I'm intending to use WebAuthn for authentication, as shown at the demo site https://webauthn.io
Turns out that Android's WebView (and its iOS counterpart) does not implement this and it is explicitly stated that this won't be happen. One is getting referred to use a Chrome Tab.
But what I want to do is not to use any HTML/JavaScript for this when on a mobile device, that is, inside the App. In the app I would like to use a Java library similar to Firebase but which does provide the means to use the same account which got set up via WebAuthn, or to set up an account via the library on the App which can then later be accessed in a Browser by using WebAuthn.
I have come across AppAuth https://github.com/openid/AppAuth-Android and am unsure if this is related to WebAuthn.
My goal is to use a password- and email-less authentication system in order for users to use it on the Web via WebAuthn as well have their App access the backend via the library on their behalf. A system that doesn't require someone to have a user account at Facebook, Google or any other provider.
I would want to avoid using a workaround like a Chrome Tab in the Android App, it should all be handled in Java and the user interaction via Fragments.
Which are my options? Is FIDO2 capable of offering all that is needed to provide this? How does it relate to OAuth 2.0?
WebAuthn is a standard for browsers, which means it can only be implemented in browsers as of today. On Android, it's indeed restricted to the browser of ChromeCustomTabs. On iOS, it may be allowed in internal webviews - but still in a web component.
There is no way to have it working with the native UI, especially because WebAuthn authentication is bound to an URI (which there isn't in a native mobile application UI).
EDIT: since this answer was given, native FIDO2 support appeared on:
webAuthn.dllIt is still unsupported on iOS as of beginning of 2023.
WebAuthn and OAuth2 are not related. OAuth2 is a API access control protocol: you first get tokens on the authorization server using a web flow (except in some special cases), which typically involves an authentication and authorization process, and then consume these access tokens on an API that verifies them. WebAuthn is an authentication scheme: after initial enrolment, a user can authenticate with an authenticator without presenting a password.
The only way these two things are related is that WebAuthn can be used as an authentication scheme in the OAuth2 authentication process (instead of a password, an OTP sent by email or SMS, a push notification...).
If you want to have single authentication process between your native application and some of your web applications on the same mobile device, the way to go is to have a unique, central authentication service which will deal with authentication and SSO (Single Sign-On). It prevents a user from having multiple accounts, registration and authentication processes.
To do that, your native mobile application has to use it too - and therefore use web authentication. AppAuth is a library that allows doing such a thing, and uses the OAuth2 protocol (and therefore provides with OAuth2 access tokens, to access APIs). Since your native application has no data within itself, but needs to retrieve data somewhere (probably an API), that might be what you want. But you can't achieve SSO with fragments as far as I know, because any non-ChromeCustomeTab component will not share cookies outside of the application.