Post not yet marked as solved
We registered Certified Fido2 devices in Apple ID as security keys, registration performed without any problem. First logs in logs out iterations worked also without problem. Then after a while, one of the key started to be rejected, with the attached screenshot., with "failed to verify security key" and "error description not available". The second identical key still function correctly.
We were unable to reproduce the problem on demand, the problem simply just seem to appear randomely. Although the second Fido2 device still works, there is a therotical possibility to be locked out of the account.
The only difference we could identify with other Fido2 devices is that is prioritise ECC algorithm (-7) compared to other Fido2 devices that priorise RSA (-257)
If ECC is not supported, then it should reject the Fido2 device at registration.
How to properly contact Apple to solve this relatively serious issue ?
Post not yet marked as solved
Hey Folks,
I'm currently building an SDK that will manage the creation and authentication of the passkeys for my users, and this SDK can be integrated on 3rd party apps that are out of my direct control.
The scenario of when this SDK will be used is like when you have an app that you can link your account with LinkedIn, to get some info about you there and need to log in with your Linkedin account. So, the app itself that is consuming the SDK can have a passkey, and this "link account" feature (SDK) will also manage its passkey creation and authentication.
Based on this I have a couple of questions:
Can I grant only grant the associated domains/webcredentials entitlements to my SDK, such that the SDK is the only part allowed to create or access my passkeys but the app that consumes that SDK can only call the functionality exposed by the SDK, and not directly have the privileges to create and access my passkeys nor my iCloud Keychain?
If 1 is not possible, what other options do I have? I imagine that if I give to access these 3rd party apps that consume my SDK to my associated domain webcredentials, I also will give them permission to them, to create passkeys in my name, using my RPID, and this is a really insecure scenario, so a no go.
May you folks help me to understand the best course of action in this scenario?
Thanks!
Post not yet marked as solved
We have been trying to implement OAuth 2.0 SAML Bearer Assertion authentication in our enterprise iOS application. We are not receiving the SAML Assertion id response in WKWEBVIEW. Can you please kindly confirm whether OAuth 2.0 SAML Bearer Assertion possible in NATIVE iOS development. Please suggest how this can be achieved in iOS native development.
Post not yet marked as solved
On a iPhone, I have registered 2 different passkeys for 2 different users(Lets say user A and user B) for a domain example.com. Now at the time of authentication I am able to use Passkeys of user A to authenticate user B with authentication challenge fetched from server. This should not be allowed. As per documentation, I can see ASAuthorizationPlatformPublicKeyCredentialProvider.createCredentialAssertionRequest(challenge: challenge) only accepts challenge value and does not accept any user ID. How can I verify the user details/info while authenticating with Passkey.
Hello.
Does WKWebView on Mac support FIDO2(webauthn)?
We need to implement this in our app and ASWebAuthenticationSession API comes up in searches all the time as the only solution. Is this still the case?
From my experiments ASWebAuthenticationSession on Mac doesn't provide best user experience - too much fiddling and odd behavior for an end user.
F.e. user needs to click Open button from the browser window to pass token to the very same app which initiated the window and this is not very logical considering all the efforts to setup applink.
Would appreciate an advice.
Post not yet marked as solved
Whenever user try to login,
it automatically uses hidden email for some reason.
Therefore existing users from mobile app can't access web :(
Anyone having this issue? How do I solve this?
Post not yet marked as solved
I keep getting the following error when trying to run Passkey sign in on macOS.
Told not to present authorization sheet: Error
Domain=com.apple.AuthenticationServicesCore.AuthorizationError Code=1
"(null)"
The same piece of code is working as expected on iOS.
Some more info:
The association file and entitlements are correct and validated as everything is working on iOS.
The app is built on SwiftUI and use the same codebase for macOS and iOS
Validated that the presentation anchor is also correct on macOS because other SSO login works with the same presentation anchor.
Not sure where the problem is. Followed https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication/supporting_passkeys/ to get the integration.
We are working on implementing FIDO2 with passkeys and its works fine in the consumer with Apple ID. On the Enterprise level we can't able to make it because corp device don't have option to enable Apple ID and its disabled by MDM as per policy.
is there any alternate approach where corp device can use FIDO authentication without using Apple ID?
thanks
I'm implementing passkeys by following the example from the Food Truck sample project. I have nearly everything working, but there's one problem. I'm using the AuthorizationController environment value and passing that to my login and register functions, but when I call authorizationController.performAutoFillAssistedRequest, I don't see or know of any way to cancel it, so if the user tries to type in their username instead of use the autofill suggestion, the second (non-autofill) request throws the error, The operation couldn’t be completed. Request already in progress for specified application identifier. I know that ASAuthorizationController has a cancel() function, but is there any way to do this with AuthorizationController?
Post not yet marked as solved
Hi.
I'm trying to develop a passkey app connected with a Webauthn server.
There is a problem in the process of creating the Attestation Object.
Since I am assigned 8445 port, I need to upload the /.well-known/ directory to that port.
In the WebAuthn specification, the RPID should not include the port number.
(https://www.w3.org/TR/webauthn-2/#relying-party-identifier)
When initializing an ASAuthorizationPlatformPublicKeyCredentialProvider object, if I add the port number to RPID, the passkey UI will work and ASAuthorization object will be checked.
But, I don't get authentication from webauthn server because the Attestation Obj is generated with RPID which contains port.
Is there any way to specify the port number to check the "well-known" directory? Or is it only possible on port 443?
I checked the post, but there is no more feedback, so I'm asking a question.
(https://developer.apple.com/forums/thread/730028)
Post not yet marked as solved
What policy does apply to me as I have a working application that serves contents based on their chosen location or place which does not require any login but for some super users I will open webview where they can authenticate themself and view/change thee only do I still need to provide test credential and any policy that apply to me related to data and privacy as the content will be also shown via webview and my app only served to US region.
I'm trying to implement passkeys in my app. I successfully get to the dialog in iOS simulator to register with a Passkey and I can also read the result and see all the right things in credentialRegistration.rawClientDataJSON. The one thing that's not working is when decoding the rawAttestationObject (which should be CBOR as I understand), I find all data defined in the spec (aaguid, credentialIdLength, credentialId) except for the credentialPublicKey! The rawAttestationObject basically ends after the credentialId. I see this both when decoding the rawAttestationObject manually as well as when using WebAuthn libraries on the server, which will give me an "Unexpected end of CBOR data" error.
Any ideas why the rawAttestationObject does not contain the public key?
For reference, here is the initialization of the Passkey request:
let publicKeyCredentialProvider = ASAuthorizationPlatformPublicKeyCredentialProvider(relyingPartyIdentifier: options.domain)
let registrationRequest = publicKeyCredentialProvider.createCredentialRegistrationRequest(challenge: challenge, name: name, userID: userID)
let authController = ASAuthorizationController(authorizationRequests: [ registrationRequest ])
authController.performRequests()
And here is how I handle the result:
case let credentialRegistration as ASAuthorizationPlatformPublicKeyCredentialRegistration:
let rawAttestationObject = credentialRegistration.rawAttestationObject!.base64EncodedString()
let credentialID = credentialRegistration.credentialID.base64EncodedString()
let rawClientDataJSON = credentialRegistration.rawClientDataJSON.base64EncodedString()
let response: PasskeysResponse = [
"attestationObject": rawAttestationObject,
"credentialId": credentialID,
"clientDataJson": rawClientDataJSON,
]
Here is an example for a decoded attestation object:
{
"rpIdHash": "o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YViYmW4=",
"flags": {
"userPresent": false,
"userVerified": false,
"backupEligibility": true,
"backupState": true,
"attestedCredentialData": true,
"extensionData": false
},
"signCount": 425116148,
"aaguid": "20318e2d-77fa-f54d-bed7-ba15ccd3fade",
"credentialId": "1B1KJf6uYF0AAAAAAAAAAAAAAAAAAAAAAAAAAAAUQW65BAqkeKqu97vbc0Se5R1F3Y+lAQIDJiABIVggtdSX2ZAHsBxU4ja1xP6hCZGUXgUCb6Ipau3stU8rrz4iWCBwhOBWOgwT4yKRnU1hA11thC8+CvjmrCkfq//648cwHg==",
"credentialPublicKey": ""
}
As you can see, it looks all good except for the "credentialPublicKey": "" part.
Post not yet marked as solved
Hi Team,
Is it possible to access the user's birthday and gender when they login with Apple option?
I've checked Apple Authentication Services framework but found nothing about it. The only information we can access is user's name and email.
However, I received a review note saying that this information is already provided by the Apple Authentication Services framework.
Please kindly share the solution or tell me what should I do to resolve this issue.
Cheers,
Vanto
Post not yet marked as solved
When we call ASWebAuthenticationSession with preferEphemeral = false macOS generates this dialog with a meaningless "(null)". This looks very odd and scary for a normal person. Why it shows "null" and can we control this to make it meaningful at least?
Post not yet marked as solved
My App just uses Phone Number Authentication only . There is no Email/Password , Google , FaceBook, Apple or any other Social Authentication.
So i just wanted to ask that will my app be accepted by Appstore based on Appstore Guidelines as I am not using Apple Authentication & only using Phone Number Authentication.
Your help will mean a lot.
Post not yet marked as solved
Hello,
I used the new "Autofill Passkey" feature in my app, and all the registration steps were done well, Finally credential is registered in WebAuthn.
But the problem is that when I tap on the "GetAssertion" button, instead of showing my autofill extension UI, a QR code is displayed and the function "prepareInterfaceToProvideCredentialForRequest" is not called. what is the problem?
(The app is installed on the iPhone with iOS 17)
Post not yet marked as solved
Hi,
I have a problem with associated domains developing Passkeys app.
Adding alternate mode(developer mode) to Associated Domains Entitlement, it works fine.
But in non developer mode, CDN doesn't seem to read the AASA file.
AASA file's path is: https://(host).(rootdomain)/.well-known/apple-app-site-associtation
I checked the TLS certificate conditions and all conditions are met.
https://support.apple.com/en-us/HT213464
https://support.apple.com/en-us/HT210176
https://support.apple.com/en-us/102028
Is there another reason why it only works in developer mode?
Thanks for your reply.
I tried to use preferImmediatelyAvailableCredentials option in my sign in via Passkey process and expected to see this logic:
If passkey isn’t available (for some reason, for example, user deleted it) the sign up modal sheet appears. But instead of this I got ‘Choose how you’d like in sign in’ sheet. As I understand, preferImmediatelyAvailableCredentials should allow me to fallback to sign up and skip this step but it doesn’t.
My code is:
func signIn(credId: String) {
currentAuthController?.cancel()
let securityKeyProvider = ASAuthorizationSecurityKeyPublicKeyCredentialProvider(relyingPartyIdentifier: domain)
let publicKeyCredentialProvider = ASAuthorizationPlatformPublicKeyCredentialProvider(relyingPartyIdentifier: domain)
let assertionRequest = publicKeyCredentialProvider.createCredentialAssertionRequest(challenge: challengeData)
let securityKeyRequest = securityKeyProvider.createCredentialAssertionRequest(challenge: challengeData)
if let data = Data(base64urlEncoded: credId) {
let cred = ASAuthorizationPlatformPublicKeyCredentialDescriptor(credentialID: data)
assertionRequest.allowedCredentials = [cred]
}
let requests = [assertionRequest, securityKeyRequest]
let authController = ASAuthorizationController(authorizationRequests: requests)
authController.delegate = self
authController.presentationContextProvider = self
currentAuthController = authController
authController.performRequests(options: .preferImmediatelyAvailableCredentials)
}
Post not yet marked as solved
I just wrote code for our app to use ASWebAuthenticationSession for 3rd-party authentication (in particular, YUBIKEYS WOOHOO). Our app registers a URI scheme of x-com-kithrup for launch services events, so I used x-com-kithrup-yubi for ASWebAUthenticationSession.
Only, I didn't change the back end, so it still redirects to x-com-kithrup://success on a successful login. And... ASWebAuthenticationSession is still calling the handler when it gets a URL with the x-com-kithrup URI, instead of the x-com-kithrup-yubi URI scheme.
Post not yet marked as solved
Dear developers,
In case I want to start building healthcare marketplace app (pharmacies, medical equipments and labs) where every users can search for specific medicine, some Medical equipment and lab test can get a list of pharmacies, labs who provide those products/service. Having said that what could be the best sign in option for (pharmacists, labs, physicians, people/users) on phone number or E-mail or any sign in option that will fit who want to join healthcare app? I want your though guys here as I am trying to have a universal healthcare app that can connect all healthcare people/product/service with people.
Thanks in advance for any advice
