:DC:09:03:78:6F:B9:ED:E6:2A:96:2B:39:9F:73:48:F0:BB:6F:89:9B:83:32:66:75:91:03:3B:9C"
      ]
    }
  }
]

Let's break down what this JSON file does.

  1. We define relation at the start. This tells Android what should be linked between your app and your website. In our case, we want to link the credentials and also to handle all the urls.

  2. Next, we have target. Here only the package_name and the sha256_cert_fingerprints have importance to us. The package name is the name of your Android app identifier and sha256_cert_fingerprints can be generated by running the below command.

keytool -list -v -keystore <path to key> -alias <alias> -storepass <store password> -keypass <key password>

Hosting your DigitalAsset.json file

Host the Digital Assets Link JSON file at the following location on the sign-in domain:

https://domain[:optional_port]/.well-known/assetlinks.json

For example, if your sign-in domain is signin.example.com, host the JSON file at https://signin.example.com/.well-known/assetlinks.json.

The MIME type for the Digital Assets Link file needs to be JSON. Make sure the server sends a Content-Type: application/json header in the response.

PreviousInstallationNextOverview

Last updated