WKWebView and WebAuthn seem broken in iOS 15.4. Did something change?

WKWebView and WebAuthn seem broken in iOS 15.4. Did something change, are they broken?

To explain in more detail, when attempting to use a WebAuthn enabled web application in previous versions of iOS, the browser (WKWebView) reports "Not Supported".

Trying the same in iOS 15.4, both simulator and device do not report "Not supported" and attempting a WebAuthn challenge gets stuck. Additionally, it seems not to respect timeout times.

An easy example is to run a simple test app with a WebView, load "https://webauthn.io/" and see the results. (See attachments). This has been tested in more vendors as well with similar results. I am posting here some results from webauthn.io that clearly demonstrate the behaviour change without any other moving parts.

This causes multiple authentication issues on some 3rd party apps, when the authentication journeys include WebAuthn challenges. Is there a bug in WKWebViews, is that intended and if so how is someone supposed to get around that?

Please let me know if you need code samples or for me to raise a bug report.

Thanks in advance, George Bafaloukas

Replies

I recently ran into some issues using WebAuthn in the context of WKWebView and happened to run across the answer to your question. I ran into this while investigating this bug: https://bugs.webkit.org/show_bug.cgi?id=237380a

Per comments from WebKit devs on that bug, WebAuthn is not supported in WKWebView unless your app specifically has the Web Browser entitlement in which case it is then enabled.

Also, if you invoke WebAuthn-related functions like navigator.credentials.create() or window.PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable() there is a bug where the promise returned from those methods in a WKWebView context on iOS never resolves.

I ended up working around it by executing the initial isUserVerifyingPlatformAuthenticatorAvailable() in a Promise.race() with a timeout so that I could at least determine that WebAuthn was not supported in that context.

Hope this helps, Kevin Flanagan
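
The workaround described in the reply above, sketched as an added example (not code from the thread or from WebKit): the availability check is raced against a timer so that a promise that never settles is reported as a distinct state instead of stalling the login flow. The names `PROBE` and `probeWebAuthn`, the `scope` parameter and the 2000 ms default are assumptions made for this sketch.

```javascript
// Added example. `scope` is normally `window`; it is a parameter so the
// probe can also be exercised outside a browser.
const PROBE = Object.freeze({
  SUPPORTED: "supported",
  NO_PLATFORM_AUTHENTICATOR: "no-platform-authenticator",
  API_MISSING: "api-missing", // PublicKeyCredential not exposed at all
  TIMED_OUT: "timed-out",     // promise never settled (the WKWebView case)
  ERROR: "error",             // the check threw or rejected
});

function probeWebAuthn(scope, timeoutMs = 2000) {
  const pkc = scope && scope.PublicKeyCredential;
  if (!pkc ||
      typeof pkc.isUserVerifyingPlatformAuthenticatorAvailable !== "function") {
    return Promise.resolve(PROBE.API_MISSING);
  }

  let timer;
  const timeout = new Promise((resolve) => {
    timer = setTimeout(() => resolve(PROBE.TIMED_OUT), timeoutMs);
  });

  // Start from a resolved promise so a synchronous throw is also mapped to ERROR.
  const check = Promise.resolve()
    .then(() => pkc.isUserVerifyingPlatformAuthenticatorAvailable())
    .then(
      (ok) => (ok ? PROBE.SUPPORTED : PROBE.NO_PLATFORM_AUTHENTICATOR),
      () => PROBE.ERROR
    );

  // Whichever settles first wins; always clear the timer afterwards.
  return Promise.race([check, timeout]).finally(() => clearTimeout(timer));
}

// Browser usage: treat anything other than SUPPORTED as "offer a
// non-WebAuthn sign-in path", and do not call navigator.credentials.create()
// or get() in that case, since those promises may hang as well.
//
// probeWebAuthn(window).then((state) => {
//   if (state !== PROBE.SUPPORTED) { /* fall back to another factor */ }
// });
```

A `timed-out` result only says the check did not settle within the limit, so log it separately from `api-missing` when diagnosing which embedded contexts are affected.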