Post not yet marked as solved
Hello! We are trying to add passkeys support to our iOS application. Following this documentation Supporting Passkeys, we get the following error: authorizationController(controller:didCompleteWithError:): The operation couldn’t be completed. Application with identifier X is not associated with domain X. We have the associated domains configured, and an AASA tool shows that everything is correctly set up, and the identifier is associated with the domain. We are using Xcode 15. Any idea on how to solve this problem is greatly appreciated!
I have many questions about iOS passkey. I'm using my app extension to implement something similar to an iCloud passkey authenticator. I securely store my self-generated keys in the Secure Enclave (SE). I'd like to know how to make the extension execute the prepareInterfaceToProvideCredentialForRequest method instead of provideCredentialWithoutUserInteractionForIdentity. I need to display a UI to obtain my key. Please provide assistance. Thank you.
Post not yet marked as solved
Hi, I am currently implementing the ability to allow users to add a Passkey to their account by using the webuathn api. My current issue is that I would like to identify what type of device/authenticator the user has used to create their passkey so that we can automatically set a nickname for the passkey for the user to help the user experience (E.g. if a user has setup a passkey on an Apple device, we would auto set the nickname as iCloud Keychain so its clear to the user that the passkey is not specific to just the device they set it up on).
After some reading, it seems like when trying to create a new passkey via an Apple device, it will not send a populated attestation with any sort of attestation statement, aaguid, fmt etc... and this is what I have been seeing in my testing of my implementation.
My question is, instead of using an aaguid, is there an alternative way to identify that the user has created a passkey via iCloud Keychain? I can see that when creating a passkey to my Google account via my iPhone/Macbook, they seem to be able to identify when a passkey is created on an Apple Device and labels it automatically as ("iCloud Keychain") and this applies to both doing it via platform and cross-platform. I essentially want to be able to achieve this but I'm not sure how this can be done.
Post not yet marked as solved
Hi Everyone,
Context:
I'm working on allowing my app to log in using passkeys/security keys.
It all works great on a device but it doesn't when I try to log in using the simulator.
Problem:
On the simulator, I can go until the simulator presents the QR code so another device can sign the challenge but the device can't establish a connection with the simulator. I'm assuming the connection can't be established because the simulator does not support Bluetooth, which is a requirement for passkeys.
Question
I'm bound to only develop on a real device from now on? Or is there a way to make passkeys work with the simulator?
Thanks in advance!
Screenshots
Simulator
Device
Post not yet marked as solved
There is no excludedCredentials parameter on the platform authenticator creation interface of Native API. ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest.
The excludedCredentials parameter is used to prevent the inconsistency between the public keys managed on RP and the private keys managed on authenticator. In particular, a passkey is created for each RPID and user_id. If a user tries to re-register a passkey with the same RPID and user_id, the existing passkey will be overwritten. But there is no way for RP to detect it. This can be confusing for the user as they might see multiple credentials on the RP, but only one on the authenticator.
By the way, there is the excludedCredentials parameter on the security key interface. ASAuthorizationSecurityKeyPublicKeyCredentialRegistrationRequest
I’d like to know if there is a way to specify excludedCredentials on the platform authenticator interface also like the security key interface. Or, is there any way to prevent the credential inconsistency between RP and platform authenticator?
Post not yet marked as solved
what could be the reason that we after saving and deleting the same list of [ASPasskeyCredentialIdentity], the credential still show up in the OS UI (quick type bar or when tapping the password key icon on top of the keyboard).
does that mean the remove operation fail? but our log indicate that the removeCredentialIdentities completion closure succeed without error.
and for the ASPasskeyCredentialIdentity initialization, we fill in the parameters from the same object, so we believe the id parameter shall be the same (which identify the same ASPasskeyCredentialIdentity to be saved and removed)
what could be the reason that it is still showing up in the OS UI? is this a know issue?
Post not yet marked as solved
Hey there I'm facing problem with create passkey .pkpass, the problem is I've to create a passkey using certificate created by macOS then upload on the appstore then import to the key chain then I can create a .pkpass but I wanna create it in my Django server for my customers when ever customer create their digital business card. when I created in my another MacBook where that certificate not imported the .pkpass is not going to create, and if I create it on any way it is not going to open. please help me how I can create it for my each customer on server dynamically.
Post not yet marked as solved
Everything was working well in the beta version of iOS 17 and the registration and login were done correctly. However, after installing the public(release) version of iOS 17, the functions "completeRegistrationRequest" and "completeAssertionRequest" do not work properly and their completion result is false. and I faced the "Operation failed" error in the "webauthn" website. What's wrong?
Post not yet marked as solved
I can't import into keychain. I can't drop and drag. I have it turned on in iCloud. I tried creating a second keychain and it still doesn't work.
Post not yet marked as solved
Hello,
I used the new "Autofill Passkey" feature in my app, and all the registration steps were done well, Finally credential is registered in WebAuthn.
But the problem is that when I tap on the "GetAssertion" button, instead of showing my autofill extension UI, a QR code is displayed and the function "prepareInterfaceToProvideCredentialForRequest" is not called. what is the problem?
(The app is installed on the iPhone with iOS 17)
Post not yet marked as solved
Looks like a security flow in ASCredentialProviderViewController
Register a new Passkey on foo.example.com
Now iOS 17 (RC) will suggest and permit to select the Passkey to login in bar.example.com, which is agains specs
From specs:
For example, given a Relying Party whose origin is https://login.example.com:1337, then the following RP IDs are valid: login.example.com (default) and example.com, but not m.login.example.com and not com.
Also looks like a bug, in this method:
func prepareInterfaceToProvideCredential(for credentialRequest: ASCredentialRequest)
If I've registered my Passkey for RP foo.example.com and trying to login to bar.example.com (the bug). In ASCredentialRequest.credentialIdentity.serviceIdentifier.identifier is foo.example.com but I am trying to login to bar.example.com, from this we can't understand on what RP is this Passkey used and can't restrict the use of Passkey in case it is used on a wrong RP.
P.S: iCloud Passkeys works as expected.
I suspect this is an issue with Google’s passkey implementation, but it might not be, and if there is a solution I suspect this post will be useful for all other third-party passkey providers encountering the same issue.
I have implemented Passkeys in our password manger using the new APIs introduced in iOS17. Passkey attestation and assertion works as expected with every service we’ve tested that supports Passkeys (I.e Webauthn.io, GitHub, etc). However the only service that doesn‘t work is Google.
I can create a passkey for Google using iCloud Keychain just fine, but for some reason, although my app successfully creates the passkey, Google is rejecting it.
I suspect this is a security measure on Google’s side, but it will be a UX nightmare for users of third-party passkey managers on iOS 17, as they won’t be able to create or sign in with a passkey for Google (which will probably be the number 1 use-case for using passkeys).
When using iCloud Keychain to create a passkey, unlike other services, I noticed that Google actually recognises that I’ve used iCloud Keychain to create the Passkey, and labels the Passkey with “iCloud Keychain”.
Is Apple sending some additional identifying info in their attestation statement that I’m not sending?
If not, how is Google able to identify the passkey provider (in this case “iCloud Keychain”) by name?
Could it be that Google has somehow whitelisted iCloud Keychain for Passkey creation, while disallowing third-party providers?
Assuming it is the latter, unfortunately there is no way to reach out to Google about this. I suspect Apple would need to advocate on the behalf of third-party providers running on apple platforms, that they be allowed to provide passkeys for Google sign in.
Its a shame to hit this type of road block so close to the iOS 17 release candidate.
Post not yet marked as solved
I have two logins for one website, so two different accounts with different email addresses.
For both accounts I have stored a passkey for the login. If I now use the passkey for account 1 and login successfully, account 2 is selected for me the next time I would like to log in and I then have manually to select account 1 in order to log in with it again.
To me it would make much more sense if the system would always use/suggest the last used account/passkey.
My system:
macOS Monterey Version 12.6.8 (21G725)
Safari Version 16.6 (17615.3.12.11.3, 17615)
Post not yet marked as solved
When trying to build an AR app to my Iphone 11 with Xcode (13.2.1) using Mac OS 12.1 the build fails. Codesign wants me to use the Apple Development keychain. No matter which password I use it fails.
Post not yet marked as solved
It appears that this method from ASCredentialProviderViewController is not being called at all. I am unable to trigger it. Ref
func prepareCredentialList(for serviceIdentifiers: [ASCredentialServiceIdentifier], requestParameters: ASPasskeyCredentialRequestParameters)
I expected it to be triggered when RP has a list of allowCredentials, but I still get:
override func prepareInterfaceToProvideCredential(for credentialRequest: ASCredentialRequest)
Am I missing something?
Post not yet marked as solved
Apple's passkeys page at - https://developer.apple.com/passkeys/ now says -
Passkeys can now be synced using external providers
What is that supposed to mean and how it can be implemented? Are there any APIs provided by the iOS SDK for the same?
Post not yet marked as solved
Hi everyone!
Will iOS platform authenticator have support for PRF passkeys extension?
https://github.com/w3c/webauthn/wiki/Explainer:-PRF-extension
As far as I know current implementation doesn't as we don't have access to private part of generated keys to perform some crypto operations
Post not yet marked as solved
We are trying to support Passkey Management in our app with the latest iOS 17 Passkey Autofill.
During this process, we have a few doubts and queries:
First, we have configured the AutoFill extension for external passkey management
Next we used the 'prepareInterface(forPasskeyRegistration:' delegate for passkey generation
We are facing an issue on creating the attestationObject for ‘ASPasskeyRegistrationCredential’. Here, we’re not sure if we need to create the attestationObject [if so any documentation or help regarding this] or is there any API to get the attestationObject which we are missing.
override func prepareInterface(forPasskeyRegistration registrationRequest: ASCredentialRequest) {
let request = registrationRequest as! ASPasskeyCredentialRequest
let passkeyRegistration = ASPasskeyRegistrationCredential(relyingParty:
request.credentialIdentity.serviceIdentifier.identifier, clientDataHash: request.clientDataHash, credentialID: Data(UUID().uuidString.utf8), attestationObject: "????")
extensionContext.completeRegistrationRequest(using: passkeyRegistration)
}
Even we have tried passing the hardcoded attestationObject[we used the existing attestationObject received using icloud keychain] , still we got empty ‘ClientDataJSON’ on ‘authorizationController(controller:’ delegate.
Post not yet marked as solved
We are trying to implement the new feature that was introduced in iOS 17, Passkeys Autofill Provider.
We've created a new 'AutoFill Credential Provider' target and embedded it into our host app.
We've implemented the 'CredentialProviderViewController,' which is inherited from 'ASCredentialProviderViewController.'
When we go to 'https://webauthn.io' to trigger the passkeys view, everything is working as expected when we press 'Register.'
The function 'override func prepareInterface(forPasskeyRegistration registrationRequest: ASCredentialRequest)' is called, but...
We know that we need to call 'self.extensionContext.completeRegistrationRequest(using:)' but we don't know how to construct the response.
We didn't find any examples or explanations of how to use this API. Can someone help us with this?
Thank you.
Post not yet marked as solved
When passkey authentication failed, we need to use corresponding logic to handle user cancellation and no credential error respectively.
Does Apple have a plan to use different errorcodes to distinguish these two types of errors?
refer to : https://developer.apple.com/forums/thread/735867?answerId=762182022#762182022
VladS94.
