Password input view is not showing

I am working on a Token extension on iOS. Apple's documentation says that if we throw an error with error code "TKError.Code.authenticationNeeded.rawValue", it will trigger user authentication. In my TKTokenSessionDelegate class, in the sign dataToSign function, I am throwing this error, but my extension is not showing the authentication screen. Any idea what I am missing?

Accepted Reply

I have figured it out. When we add TKTokenOperationConstraint, if we assign true it'll not show the PIN screen. I have given none, and now I can see the Enter PIN screen every time.

Replies

Hello mjza,

Could you tell me please, where do I set TKTokenOperationConstraint? Apple documentation is so poor. Thank you.

In a persistent token the container app is responsible for managing the list of credentials in the token. It does this by setting the keychainItems property on the TKToken.Configuration value. This is an array of TKTokenKeychainItem values. Those values are either:

  • TKTokenKeychainCertificate, representing a certificate, or

  • TKTokenKeychainKey, representing a key

You need to apply a constraint to the key so that the system knows to prompt the user for a PIN. Here’s how I do this:

// Create an item for the private key.  We pass the certificate in here
// so that CTK can infer all of the private key’s details — its type,
// size in bits, and so on — from there.  If we didn’t have the
// certificate, we just had a private key, we could populate that
// ourselves but that’s a lot of work.

let keyItem = TKTokenKeychainKey(
    certificate: identity.certificate,
    objectID: identity.privateKeyObjectID.value
)!

// Tweak the key item’s constraints.  The constraints default to `true
// as NSNumber`, which means that, deep down in the extension’s
// `TokenSession` class, the `tokenSession(_:beginAuthFor:constraint:)`
// method never gets called.  Setting a custom value — it doesn’t really
// matter what the value is as long as it’s not true or false — tells
// the system that authentication is required and thus it’s OK to
// call that method.

keyItem.constraints![TKTokenOperation.signData.rawValue as NSNumber] = VirtualToken.OperationConstraint.secretsPassword.rawValue

where identity is my own type that has a SecCertificate property holding the certificate [1] and privateKeyObjectID holding the object ID.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] The certificate public key in this certificate matches the private key in the token. This match is what allows the system to form a digital identity, which is what most token clients are looking for.
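
The extension side of the flow discussed in this thread, as an added example that is not code from the original posts or from Apple: the sign method throws authenticationNeeded until the user has authenticated, and tokenSession(_:beginAuthFor:constraint:) hands back a password operation for a key whose constraint is neither true nor false. The names pinConstraint, tkError, PINAuthOperation, TokenSession, isUnlocked, verifyPIN and signWithTokenKey are assumptions made for illustration, as is the choice to require a fresh PIN for every signature.

```swift
import CryptoTokenKit

// Hypothetical names for illustration: pinConstraint, tkError, PINAuthOperation,
// TokenSession, isUnlocked, verifyPIN and signWithTokenKey are not CryptoTokenKit API.
let pinConstraint = "pin"  // constructed value; must equal the constraint stored on the key item

func tkError(_ code: TKError.Code) -> NSError {
    NSError(domain: TKErrorDomain, code: code.rawValue, userInfo: nil)
}

final class PINAuthOperation: TKTokenPasswordAuthOperation {
    weak var owner: TokenSession?

    // Called by the system once the user has entered a PIN in its prompt.
    override func finish() throws {
        guard let owner = owner, let pin = password, owner.verifyPIN(pin) else {
            throw tkError(.authenticationFailed)
        }
        owner.isUnlocked = true
    }
}

final class TokenSession: TKTokenSession, TKTokenSessionDelegate {
    var isUnlocked = false
    // Assumptions: the extension supplies its own PIN check and signing backend.
    var verifyPIN: (String) -> Bool = { _ in false }  // fails closed until replaced
    var signWithTokenKey: (Data, TKToken.ObjectID, TKTokenKeyAlgorithm) throws -> Data =
        { _, _, _ in throw tkError(.notImplemented) }

    // Reached only when the key's constraint is neither true nor false.
    func tokenSession(_ session: TKTokenSession, beginAuthFor operation: TKTokenOperation,
                      constraint: Any) throws -> TKTokenAuthOperation {
        guard operation == .signData, (constraint as? String) == pinConstraint else {
            throw tkError(.badParameter)
        }
        let auth = PINAuthOperation()
        auth.owner = self
        return auth
    }

    func tokenSession(_ session: TKTokenSession, sign dataToSign: Data,
                      keyObjectID: TKToken.ObjectID,
                      algorithm: TKTokenKeyAlgorithm) throws -> Data {
        // Not yet authenticated: ask the system to prompt, then retry this call.
        guard isUnlocked else { throw tkError(.authenticationNeeded) }
        defer { isUnlocked = false }  // one PIN entry authorizes one signature
        return try signWithTokenKey(dataToSign, keyObjectID, algorithm)
    }
}
```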