Hey Folks,
I'm currently building an SDK that will manage the creation and authentication of the passkeys for my users, and this SDK can be integrated on 3rd party apps that are out of my direct control.
The scenario of when this SDK will be used is like when you have an app that you can link your account with LinkedIn, to get some info about you there and need to log in with your Linkedin account. So, the app itself that is consuming the SDK can have a passkey, and this "link account" feature (SDK) will also manage its passkey creation and authentication.
Based on this I have a couple of questions:
-
Can I grant only grant the associated domains/webcredentials entitlements to my SDK, such that the SDK is the only part allowed to create or access my passkeys but the app that consumes that SDK can only call the functionality exposed by the SDK, and not directly have the privileges to create and access my passkeys nor my iCloud Keychain?
-
If 1 is not possible, what other options do I have? I imagine that if I give to access these 3rd party apps that consume my SDK to my associated domain webcredentials, I also will give them permission to them, to create passkeys in my name, using my RPID, and this is a really insecure scenario, so a no go.
May you folks help me to understand the best course of action in this scenario? Thanks!
