Post not yet marked as solved
Hey Folks,
I'm currently building an SDK that will manage the creation and authentication of the passkeys for my users, and this SDK can be integrated on 3rd party apps that are out of my direct control.
The scenario of when this SDK will be used is like when you have an app that you can link your account with LinkedIn, to get some info about you there and need to log in with your Linkedin account. So, the app itself that is consuming the SDK can have a passkey, and this "link account" feature (SDK) will also manage its passkey creation and authentication.
Based on this I have a couple of questions:
Can I grant only grant the associated domains/webcredentials entitlements to my SDK, such that the SDK is the only part allowed to create or access my passkeys but the app that consumes that SDK can only call the functionality exposed by the SDK, and not directly have the privileges to create and access my passkeys nor my iCloud Keychain?
If 1 is not possible, what other options do I have? I imagine that if I give to access these 3rd party apps that consume my SDK to my associated domain webcredentials, I also will give them permission to them, to create passkeys in my name, using my RPID, and this is a really insecure scenario, so a no go.
May you folks help me to understand the best course of action in this scenario?
Thanks!
Post not yet marked as solved
I am using passkey for my app, but the user can register over and over again with the same device, so it's too bad for us and we cannot find a way to limit one user only register one account, we cannot get the device id or any unique identifier just like phone number. so how to solve it?
Post not yet marked as solved
Hi everyone!
Will iOS platform authenticator have support for PRF passkeys extension?
https://github.com/w3c/webauthn/wiki/Explainer:-PRF-extension
As far as I know current implementation doesn't as we don't have access to private part of generated keys to perform some crypto operations
Post not yet marked as solved
How do I sign into icloud with the new passkey for the apple ID that came with iOS 17?
Post not yet marked as solved
On a iPhone, I have registered 2 different passkeys for 2 different users(Lets say user A and user B) for a domain example.com. Now at the time of authentication I am able to use Passkeys of user A to authenticate user B with authentication challenge fetched from server. This should not be allowed. As per documentation, I can see ASAuthorizationPlatformPublicKeyCredentialProvider.createCredentialAssertionRequest(challenge: challenge) only accepts challenge value and does not accept any user ID. How can I verify the user details/info while authenticating with Passkey.
Post not yet marked as solved
The attestationObject contains the user's new public key to store and use for subsequent sign-ins.
According to the description, in the passkey authorization success callback, the attestationObject contains the public key, can the client decode the attestationObject and obtain the public key? If possible, can you help provide the relevant API?
public func authorizationController(controller: ASAuthorizationController, didCompleteWithAuthorization authorization: ASAuthorization) {
switch authorization.credential {
case let credentialRegistration as ASAuthorizationPlatformPublicKeyCredentialRegistration:
// The attestationObject contains the user's new public key to store and use for subsequent sign-ins.
credentialRegistration.attestationObject
default: break
}
}
Post not yet marked as solved
Hi everyone, I guess this is a long shot but I thought I might ask. Is it possible for app clips to invoke Passkey Auth? In this example I'm designing a POC for a checkout flow where the 3DS challenge is triggering the Bank App Clip and allows the user to authenticate using passkey. Much appreciated!
Post not yet marked as solved
I understand that during the CTAP process with a Passkey, a key agreement takes place when scanning the QR code and sending Bluetooth advertisements. Is the Diffie-Hellman algorithm used for the key agreement during this process?
Post not yet marked as solved
For MacOS user accounts, can Passkey be used to login to desktop systems (i.e systems wo biometrics authentication; iMac, Mac mini, Studio, Pro ) accounts?
If not available, is this part of the future roadmap?
Post not yet marked as solved
I keep getting the following error when trying to run Passkey sign in on macOS.
Told not to present authorization sheet: Error
Domain=com.apple.AuthenticationServicesCore.AuthorizationError Code=1
"(null)"
The same piece of code is working as expected on iOS.
Some more info:
The association file and entitlements are correct and validated as everything is working on iOS.
The app is built on SwiftUI and use the same codebase for macOS and iOS
Validated that the presentation anchor is also correct on macOS because other SSO login works with the same presentation anchor.
Not sure where the problem is. Followed https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication/supporting_passkeys/ to get the integration.
We are working on implementing FIDO2 with passkeys and its works fine in the consumer with Apple ID. On the Enterprise level we can't able to make it because corp device don't have option to enable Apple ID and its disabled by MDM as per policy.
is there any alternate approach where corp device can use FIDO authentication without using Apple ID?
thanks
I'm implementing passkeys by following the example from the Food Truck sample project. I have nearly everything working, but there's one problem. I'm using the AuthorizationController environment value and passing that to my login and register functions, but when I call authorizationController.performAutoFillAssistedRequest, I don't see or know of any way to cancel it, so if the user tries to type in their username instead of use the autofill suggestion, the second (non-autofill) request throws the error, The operation couldn’t be completed. Request already in progress for specified application identifier. I know that ASAuthorizationController has a cancel() function, but is there any way to do this with AuthorizationController?
Post not yet marked as solved
Hi.
I'm trying to develop a passkey app connected with a Webauthn server.
There is a problem in the process of creating the Attestation Object.
Since I am assigned 8445 port, I need to upload the /.well-known/ directory to that port.
In the WebAuthn specification, the RPID should not include the port number.
(https://www.w3.org/TR/webauthn-2/#relying-party-identifier)
When initializing an ASAuthorizationPlatformPublicKeyCredentialProvider object, if I add the port number to RPID, the passkey UI will work and ASAuthorization object will be checked.
But, I don't get authentication from webauthn server because the Attestation Obj is generated with RPID which contains port.
Is there any way to specify the port number to check the "well-known" directory? Or is it only possible on port 443?
I checked the post, but there is no more feedback, so I'm asking a question.
(https://developer.apple.com/forums/thread/730028)
Post not yet marked as solved
Hi,
Is it possible to use top level domain registered passkey(example.com) to authenticate against the subdomains (my.example.com)?
Post not yet marked as solved
I initiated the Passkey CTAP process after establishing an internet connection on my smartphone (authentication device) using Wi-Fi. Once the client PC and the smartphone established a TCP connection and were in the midst of the CTAP process, I attempted to switch the internet connection to a different Wi-Fi network or transition to mobile data. As a result, I was unable to log in with the Passkey. (There was no observable change on the client PC screen; it did not transition to a success/failure screen, leading me to believe that no packets were transmitted.) I initially thought that performing a network handover after the TCP connection might have caused the connection to be severed, resulting in the absence of packet transmission.
However, I discovered that if I established the authentication device's internet connection using mobile data and then, in the middle of the CTAP process, turned off the mobile data to automatically switch back to Wi-Fi, the Passkey login process succeeded.
What is the reason behind this outcome? Can you explain the technical factors that contribute to this behavior?
Post not yet marked as solved
As the description in the demo, if there is no credentials, will receive the same error code (ASAuthorizationErrorCanceled) as if the user canceled.
In this case, Is there a way to distinguish whether the error is canceled by the user or no credentials?
if authorizationError.code == .canceled {
// Either the system doesn't find any credentials and the request ends silently, or the user cancels the request.
// This is a good time to show a traditional login form, or ask the user to create an account.
} else {
// Another ASAuthorization error.
// Note: The userInfo dictionary contains useful information.
logger.error("Error: \((error as NSError).userInfo)")
}
}
I'm trying to implement passkeys in my app. I successfully get to the dialog in iOS simulator to register with a Passkey and I can also read the result and see all the right things in credentialRegistration.rawClientDataJSON. The one thing that's not working is when decoding the rawAttestationObject (which should be CBOR as I understand), I find all data defined in the spec (aaguid, credentialIdLength, credentialId) except for the credentialPublicKey! The rawAttestationObject basically ends after the credentialId. I see this both when decoding the rawAttestationObject manually as well as when using WebAuthn libraries on the server, which will give me an "Unexpected end of CBOR data" error.
Any ideas why the rawAttestationObject does not contain the public key?
For reference, here is the initialization of the Passkey request:
let publicKeyCredentialProvider = ASAuthorizationPlatformPublicKeyCredentialProvider(relyingPartyIdentifier: options.domain)
let registrationRequest = publicKeyCredentialProvider.createCredentialRegistrationRequest(challenge: challenge, name: name, userID: userID)
let authController = ASAuthorizationController(authorizationRequests: [ registrationRequest ])
authController.performRequests()
And here is how I handle the result:
case let credentialRegistration as ASAuthorizationPlatformPublicKeyCredentialRegistration:
let rawAttestationObject = credentialRegistration.rawAttestationObject!.base64EncodedString()
let credentialID = credentialRegistration.credentialID.base64EncodedString()
let rawClientDataJSON = credentialRegistration.rawClientDataJSON.base64EncodedString()
let response: PasskeysResponse = [
"attestationObject": rawAttestationObject,
"credentialId": credentialID,
"clientDataJson": rawClientDataJSON,
]
Here is an example for a decoded attestation object:
{
"rpIdHash": "o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YViYmW4=",
"flags": {
"userPresent": false,
"userVerified": false,
"backupEligibility": true,
"backupState": true,
"attestedCredentialData": true,
"extensionData": false
},
"signCount": 425116148,
"aaguid": "20318e2d-77fa-f54d-bed7-ba15ccd3fade",
"credentialId": "1B1KJf6uYF0AAAAAAAAAAAAAAAAAAAAAAAAAAAAUQW65BAqkeKqu97vbc0Se5R1F3Y+lAQIDJiABIVggtdSX2ZAHsBxU4ja1xP6hCZGUXgUCb6Ipau3stU8rrz4iWCBwhOBWOgwT4yKRnU1hA11thC8+CvjmrCkfq//648cwHg==",
"credentialPublicKey": ""
}
As you can see, it looks all good except for the "credentialPublicKey": "" part.
Post not yet marked as solved
We are trying to implement the new feature that was introduced in iOS 17, Passkeys Autofill Provider.
We've created a new 'AutoFill Credential Provider' target and embedded it into our host app.
We've implemented the 'CredentialProviderViewController,' which is inherited from 'ASCredentialProviderViewController.'
When we go to 'https://webauthn.io' to trigger the passkeys view, everything is working as expected when we press 'Register.'
The function 'override func prepareInterface(forPasskeyRegistration registrationRequest: ASCredentialRequest)' is called, but...
We know that we need to call 'self.extensionContext.completeRegistrationRequest(using:)' but we don't know how to construct the response.
We didn't find any examples or explanations of how to use this API. Can someone help us with this?
Thank you.
Post not yet marked as solved
When passkey authentication failed, we need to use corresponding logic to handle user cancellation and no credential error respectively.
Does Apple have a plan to use different errorcodes to distinguish these two types of errors?
refer to : https://developer.apple.com/forums/thread/735867?answerId=762182022#762182022
Post not yet marked as solved
Hello,
I used the new "Autofill Passkey" feature in my app, and all the registration steps were done well, Finally credential is registered in WebAuthn.
But the problem is that when I tap on the "GetAssertion" button, instead of showing my autofill extension UI, a QR code is displayed and the function "prepareInterfaceToProvideCredentialForRequest" is not called. what is the problem?
(The app is installed on the iPhone with iOS 17)
