I have been using a workspace to incorporate the Firebase Auth functionality in my application. I am using Xcode 15.0.1 and Firebase 10.18.0. I have included a screenshot as well, in which you can see that I have typed fs and g on two separate lines; it should show me an error, but it's not. Also, I have commented out the import of Firebase, so it should also display the error that Auth.auth() is an unidentified function.
I have tried restarting my Xcode and mac as well.
Authentication Services
Improve the experience of users when they enter credentials to establish their identity using Authentication Services.
Posts under Authentication Services tag
95 Posts
It appears that for a successful registration of a passkey to a relying party using a passkey autofill provider, the BE and BS bits/flags in the attestation response need to be set to true. Please refer to the FLAGS byte of the authData field, part of the attestationObject, mentioned here - https://www.w3.org/TR/webauthn-2/#sctn-attestation.
If those flags are set to false, the RP rejects saying - "The operation either timed out or was not allowed. See: https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client."
What are the implications of having those flags set to true? Does it make the generated passkey syncable across devices using the same Apple ID? If yes, is there any way at all by which a generated passkey can be made device bound, basically generated and used only on a single iPhone/iOS device?
Also, is there a plan to ever make those flags to be set to false in a future iOS release?
Also, what does it mean in the credential provider popup where it says - "Available where is installed." in the below screenshot?
I am trying to implement a third party passkey credential provider and I have been able to successfully setup the project for that. Below is a sample code which I am using -
let passkeyRegistrationCredential = ASPasskeyRegistrationCredential(
    relyingParty: self.request?.credentialIdentity.serviceIdentifier.identifier ?? "",
    clientDataHash: self.request?.clientDataHash ?? Data(),
    credentialID: Data(credentialId),
    attestationObject: Data(attestationBytes)
)
self.extensionContext.completeRegistrationRequest(using: passkeyRegistrationCredential)
The attestationBytes object that I am generating and sending back to RP seems to work only if I set the "fmt" to "none", which basically requires "attStmt" to be sent as an empty value as per WebAuthn spec - https://www.w3.org/TR/webauthn-2/#sctn-none-attestation
When trying to set the "fmt" to "packed" in attestation object and creating a self signed "attStmt" consisting of "alg" and "sig" key-values referring - https://www.w3.org/TR/webauthn-2/#sctn-packed-attestation, it does not seem to work. The RP throws an error. I do not have "x5c" object as that supposedly is not mandatory in case of self attestation. I have "authData" also as part of the response properly setup.
Is it not possible to use packed attestation or am I missing something in creating the attestation object? Also, does Apple modify the response being sent in the background before sending to RP if packed fmt is used?
After upgrading iOS from 17 to 17.1, the list of passkeys registered to the ASCredentialIdentityStore is not displayed in the Safari QuickType bar. (Google Chrome browser is ok)
Hello everybody,
I'm trying to implement passkey provider for iOS device.
I'm in the register phase of the passkey.
Let's say this is my code to register request, what am I doing wrong?:
import AuthenticationServices
import CryptoKit
import SwiftCBOR
import UIKit

class CredentialProviderViewController: ASCredentialProviderViewController {
    // ...

    // Returns the P-256 public key as a CBOR-encoded COSE_Key map.
    func generatePublicKeyCborEncoded() -> Data {
        let privateKey = P256.Signing.PrivateKey()
        // x963Representation is 0x04 || X (32 bytes) || Y (32 bytes)
        let publicKey = privateKey.publicKey.x963Representation
        let decoded: [CBOR: CBOR] = [
            CBOR.init(integerLiteral: 1): CBOR.init(integerLiteral: 2),   // kty: EC2
            CBOR.init(integerLiteral: 3): CBOR.init(integerLiteral: -7),  // alg: ES256
            CBOR.init(integerLiteral: -1): CBOR.init(integerLiteral: 1),  // crv: P-256
            CBOR.init(integerLiteral: -2): CBOR.byteString(publicKey[1..<33].map { $0 }),  // x
            CBOR.init(integerLiteral: -3): CBOR.byteString(publicKey[33..<65].map { $0 })  // y
        ]
        return Data(CBOR.encode(decoded))
    }

    @IBAction func onRegister(_ sender: UIButton) {
        NSLog("onRegister called 1")
        guard let request = newRegistrationRequest as? ASPasskeyCredentialRequest else { return }
        // The COSE key bytes are passed as the attestation object.
        let attObj: Data = generatePublicKeyCborEncoded()
        let passkey: ASPasskeyRegistrationCredential = ASPasskeyRegistrationCredential(
            relyingParty: request.credentialIdentity.serviceIdentifier.identifier,
            clientDataHash: request.clientDataHash,
            credentialID: Data([67, 92, 125, 254, 60, 232, 238, 248, 14, 107, 245, 21, 85, 130, 40, 54]),
            attestationObject: attObj
        )
        extensionContext.completeRegistrationRequest(using: passkey) { endedWell in
            NSLog("onRegister called \(endedWell ? "" : "not") ended well")
        }
    }
}
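In WebAuthn, the attestationObject is a CBOR map with the keys fmt, attStmt and authData, and the COSE public key sits inside authData as part of the attested credential data. The following is an added example, not code from the post or from Apple: it builds that byte layout for "none" attestation in Python with a minimal hand-written CBOR encoder; the RP ID, the all-zero AAGUID and the key coordinates are constructed placeholders.

```python
import hashlib
import struct

def cbor_head(major: int, n: int) -> bytes:
    """Initial byte(s) for a CBOR major type with non-negative argument n."""
    if n < 24:
        return bytes([major << 5 | n])
    for info, fmt in ((24, ">B"), (25, ">H"), (26, ">I")):
        if n < 1 << 8 * struct.calcsize(fmt):
            return bytes([major << 5 | info]) + struct.pack(fmt, n)
    raise ValueError("argument too large for this sketch")

def cbor(v) -> bytes:
    """Encode int, bytes, str or dict (keys emitted in insertion order)."""
    if isinstance(v, int):
        return cbor_head(0, v) if v >= 0 else cbor_head(1, -1 - v)
    if isinstance(v, bytes):
        return cbor_head(2, len(v)) + v
    if isinstance(v, str):
        return cbor_head(3, len(v.encode())) + v.encode()
    if isinstance(v, dict):
        return cbor_head(5, len(v)) + b"".join(cbor(k) + cbor(x) for k, x in v.items())
    raise TypeError(f"unsupported type: {type(v).__name__}")

def cose_es256_key(x: bytes, y: bytes) -> bytes:
    """COSE_Key for P-256/ES256: kty=2 (EC2), alg=-7, crv=1, then x and y."""
    return cbor({1: 2, 3: -7, -1: 1, -2: x, -3: y})

def auth_data(rp_id: str, flags: int, sign_count: int,
              aaguid: bytes, cred_id: bytes, cose_key: bytes) -> bytes:
    """rpIdHash(32) | flags(1) | signCount(4) | aaguid(16) | len(2) | credId | key."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + struct.pack(">I", sign_count)
            + aaguid + struct.pack(">H", len(cred_id)) + cred_id + cose_key)

def attestation_object_none(ad: bytes) -> bytes:
    """Top-level map the RP decodes; fmt 'none' requires an empty attStmt map."""
    return cbor({"fmt": "none", "attStmt": {}, "authData": ad})

def build_sample() -> bytes:
    # Constructed inputs: RP ID, all-zero AAGUID and x/y bytes are placeholders,
    # not a real key. The credential ID is the one used in the post above.
    cred_id = bytes([67, 92, 125, 254, 60, 232, 238, 248, 14, 107, 245, 21, 85, 130, 40, 54])
    key = cose_es256_key(bytes(range(32)), bytes(range(32, 64)))
    # 0x5D = UP | UV | BE | BS | AT; AT announces the attested credential data.
    ad = auth_data("example.com", 0x5D, 0, bytes(16), cred_id, key)
    return attestation_object_none(ad)

if __name__ == "__main__":
    print(build_sample().hex())
```
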
Hi community!
I'm on the hunt for alternatives to digital onboarding and NFC reader libraries on iOS (and maybe on Android too). Do any of you know of alternatives to: https://github.com/AndyQ/NFCPassportReader
They should be compatible with ICAO Doc 9303 MRTD - https://www.icao.int/publications/pages/publication.aspx?docnum=9303
Your insights and suggestions mean a lot! Thanks!
Description:
NFCPassportReader - This package handles reading an NFC Enabled passport using iOS 13 CoreNFC APIS
Version 2 (and the main branch) now uses Swift Async/Await for communication. If you need an earlier version, please use 1.1.9 or below!
Supported features:
Basic Access Control (BAC)
Secure Messaging
Reads DG1 (MRZ data) and DG2 (Image) in both JPEG and JPEG2000 formats, DG7, DG11, DG12, DG14 and DG15 (also SOD and COM datagroups)
Passive Authentication
Active Authentication
Chip Authentication (ECDH DES and AES keys tested, DH DES AES keys implemented and should work but currently not tested)
PACE - currently only Generic Mapping (GM) supported
Ability to dump passport stream and read it back in
Uses Async/Await
I developed an app that implements autofill extension with ASCredentialProviderViewController to provide passkeys.
While it works smoothly on internal connections (e.g. register to webauthn.io on the same device where my app is installed), it fails when I'm scanning a QR code on another device.
I suspect it's a problem with the flags of the passkey attestation object, as the only difference between the 2 requests (internal and hybrid) I've found is that the userVerificationPreference is changed from preferred (internal) to required (hybrid).
I sent those flags (both on hybrid and internal connection):
binary rep: 01011101
decimal rep: 93
Does anyone have a clue what goes wrong?
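For the flags byte discussed in this post and in the BE/BS question further up, here is an added example (not from either post) that decodes the authenticator data flags and runs the consistency checks a relying party applies. Bit names and positions follow WebAuthn Level 3; the Level 2 text linked above still lists bits 3 and 4 as reserved. The sample authData is constructed.

```python
import struct

# Bit positions of the authenticator data flags byte (WebAuthn Level 3 naming).
FLAG_BITS = {0: "UP", 2: "UV", 3: "BE", 4: "BS", 6: "AT", 7: "ED"}
RESERVED_MASK = 0b00100010  # bits 1 and 5 are reserved for future use

def decode_flags(flags: int) -> set:
    """Names of the flags that are set in the byte."""
    return {name for bit, name in FLAG_BITS.items() if flags >> bit & 1}

def flag_problems(flags: int, uv_required: bool = False) -> list:
    """Consistency checks on the flags byte; empty list means none failed."""
    names, problems = decode_flags(flags), []
    if flags & RESERVED_MASK:
        problems.append("reserved bit set")
    if "UP" not in names:
        problems.append("UP (user present) not set")
    if uv_required and "UV" not in names:
        problems.append("UV not set but userVerification is required")
    if "BS" in names and "BE" not in names:
        problems.append("BS set without BE")
    return problems

def parse_auth_data(ad: bytes) -> dict:
    """Split authData into its fixed header and attested credential data."""
    if len(ad) < 37:
        raise ValueError("authData shorter than 37 bytes")
    out = {"rpIdHash": ad[:32], "flags": decode_flags(ad[32]),
           "signCount": struct.unpack(">I", ad[33:37])[0]}
    if "AT" in out["flags"]:
        if len(ad) < 55:
            raise ValueError("AT set but attested credential data truncated")
        (n,) = struct.unpack(">H", ad[53:55])
        if len(ad) < 55 + n:
            raise ValueError("credentialIdLength exceeds remaining bytes")
        out["aaguid"], out["credentialId"] = ad[37:53], ad[55:55 + n]
        out["coseKeyAndExtensions"] = ad[55 + n:]
    elif len(ad) > 37 and "ED" not in out["flags"]:
        raise ValueError("trailing bytes but neither AT nor ED is set")
    return out

# Constructed sample: zeroed rpIdHash and AAGUID, the flags byte from the post
# (0b01011101 = 93), a 4-byte credential ID and an empty CBOR map as key stand-in.
SAMPLE = (bytes(32) + bytes([0b01011101]) + bytes(4) + bytes(16)
          + b"\x00\x04" + b"cred" + b"\xa0")

if __name__ == "__main__":
    print(sorted(decode_flags(93)), flag_problems(93, uv_required=True))
    print(parse_auth_data(SAMPLE))
```
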
I am working on two applications that provide complementary functionality - one is a main app with authentication flow and the other handles additional functionalities within my service.
I would like to publish these as separate apps on the App Store but allow them to share data through an App Group, specifically to enable sign-in state to carry across.
The flow would be:
Main app authenticates the user and saves an authentication token to the shared App Group container
Second app launches and checks the container for this token. If present, it signs the user in automatically.
In this way the Main app handles all login functionality which enables certain features in the other app(s) when logged in state is present.
My questions are:
Would this violate any App Store guidelines around app functionality distribution or data sharing?
I intend to provide a technical rationale during review on why two apps are necessary. Would Apple allow such an implementation?
What best practices should I follow when submitting for app review approval?
It would be great to hear thoughts around the viability of this app architecture. Please let me know if further technical details are needed as well.
Looking forward to community feedback on whether Apple permits apps sharing sensitive data via App Group specifically for identity management.
Reference: guideline 2.5.2
2.5.2 Apps should be self-contained in their bundles, and may not read or write data outside the designated container area, nor may they download, install, or execute code which introduces or changes features or functionality of the app, including other apps. Educational apps designed to teach, develop, or allow students to test executable code may, in limited circumstances, download code provided that such code is not used for other purposes. Such apps must make the source code provided by the app completely viewable and editable by the user.
https://developer.apple.com/documentation/xcode/configuring-app-groups
Hi, I am using flutter MSAL SSO with flutter_inappwebview and azure_flutter_authentication package to login to the app.
let viewController: UIViewController = UIViewController.keyViewController!
let webviewParameters = MSALWebviewParameters(authPresentationViewController: viewController)
webviewParameters.webviewType = .default
I am trying to open another application in a webview by using flutter_inappwebview, so that there will be a silent log in using the MSAL SSO option on an iOS device. But it's not working.
InAppWebView(
  key: webViewKey,
  initialUrlRequest: URLRequest(url: Uri.parse(widget.url)),
  initialOptions: options,
  pullToRefreshController: pullToRefreshController,
  onWebViewCreated: (controller) {
    webViewController = controller;
  },
  onLoadStart: (controller, url) {
    logger.d("printing webview controller type: " +
        controller.runtimeType.toString());
    setState(() {
      this.url = url.toString();
      urlController.text = this.url;
      isLoading = false;
    });
  },
  androidOnPermissionRequest: (controller, origin, resources) async {
    return PermissionRequestResponse(
        resources: resources,
        action: PermissionRequestResponseAction.GRANT);
  },
  shouldOverrideUrlLoading: (controller, navigationAction) async {
    var uri = navigationAction.request.url!;
    if (![
      "http",
      "https",
      "file",
      "chrome",
      "data",
      "javascript",
      "about"
    ].contains(uri.scheme)) {
      if (await canLaunch(url)) {
        // Launch the App
        await launch(
          url,
        );
        // and cancel the request
        return NavigationActionPolicy.CANCEL;
      }
    }
    return NavigationActionPolicy.ALLOW;
  },
  onLoadStop: (controller, url) async {
    pullToRefreshController?.endRefreshing();
    setState(() {
      this.url = url.toString();
      urlController.text = this.url;
    });
  },
  onLoadError: (controller, url, code, message) {
    pullToRefreshController?.endRefreshing();
  },
  onProgressChanged: (controller, progress) {
    if (progress == 100) {
      pullToRefreshController?.endRefreshing();
    }
    setState(() {
      this.progress = progress / 100;
      urlController.text = this.url;
    });
  },
  onUpdateVisitedHistory: (controller, url, androidIsReload) {
    setState(() {
      this.url = url.toString();
      urlController.text = this.url;
    });
  },
  onConsoleMessage: (controller, consoleMessage) {
    print(consoleMessage);
  },
),
How should I pass the login session from Swift code to inappwebview in Flutter? Please help me with this. I really appreciate it. It's working fine with Android devices. The problem is with iOS devices.
Hey Apple team (and eskimo 🙏),
Our FinTech app uses iCloud Keychain shared web credentials to store a secure encryption password in iCloud Keychain.
Some of our new users seem to run into an issue where the app fails to successfully create a shared web credential.
All users are required to have the following two settings enabled:
Settings --> Passwords --> Password Options --> Autofill from iCloud Passwords & Keychain
Settings --> Apple ID --> iCloud --> Passwords and Keychain --> 'Sync this iPhone'
The issue appears to resolve itself when the user restarts their iPhone. We've had this bug 3 times now and would like to understand the root cause.
We have a couple hypotheses:
iOS is failing to verify that the domain for the shared web credential is valid via <domain>/.well-known/apple-app-site-association (and then restarting triggers reverification)
Users were on a version of iOS where it was bugged (and then restarting finally completed an update to a new version). We've verified that the bug happened on 17.0.2 with one user (until they updated and it fixed itself)
Hey community! I have an idea of social network for VisionOS. I'm trying to figure out the best approach to implement authentication flow for the users. I'm looking into Auth0 Package, but facing some issues with platform compatibility. Are there any recommendations?
I have Auth0 in an iOS app and that works just fine. I use the webAuth() method, and during migration to VisionOS I got the next error: "Module 'Auth0' has no member named 'webAuth'". I discovered the source code a little bit and found the next condition in the "Auth0" file that is not passing: #if WEB_AUTH_PLATFORM. That should be the root cause why the error occurs at the compilation stage. I tried to apply the flag "-DWEB_AUTH_PLATFORM" to "Swift Compiler - Custom Flags", but it didn't help. Are there any tweaks that I can apply to my project to make it work?
I would be happy if someone provide any relevant information. Thank you!
Garritt,
Kudos for leadership on making Apple PassKeys a reality.
would like to consult with Apple security/privacy/authentication teams about new anon/auth tools for web security and device logins generally. concepts are shared in uspto pending patent app 17/572336, for which notice of allowance has issued.
thanks,
timo
founder and seo
PoKos Communications Corp.
603.491.9792 (m)
If my app utilizes ASWebAuthenticationSession or SFSafariViewController, do I need to add all potential tracking domains that users may access within the session?
There is virtually no way to limit the URLs or domains that users can access within the ASWebAuthenticationSession or SFSafariViewController, so how can I know all the potential domains?
We extended the ASCredentialProviderViewController in our app to provide passkeys and everything seems to be working fine (from the user's perspective).
But we are curious why
prepareCredentialListForServiceIdentifiers:requestParameters:
is never called.
Since:
Passkey credentials seem only to be used / offered when added to the ASCredentialIdentityStore.
We duplicated a passkey in our app for about 15 times and all passkeys for the same service were still offered by the credential chooser from iOS and not in our app (via "prepareCredentialListForServiceIdentifiers:requestParameters:").
we believe that in the current versions of iOS "prepareCredentialListForServiceIdentifiers:requestParameters:" is not used.
It would be nice to get some clarification since it currently seems not possible to test the implementation of this method!
Xcode 15.2, iOS 17.2
I have a piece of code that displays videos. It has been working for at least 6 months. Suddenly only the first video played. The following videos would only play audio with the video being frozen at the first frame. I noticed that SwiftUI would start to instantiate multiple instances of my player observable class instead of just one.
After chasing the problem for most of a day I found that if I completely removed every piece of code referencing AuthenticationServices then everything would work fine again.
Even if I add the following piece of code which is not used or called in any way. Then SwiftUI will start to act weird.
func configure(_ request: ASAuthorizationAppleIDRequest) {
    request.requestedScopes = [.fullName, .email]
}
If I comment out request.requestedScopes = [.fullName, .email] everything works fine.
The SignInWithApple is configured and works fine if I enable the code.
Any suggestions on how to solve or any work arounds would be highly appreciated.
How do we find such info as attestationPreference through the prepareInterface() API? Is there a way to access ASAuthorizationPublicKeyCredentialRegistrationRequest? I don't seem to see how we can achieve this through ASPasskeyCredentialRequest in prepareInterface(forPasskeyRegistration:) for iOS.
A broader question is: do we even have access to the WebAuthn extensions in a third-party passkey manager?
Thanks,
Joshua
The below code used to compile for iOS 16.0 and above when using Xcode 15.2. Now it seems that ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest.excludeCredentials is only available on iOS 17.4 and above in Xcode 15.3? Is there any reason that's the case?
let request = ASAuthorizationPlatformPublicKeyCredentialProvider(relyingPartyIdentifier: id).createCredentialRegistrationRequest(challenge: challengeData, name: name, userID: userIDData)
// ERROR: 'excludedCredentials' is only available in iOS 17.4 or newer
request.excludedCredentials = registrationOptions.excludeCredentials
I'm working my way through adding passkey support to my app. At app launch, I'd like to test to see if the user has already created a passkey for the service, and if not, immediately present the account creation UI.
Is there an API call I can make to see if the user already has a credential? From the examples I’ve found, it seems I should just try to sign in, and I’ll get an error callback if there are no stored credentials. Is that right?
I’m looking to see if anybody else has noticed that iOS 17.4 seems to have broken password autofill for associated domains.
Meaning if I open my app to the login page (web view) it recognizes the associated domains and the password in my keychain.
If I tap on my user name my keychain is unlocked with biometrics (FaceID) and I’m returned to the page, but the user name and password fields are not filled in.
This just started happening in iOS 17.4 (17.3.1 works fine for example).
Interestingly, if you choose the 🔑 icon on the right side of the keyboard and then choose your credentials you get a blank page until you tap in a text field then the username and password show up.
I have filled out a bug report with Apple, but in the mean time I was curious if anybody else has seen this or have a solution.
I would like to implement certificate-based authentication using MSCA as authenticator, along with 2FA as OTP/push.
I have achieved the same using an authorization plugin, with user name and password as the first factor, and for the second factor it goes to my server for OTP verification.
In this case I would like to go to MACS for primary as certificate authentication and after that I would like to go to my server for second factor.