Enhance WebAuthn telemetry for passkey registration, Fixes AB#3540659

[p3dr0rv]

The purpose of this PR is to extract additional telemetry (passkey_aaguid and passkey_origin) from successful PasskeyWebListener scenarios. This will help us investigate an error observed in MSAL STS, where the origin is not in the expected format. We want to determine whether this issue is caused by our code or by a malicious app. If it originates from our side, we aim to identify the conditions under which it occurs, such as specific device models, OEMs, or passkey providers.

WebAuthn Passkey Registration & Extraction Enhancements

• Added new methods to WebAuthnJsonUtil for extracting the origin and AAGUID from passkey registration responses, including robust parsing of CBOR-encoded attestation objects and error handling. These utilities help with downstream identity and device management.
• Refactored WebAuthnJsonUtil from a class with a companion object to a singleton object, and updated method signatures for improved clarity and usage. [1] [2] [3] [4]
• Updated imports and usage of constants in WebAuthnJsonUtil to reference individual fields from FidoConstants.Companion, improving code readability and maintainability.

OpenTelemetry Integration

• Added the opentelemetry-extension-kotlin dependency, enabling better integration of OpenTelemetry with Kotlin coroutines and context propagation.
• Refactored PasskeyReplyChannel to accept an OpenTelemetry Context and a coroutine scope for telemetry, allowing asynchronous telemetry recording and improved tracing. [1] [2] [3]
• Added a new getOtelContext() method to AuthorizationActivity for safe access to the OpenTelemetry context extracted from intent extras.

Code Quality & Maintenance

• Improved formatting, parameter naming, and error handling throughout the updated files, including more descriptive documentation for new and existing methods. [1] [2] [3]
• Added parent attribute names for telemetry correlation in PasskeyReplyChannel, supporting more detailed trace and span metadata.

android_spans
| where span_name == "PasskeyWebListener"
| project calling_package_name, DeviceInfo_Model, active_broker_package_name, DeviceInfo_Make, account_type, passkey_aaguid, passkey_origin
|take 1000

calling_package_name	DeviceInfo_Model	active_broker_package_name	DeviceInfo_Make	account_type	passkey_aaguid	passkey_origin
	SM-F926U1	com.microsoft.identity.testuserapp	samsung
com.msft.identity.client.sample.local	SM-F926U1	com.microsoft.identity.testuserapp	samsung	AAD	53414d53-554e-4700-0000-000000000000	android:apk-key-hash:E8lSX1zJMPBZ9G_zpnfxfmfh-d0q2qEYz-2bgNeUKCU
	SM-F926U1	com.microsoft.identity.testuserapp	samsung		53414d53-554e-4700-0000-000000000000	android:apk-key-hash:E8lSX1zJMPBZ9G_zpnfxfmfh-d0q2qEYz-2bgNeUKCU
	SM-F926U1	com.microsoft.identity.testuserapp	samsung		53414d53-554e-4700-0000-000000000000	android:apk-key-hash:E8lSX1zJMPBZ9G_zpnfxfmfh-d0q2qEYz-2bgNeUKCU
	SM-F926U1	com.microsoft.identity.testuserapp	samsung		53414d53-554e-4700-0000-000000000000	android:apk-key-hash:E8lSX1zJMPBZ9G_zpnfxfmfh-d0q2qEYz-2bgNeUKCU

AB#3540659

related PR: https://github.com/identity-authnz-teams/ad-accounts-for-android/pull/107

[github-actions]

❌ Work item link check failed. Description does not contain AB#{ID}.

Click here to Learn more.

[p3dr0rv]

@copilot REVIEW

[Copilot]

@p3dr0rv I've opened a new pull request, #3019, to work on those changes. Once the pull request is ready, I'll request review from you.

[Copilot]

Pull request overview

Enhances passkey/WebAuthn registration telemetry by introducing new OpenTelemetry attributes (origin, AAGUID) and plumbing extraction logic from WebAuthn registration responses into the passkey reply path.

Changes:

• Added new OTel attribute keys: passkey_origin and passkey_aaguid.
• Added WebAuthn JSON constants and implemented origin/AAGUID extraction helpers (with tests).
• Updated passkey WebView integration to ensure credential operations run on Dispatchers.Main, and added async telemetry enrichment after JS replies.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
common4j/src/main/com/microsoft/identity/common/java/opentelemetry/AttributeName.java	Adds new telemetry attribute keys for origin + AAGUID.
common4j/src/main/com/microsoft/identity/common/java/constants/FidoConstants.kt	Adds WebAuthn registration JSON keys and AAGUID offset/length constants.
common/src/main/java/com/microsoft/identity/common/internal/fido/WebAuthnJsonUtil.kt	Converts util to object and adds extraction helpers for origin + AAGUID from registration response/attestation.
common/src/test/java/com/microsoft/identity/common/internal/fido/WebAuthnJsonUtilTest.kt	Adds unit tests for new origin/AAGUID extraction helpers.
common/src/main/java/com/microsoft/identity/common/internal/providers/oauth2/PasskeyWebListener.kt	Updates docs and ensures coroutine scope uses Dispatchers.Main for CredentialManager UI.
common/src/main/java/com/microsoft/identity/common/internal/providers/oauth2/PasskeyReplyChannel.kt	Posts JS reply immediately, then asynchronously enriches telemetry with origin/AAGUID.
common/src/main/java/com/microsoft/identity/common/internal/fido/LegacyFidoActivityResultContract.kt	Updates import to match WebAuthnJsonUtil conversion to object.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[Copilot]

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 7 comments.

[github-actions]

✅ Work item link check complete. Description contains link AB#3540659 to an Azure Boards work item.

[github-actions]

❌ Invalid work item number: AB#3540659
. Work item number must be a valid integer.

Click here to learn more.