Passkey against local server with self-signed certificate

Hey!

Is it possible to test passkeys against a locally running server in simulator with self-signed certificate? As far as I can tell, the certificate is trusted on the Simulator and Safari has no trouble communicating with the server or fetching the apple-app-site-association file.

The error I'm getting is

ASAuthorizationController credential request failed with error: Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1004 "(null)"
Error: ["NSLocalizedFailureReason": Application with identifier FAKETEAMID.com.example.apple-samplecode.Shiny is not associated with domain webauthn-api.local]

When running the Shiny example app. There is an apple-app-site-association available in https://webauthn-api.local:7001/.well-known/apple-app-site-association:

{
  "webcredentials": {
    "apps": [ "FAKETEAMID.com.example.apple-samplecode.Shiny" ]
  }
}

And in the Associated Domains, I've added:

webcredentials:webauthn-api.local:7001?mode=developer

I saw here https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_associated-domains that to use a local server with the apple-app-site-association, one should add ?mode=developer to the entitlement.

However, looking at the logs for the server, the simulator does not seem to ever attempt fetching /.well-known/apple-app-site-association file, so the developer mode does not seem to have any effect. Is the developer mode supposed to work with webcredentials service. Documentation linked above doesn't make any exclusions for that.

Up vote post of mikko-nylen Down vote post of mikko-nylen
3.4k views
Posted by
mikko-nylen
Reply

  • Did you solve this? I am having the same problem. The server logs don't show the app ever went there.

    louie_keystructure
Add a Comment

Replies

Did you ever figure this out?

Posted by
alevy97
Up vote reply of alevy97 Down vote reply of alevy97
Add a Comment

Same problem here. I am using the example app shinny. In associated domains I am using my full domain sub.mydomain.com for example. So I have this webcredentials:sub.mydomain.com?mode=developer

I can get https://sub.mydomain.com/.well-known/apple-app-site-association from my server so that works.

Both my server and the phone are on the same subnet, but not reachable from the internet.

I don't see the request logged at my server, which I expect I should. So the app is not hitting my server. But the documentation says it should???

Posted by
louie_keystructure
Up vote reply of louie_keystructure Down vote reply of louie_keystructure

  • Did you figure this out, I'm having the same issue. Also, did you have to do anything else in your server other then place the file in .well-known folder?

    sbs1208
Add a Comment

The documentation is far less helpful than one would like. Here's what I've found to work so far.

  1. The apple-app-site-association file must reside on a publicly accessible web server with a valid TLS certificate. (see https://jaanus.com/universal-links/).
  2. I specified 'web credentials:mydomain.com?mode=developer' in Associated Domains in the Signing & Capabilities tab in Xcode.
  3. On the iOS device, enable Associated Domains for development. This is found under Settings > Developer > Universal Links: Associated Domains Development
  4. On the Apple Developer website, I have added an identifier for my application with 'Associated Domains' enabled to the Certificates, Identifiers & Profiles list of identifiers.
Posted by
JerryCarter
Up vote reply of JerryCarter Down vote reply of JerryCarter
Add a Comment

I was stuck on the same issue for a long time but finally could resolve it by doing tunnelling with ngrok.com. Ngrok helped me provide a temporary domain with an SSL setup which made everything so clean

Posted by
pankajhotwani
Post not yet marked as solved Up vote reply of pankajhotwani Down vote reply of pankajhotwani
Add a Comment

I struggled with this one for a while too. I was eventually able to get passkeys working in the simulator using locally generated certificates. Here are a few things I did differently to you (but I'm not 100% sure which one would make the difference in your case),

  • hosting the server on port 443 (and not including the port in Associated Domains settings in Xcode)
  • generating a Root CA and leaf certificate chain, and trusting the generated Root CA in the simulator
Posted by
jdoxey
Up vote reply of jdoxey Down vote reply of jdoxey
Add a Comment

I face an issue like that, it was due to the fact that I didn't turn on any of the password manager in settings.

Posted by
khantzawko
Up vote reply of khantzawko Down vote reply of khantzawko
Add a Comment