I tried to use Passkeys with our own FIDO server, but I encountered a problem.
After the user confirms the authenticationRequest created with createCredentialAssertionRequest, you get an ASAuthorizationPlatformPublicKeyCredentialAssertion. When I send the contents of it to our server it fails, because it doesn't know which credential public key it should use to verify the signature.
The browser WebAuthn API returns something like this:

    {
        "id": "...",
        "rawId": "...",
        "type": "public-key",
        "response": {
            "authenticatorData": "...",
            "clientDataJSON": "...",
            "signature": "...",
            "userHandle": "..."
        }
    }

where id is the credential id used to sign the challenge, which our FIDO server can use to look up the public key in its database.
With the current state of the iOS API our server would need to look up all public keys for the user and then try them one by one in order to verify the signature.
So my question is, am I missing something? Or is this intended behaviour?