Hi, When attempting to perform a credential registration, I constantly get the error Application with identifier <...> is not associated with domain <domain> I've verified the following: The file is present on the required URL path https://123.com/.well-known/apple-app-site-association { "webcredentials": { "apps": [ "<PREFIX>.bundleID" ] } } Added the Capabilities to my domain Confirmed that the CA is valid and there are no redirects. Am I missing something? My device is able to properly access the file

The call stack is followed: Incident Identifier: 5DBD18B5-29DD-48E1-8BE5-A648BD4E8CE3 CrashReporter Key: 4006fd6d63831c08be5068429b9892f633d41735 Hardware Model: iPhone12,5 Process: *** Path: /private/var/containers/Bundle/Application/FD114B6F-9C45-4546-9924-082A2CF546B8/***.app/*** Identifier: com.***.*** Version: 2.0.0 (2.0.0.3) AppStoreTools: 13A227 AppVariant: 1:iPhone12,5:13 Code Type: ARM-64 (Native) Role: Unspecified Parent Process: launchd [1] Coalition: com.***.*** [2761] Date/Time: 2021-09-28 14:24:03.8329 +0800 Launch Time: 2021-09-28 14:24:03.5890 +0800 OS Version: iPhone OS 15.0 (19A346) Release Type: User Baseband Version: 3.00.00 Report Version: 104 Exception Type: EXC_GUARD Exception Subtype: GUARD_TYPE_USER Exception Message: namespc 18 reason_code 0x0000000000000002 Exception Codes: 0x6000000000000012, 0x0000000000000002 Exception Note: SIMULATED (this is NOT a crash) Termination Reason: LIBSYSTEM; [2] Thread 3: Crashed 0 libsystem_kernel.dylib 0x1b80a2ae8 os_fault_with_payload + 7382641384 ((null)) 1 libsystem_trace.dylib 0x000000019bd941b4 _os_log_impl_flatten_and_send + 6909673908 ((null)) 2 libsystem_trace.dylib 0x000000019bd90b70 _os_log + 6909660016 ((null)) 3 libsystem_trace.dylib 0x000000019bd98cac _os_log_fault_impl + 6909693100 ((null)) 4 SyncedDefaults 0x1ad034c90 -[SYDRemotePreferencesSource initWithApplicationID:storeID:shared:additionalSource:containerPath:storeType:].cold.1 + 52 5 SyncedDefaults 0x1ad027210 -[SYDRemotePreferencesSource initWithApplicationID:storeID:shared:additionalSource:containerPath:storeType:] + 1400 6 Foundation 0x182ff5d58 -[NSUbiquitousKeyValueStore initWithBundleIdentifier:storeIdentifier:additionalStore:storeType:] + 348 7 Foundation 0x182fd8e84 __41+[NSUbiquitousKeyValueStore defaultStore]_block_invoke + 24 8 libdispatch.dylib 0x000000018140194c _dispatch_client_callout + 6463428940 ((null)) 9 libdispatch.dylib 0x00000001814031d4 _dispatch_once_callout + 6463435220 ((null)) 10 Foundation 0x182fe0668 +[NSUbiquitousKeyValueStore defaultStore] + 64 ... // omit insignificant call stack of the app 14 libdispatch.dylib 0x00000001813ffc00 _dispatch_call_block_and_release + 6463421440 ((null)) 15 libdispatch.dylib 0x000000018140194c _dispatch_client_callout + 6463428940 ((null)) 16 libdispatch.dylib 0x0000000181413064 _dispatch_root_queue_drain + 6463500388 ((null)) 17 libdispatch.dylib 0x0000000181413764 _dispatch_worker_thread2 + 6463502180 ((null)) 18 libsystem_pthread.dylib 0x00000001f12c5170 _pthread_wqthread + 8341180784 ((null)) 19 libsystem_pthread.dylib 0x00000001f12c4f4c start_wqthread + 8341180236 ((null)) What's mean the Exception Note: SIMULATED (this is NOT a crash)? It's not a crash? And then, is it possible a bug in iOS 15？because no crash reports before iOS 15. Thanks.

When trying to build an AR app to my Iphone 11 with Xcode (13.2.1) using Mac OS 12.1 the build fails. Codesign wants me to use the Apple Development keychain. No matter which password I use it fails.

Hi devs!!! Calling createCredentialRegistrationRequestWithChallenge returns the following error: Error Domain=NSCocoaErrorDomain Code=4097 "connection to service named com.apple.AuthenticationServicesCore.AuthenticationServicesAgent" UserInfo={NSDebugDescription=connection to service named com.apple.AuthenticationServicesCore.AuthenticationServicesAgent} What can be the potential reason?

Hi, I've been looking at the Shiny PassKey example App. There are the following lines: // The attestationObject contains the user's new public key to store and use for subsequent sign-ins.    let attestationObject = credentialRegistration.rawAttestationObject The attestationObject is raw bytes and certainly doesn't look big enough to contain a public key. I was expecting to see a public key, can anyone confirm if a public key is accessible? The help also says: This object contains the public key. If you request it, it also contains the attestation statement. This statement too, seems slightly wrong, it's an attestation from the get go The help links off to this site: https://www.w3.org/TR/webauthn-2/#attestation-object Can anyone shed any light on this, it's quite confusing

Hey! Is it possible to test passkeys against a locally running server in simulator with self-signed certificate? As far as I can tell, the certificate is trusted on the Simulator and Safari has no trouble communicating with the server or fetching the apple-app-site-association file. The error I'm getting is ASAuthorizationController credential request failed with error: Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1004 "(null)" Error: ["NSLocalizedFailureReason": Application with identifier FAKETEAMID.com.example.apple-samplecode.Shiny is not associated with domain webauthn-api.local] When running the Shiny example app. There is an apple-app-site-association available in https://webauthn-api.local:7001/.well-known/apple-app-site-association: { "webcredentials": { "apps": [ "FAKETEAMID.com.example.apple-samplecode.Shiny" ] } } And in the Associated Domains, I've added: webcredentials:webauthn-api.local:7001?mode=developer I saw here https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_associated-domains that to use a local server with the apple-app-site-association, one should add ?mode=developer to the entitlement. However, looking at the logs for the server, the simulator does not seem to ever attempt fetching /.well-known/apple-app-site-association file, so the developer mode does not seem to have any effect. Is the developer mode supposed to work with webcredentials service. Documentation linked above doesn't make any exclusions for that.

*** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: 'Application tried to present modally a view controller <_SFAppAutoFillPasswordViewController: 0x106e22ee0> that is already being presented by <UIKeyboardHiddenViewController_Autofill: 0x106e25a10>.' IOS16(not sure other OS version could reproduce this or not) click on textfield, then keyboard shows(with a key button above), click key button, it crashes randomly.

There is no excludedCredentials parameter on the platform authenticator creation interface of Native API. ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest. The excludedCredentials parameter is used to prevent the inconsistency between the public keys managed on RP and the private keys managed on authenticator. In particular, a passkey is created for each RPID and user_id. If a user tries to re-register a passkey with the same RPID and user_id, the existing passkey will be overwritten. But there is no way for RP to detect it. This can be confusing for the user as they might see multiple credentials on the RP, but only one on the authenticator. By the way, there is the excludedCredentials parameter on the security key interface. ASAuthorizationSecurityKeyPublicKeyCredentialRegistrationRequest I’d like to know if there is a way to specify excludedCredentials on the platform authenticator interface also like the security key interface. Or, is there any way to prevent the credential inconsistency between RP and platform authenticator?

Hello Team, Am dealing with this weird issue implementing passkeys login for our website in iPad and iPhone devices 1) Auto fill use case (iPad safari browser (16.3.1) - this works) a. User successfully registered for passkeys b. Navigates to the login screen c. On Page load, the mediational – credential get requests is initiated d. User selects the passkey autofill and everything works as expected 2) Non auto fill usecase (iPad safari browser (16.3.1) this doesn't work) a. User successfully registered for passkeys b. Navigates to the login screen c. On Page load, the mediational – credential get requests is initiated d. User bypasses the autofill option prompted, **and manually types in the email and clicks on submit** e. Abort controller’s abort signal sent to the mediational get request initially fired f. A new credential.get request is created and brings up the authenticator pop up but also throws am NotAlloweErr in the background. (Appears the second promise is also rejected in the ios devices.) See the same behavior in webauthn.io website.

Hi, I referred to the documentation for reset passkeys - https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication/supporting_passkeys#4047465 , this method createCredentialRegistrationRequest seems to be an instance of ASAuthorizationSecurityKeyPublicKeyCredentialRegistration and returns a registration request of the the type ASAuthorizationSecurityKeyPublicKeyCredentialRegistrationRequest, is this correct? When i tried to integrate the same, it gave "No algorithms specified for ASAuthorizationSecurityKeyPublicKeyCredentialRegistrationRequest" from iOS. So, i tried replacing the registration request with ASAuthorizationPlatformPublicKeyCredentialProvider with same params as expected for createCredentialRegistrationRequest with challenge, username and userId, but it ended up creating one more passkey which I could see in settings. It created new passkey though I expected this to replace existing. is this expected? Also, will this registration request expected to replace ALL passkeys created for this user for this domain or just 1 passkeys matching the user and domain? Please let me know if I missed out anything. Thanks for your help

After I upgrade my iPhone from iOS 16.3 to 16.4, my passkey apps stopped working, including the Shiny app. I only updated the domain and web credentials entitlement from example.com to my domain name, nothing else, and Shiny was working fine on iOS 16.3. After the update, the app is unresponsive when tapping the "sign in" or "Create Account" buttons. In the logs, I see: 2023-04-08 20:35:26.380433+0200 Shiny[843:46331] [Authorization] ASAuthorizationController credential request failed with error: Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1001 "(null)" 2023-04-08 20:35:26.425071+0200 Shiny[843:46331] Request canceled. The AASA file also didn't change, and lists the correct domain. $ curl https://rp.example.com/.well-known/apple-app-site-association { "webcredentials": { "apps": [ "UVWXYZ1234.com.example.apple-samplecode.ShinyUVWXYZ1234" ] } } where UVWXYZ1234 stands for my TEAMID and is also used as disambiguator. Another app is also no longer working, but instead shows this log message: 2023-04-08 20:48:23.841219+0200 AppName[958:52549] [Authorization] ASAuthorizationController credential request failed with error: Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1004 "(null)" 2023-04-08 20:48:23.845169+0200 AppName[958:52549] ASAuthorization Error: ["NSLocalizedFailureReason": Application with identifier UVWXYZ1234.com.example.app is not associated with domain rp.example.com] where rp.example.com is my domain name and UVWXYZ1234.com.example.app stands for my app's bundle ID. Both log messages were absent when still running iOS 16.3 Has anything changed in iOS 16.4 that requires an update to these apps? See also FB12105522.

I find myself in the keychain a series of accounts and related pw, normally created at the time, transformed into very long character strings like MEIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAw**************** The particular feature is that account and relative pw are almost the same, just one character varies (I think) but they are not, of course, the ones I chose. And, just as obviously, they don't work when requested by the sites... The phenomenon is recent, although I remember noticing something like this looking at the pw in my Mac keychains several macOSs ago - I then thought of some form of coding. But seeing these very long strings being proposed automatically when requested by the site, instead of original accounts and pw, worries me ... does anyone have experience of such a thing?

I am using AWS Cloud Services, when I create an EC2 instance Amazon automatically generates a Security Certificate in .pem file extension, it downloads to my computer, when I click it or try and import it to Keychain, there is an error. Terminal commands cannot locate the file. I used Homebrew to try and convert the file to .12, that will not work given the file cannot be located. Any thoughts?

Hi there, we are currently playing around with passkeys and especially with the client side discoverable credentials flow as we don't require any email (or account id) from our users. Our current authentication flow: request challenge from server sign challenge with existing passkey send signed challenge to server server returns auth result and OAuth token to authenticate further requests. Our registration flow in case no passkey exists: request credential registration options from server (includes a UUID which is used to create the passkey as we don't require email/user name from the user create passkey locally upload public key to server After the registration has completed the authentication process will be retried. Let's look at following example: The user has successfully created a passkey for our platform and is able to authenticate against the server. All good so far. For some arbitrary reason the public key on the server gets deleted (possibly by deleting the account, or other reasons). The next time the user tries to authenticate against the platform the authentication is rejected, which is correct. The logical next step would be to register a new passkey. But there is the catch. By registering a new key a new UUID will be requested from the server which will create a new passkey. As we are using the client side discoverable credentials we don't know the user id with which the passkey has been created. The next time the user tries to authenticate he will be prompted with the action sheet to select one of the two existing keys. I would like to know whether there is a way to re-register an existing passkey in order to prevent the key selection step. Additionally, is there any way to customize (use a different userId) the passkey action sheet message? "Do you want to sign in with you saved passkey for '4636bbbf-27fa-4a54-b892-a2aec8b0d68e'?" doesn't help the user a lot, especially when there are multiple keys existing. Thanks for your support!

WebKit PR #9891 added support for the WebAuthn Large Blob extension in the browser. (Hooray!) Does Apple plan to add support for this extension (or similar, such as PRF) in MacOS and iOS platform authenticators? If so, where can we track this? More context: I've been developing with these extensions using other authenticators. After #9891 I hoped my native platform authenticator on Macbook Pro M1 (with Safari Preview Release 170 on Ventura 13.4) might support largeBlob. But after testing it seems I was mistaken. Thanks!

Hi, I am facing an issue with timeout implementation on navigator.credentials.create(). Trying to build an authentication using webauthn. I am doing navigator.credentials.create() upon user specific action(button-click) which then prompts dialog for user to perform biometric gesture. I am passing timeout value in publickey credential request. However noticed that timeout value is not honored on Safari and dialog which is shown to user for biometric gesture stays forever. below is how I am passing timeout "challenge": "testchanllengevalue", "rp": { "name": "test.com" }, "user": { "id": "12345-543212-12345-54321", "name": "NAME", "displayName": "NAME" }, "attestation": "direct", "timeout": 20000, "authenticatorSelection": { "authenticatorAttachment": "platform", "requireResidentKey": false, "userVerification": "required" }, "pubKeyCredParams": [ { "type": "public-key", "alg": -7 }, { "type": "public-key", "alg": -257 } ] } Anyone faced this issue and is there any know workaround for this ? Thanks!

Is there a way to release or generate a secret key when using passkeys? I want to build end-to-end encryption in my app but I also want to deliver a great user experience by leveraging the user's passkey. During authentication I want to also receive a secret that I can use to derive encryption keys. In the future on the web to do this you can leverage the WebAuthn pseudo-random function (PRF) extension. Is there an alternative to this in Authentication Services?

The WWDC23 video on deploying passkeys at Work (https://developer.apple.com/videos/play/wwdc2023/10263/?time=633) talks about a Corporate CA Server signing the Identity Certificate for the passkey, which can be further used during registration with the relying party. Where can I find more information on what protocol and specification this Corporate CA should follow here ? Is this based on protocols such as SCEP/ ACME (or) something else ? Also, where I can find information on what verification this Corporate Server can follow before signing that Identity Cert?

Firstly massive thank you to the Passkeys team at Apple for opening up the APIs to allow third-party password manager apps to save and autofill Passkeys in iOS 17! I wasn't expecting this so soon. Incredible work. I have successfully implemented the new methods on ASCredentialProviderViewController, up to the point where our app's extension is now being presented when a user is prompted to "Create a passkey?". However two things are not entirely clear to me from this point on: When the user chooses our app to create a password by tapping "Continue", the prepareInterfaceToProvideCredential(for credentialRequest: ASCredentialRequest) method is called. Should I be handling passkey creation within this method? Really at this point I was expecting prepareInterface(forPasskeyRegistration: to be called instead. Are new passkeys automatically generated and returned by AuthenticationServices during this flow, or is it down to the developer to generate a new passkey here? I ask because the documentation for prepareInterface(forPasskeyRegistration: seems to imply the former, stating: "This method will present your extension's UI for user authentication before creating the passkey." Thanks again.