Unable to use AuthenticationServices - Security Key Authentication Using Physical Keys

Hi, so I'm trying to use security key authentication using physical keys via the native APIs documented on Apple's developer website but am running into errors I don't understand. The application runs on MacOS.

The application is signed with an entitlement that contains the associated domain like so:

	<key>com.apple.developer.associated-domains</key>
	<array>
		<string>webcredentials:example.com?mode=developer</string>
	</array>

I have tried with and without ?mode=developer.

Here is the error I get:

{"error":"The operation couldn’t be completed. The calling process does not have an application identifier. Make sure it is properly configured."}

My application identifier is also configured in the .entitlements file.

Here is a rough overview of what I'm trying to do (basically, the auth server I'm contacting provides a challenge, and I want to create an assertion and send it back for verification). Trying to replicate the example from the official docs.


  let options = try! JSONDecoder().decode(Request.self, from: options.data(using: .utf8)!).publicKey

  let securityKeyProvider = ASAuthorizationSecurityKeyPublicKeyCredentialProvider(relyingPartyIdentifier: options.rpId)
  let securityKeyRequest = securityKeyProvider.createCredentialAssertionRequest(challenge: options.challenge.decodeBase64Url()!)

  let platformProvider = ASAuthorizationPlatformPublicKeyCredentialProvider(relyingPartyIdentifier: options.rpId)
  let platformKeyRequest = platformProvider.createCredentialAssertionRequest(challenge: options.challenge.decodeBase64Url()!)

  securityKeyRequest.userVerificationPreference = ASAuthorizationPublicKeyCredentialUserVerificationPreference(rawValue: options.userVerification ?? "preferred")

  securityKeyRequest.allowedCredentials = []
  for credential in (options.allowCredentials ?? []) {
    let id = credential.id.decodeBase64Url()!
    let transports = ASAuthorizationSecurityKeyPublicKeyCredentialDescriptor.Transport.allSupported
    let descriptor = ASAuthorizationSecurityKeyPublicKeyCredentialDescriptor(credentialID: id, transports: transports)
    securityKeyRequest.allowedCredentials.append(descriptor)
  }
  securityKeyRequest.allowedCredentials = []

  let authController = ASAuthorizationController(authorizationRequests: [platformKeyRequest, securityKeyRequest])

  return run(authController: authController)

Happy to provide more context if necessary. Thanks in advance!

Up vote post of ardi Down vote post of ardi
745 views
Posted by
ardi
Reply
Add a Comment

Accepted Reply

Thanks @garrett-davidson ! After setting up the entitlements correctly it looks like I can reach the authentication server but I get rejected even saying that my app is not associated with the domain:

response: {"error":"The operation couldn’t be completed. Application with identifier V9WTTPBFK9.com.meta.fido2macos.localDevelopment is not associated with domain internalfb.com"}

log stream | grep fido2 shows the following when I try to send the request:


2023-10-16 10:45:01.552607+0100 0xc24e6    Default     0x19c851             404    0    tccd: [com.apple.TCC:access] AUTHREQ_ATTRIBUTION: msgID=31142.1, attribution={responsible={TCCDProcess: identifier=com.apple.Terminal, pid=2381, auid=501, euid=501, responsible_path=/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal, binary_path=/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal}, requesting={TCCDProcess: identifier=com.meta.fido2macos, pid=31142, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2}, },

2023-10-16 10:45:01.561926+0100 0xc24e6    Default     0x19237c             404    0    tccd: [com.apple.TCC:access] AUTHREQ_ATTRIBUTION: msgID=402.465, attribution={responsible={TCCDProcess: identifier=com.apple.Terminal, pid=2381, auid=501, euid=501, responsible_path=/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal, binary_path=/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal}, accessing={TCCDProcess: identifier=com.meta.fido2macos, pid=31142, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2}, requesting={TCCDProcess: identifier=com.apple.WindowServer, pid=402, auid=88, euid=88, binary_path=/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer}, },

2023-10-16 10:45:01.561981+0100 0xc24e6    Default     0x19237c             404    0    tccd: [com.apple.TCC:access] requestor: TCCDProcess: identifier=com.apple.WindowServer, pid=402, auid=88, euid=88, binary_path=/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer is checking access for accessor TCCDProcess: identifier=com.meta.fido2macos, pid=31142, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2

2023-10-16 10:45:01.595107+0100 0xc216c    Default     0x0                  376    0    launchservicesd: [com.apple.launchservices:cas] CHECKIN:0x0-0x13c13c 31142 com.meta.fido2macos

2023-10-16 10:45:01.602683+0100 0xbfa8f    Default     0x194061             930    0    distnoted: [com.apple.distnoted:diagnostic] register name: com.apple.sharedfilelist.change object: com.apple.LSSharedFileList.ApplicationRecentDocuments/com.meta.fido2macos token: 930000004e pid: 994

2023-10-16 10:45:01.654756+0100 0xbfa8f    Default     0x0                  930    0    distnoted: [com.apple.distnoted:diagnostic] register name: com.apple.xctest.FakeForceTouchDevice object: com.meta.fido2macos token: 1c00000023 pid: 31142

2023-10-16 10:45:01.671192+0100 0xbfa8f    Default     0x0                  930    0    distnoted: [com.apple.distnoted:diagnostic] register name: com.apple.nsquiet_safe_quit_give_reason object: com.meta.fido2macos token: 1f00000020 pid: 31142

2023-10-16 10:45:01.777840+0100 0xc2317    Error       0x19c858             404    0    tccd: [com.apple.TCC:access] TCCDProcess: identifier=com.meta.fido2macos, pid=31142, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2 attempted to call TCCAccessRequest for kTCCServiceAccessibility without the recommended com.apple.private.tcc.manager.check-by-audit-token entitlement

2023-10-16 10:45:01.777950+0100 0xc2317    Default     0x19c858             404    0    tccd: [com.apple.TCC:access] AUTHREQ_ATTRIBUTION: msgID=31142.2, attribution={accessing={TCCDProcess: identifier=com.knollsoft.Rectangle, pid=1134, auid=501, euid=501, binary_path=/Applications/Rectangle.app/Contents/MacOS/Rectangle}, requesting={TCCDProcess: identifier=com.meta.fido2macos, pid=31142, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2}, },

2023-10-16 10:45:01.819327+0100 0xc1337    Default     0x19c857             3460   0    AuthenticationServicesAgent: (AuthenticationServicesCore) [com.apple.AuthenticationServicesCore:Authorization] Received connection from V9WTTPBFK9.com.meta.fido2macos.localDevelopment

2023-10-16 10:45:01.819743+0100 0xc1337    Error       0x1940f1             3460   0    AuthenticationServicesAgent: (AuthenticationServicesCore) [com.apple.AuthenticationServicesCore:Authorization] Application with identifier V9WTTPBFK9.com.meta.fido2macos.localDevelopment is not associated with domain internalfb.com

The app is listed in https://internalfb.com/.well-known/apple-app-site-association so I don't understand why it is not associated.

My provisioning profile:

$ security cms -D -i ~/Downloads/fido2macos_Local_Development_VZPNUT84NZ.mobileprovision | xmllint --xpath "/plist/dict/key[text()='Entitlements']/following-sibling::dict[position()=1]" -

<dict>	
				<key>com.apple.developer.associated-domains</key>

		<string>*</string>

				

				<key>com.apple.application-identifier</key>

		<string>V9WTTPBFK9.com.meta.fido2macos.localDevelopment</string>

				

				<key>keychain-access-groups</key>

		<array>

				<string>V9WTTPBFK9.*</string>

		</array>

				

				<key>com.apple.developer.team-identifier</key>

		<string>V9WTTPBFK9</string>



	</dict>

Codesign output for the built artifact:


$ codesign -d --entitlements - --xml  /Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app | xmllint --xpath "/plist/dict" -
Executable=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2
<dict><key>com.apple.application-identifier</key><string>V9WTTPBFK9.com.meta.fido2macos.localDevelopment</string><key>com.apple.developer.associated-domains</key><array><string>webcredentials:internalfb.com</string><string>webcredentials:www.internalfb.com</string></array><key>com.apple.developer.team-identifier</key><string>V9WTTPBFK9</string></dict>
Posted by
ardi
Up vote reply of ardi Down vote reply of ardi
Post marked as solved

  • just noticed that I accidentally marked this as accepted answer and can't revert :) still unresolved

    ardi

  • I just answered that same question here :)

    garrett-davidson
Add a Comment

Replies

The application identifier (and entitlements in general) are part of your application's code signature. If your project is configured to not be code signed, or to use ad-hoc code signing, then your entitlements are not actually being applied. Double check that your app is being signed correctly and that you have the com.apple.application-identifier entitlement getting applied to your built app.

Posted by
garrett-davidson
Up vote reply of garrett-davidson Down vote reply of garrett-davidson

  • Can you provide some guidance as to how I can check that the signature is correct and that the above entitlement is applied to the app? Thanks.

    ardi

  • The codesign command can be used for things like verifying code signatures and checking entitlements. For example:

    Verify that an app is signed correctly:

    codesign -vvv --deep .../Build/Products/Debug/MyCoolApp.app/`

    Check the entitlements of a signed app:

    codesign -d --entitlements - --xml .../Build/Products/Debug/MyCoolApp.app/
    garrett-davidson

  • Thanks @garrett-davidson , I replied below with more details because of the character limit.

    ardi
Add a Comment

Thanks @garrett-davidson ! After setting up the entitlements correctly it looks like I can reach the authentication server but I get rejected even saying that my app is not associated with the domain:

response: {"error":"The operation couldn’t be completed. Application with identifier V9WTTPBFK9.com.meta.fido2macos.localDevelopment is not associated with domain internalfb.com"}

log stream | grep fido2 shows the following when I try to send the request:


2023-10-16 10:45:01.552607+0100 0xc24e6    Default     0x19c851             404    0    tccd: [com.apple.TCC:access] AUTHREQ_ATTRIBUTION: msgID=31142.1, attribution={responsible={TCCDProcess: identifier=com.apple.Terminal, pid=2381, auid=501, euid=501, responsible_path=/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal, binary_path=/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal}, requesting={TCCDProcess: identifier=com.meta.fido2macos, pid=31142, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2}, },

2023-10-16 10:45:01.561926+0100 0xc24e6    Default     0x19237c             404    0    tccd: [com.apple.TCC:access] AUTHREQ_ATTRIBUTION: msgID=402.465, attribution={responsible={TCCDProcess: identifier=com.apple.Terminal, pid=2381, auid=501, euid=501, responsible_path=/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal, binary_path=/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal}, accessing={TCCDProcess: identifier=com.meta.fido2macos, pid=31142, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2}, requesting={TCCDProcess: identifier=com.apple.WindowServer, pid=402, auid=88, euid=88, binary_path=/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer}, },

2023-10-16 10:45:01.561981+0100 0xc24e6    Default     0x19237c             404    0    tccd: [com.apple.TCC:access] requestor: TCCDProcess: identifier=com.apple.WindowServer, pid=402, auid=88, euid=88, binary_path=/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer is checking access for accessor TCCDProcess: identifier=com.meta.fido2macos, pid=31142, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2

2023-10-16 10:45:01.595107+0100 0xc216c    Default     0x0                  376    0    launchservicesd: [com.apple.launchservices:cas] CHECKIN:0x0-0x13c13c 31142 com.meta.fido2macos

2023-10-16 10:45:01.602683+0100 0xbfa8f    Default     0x194061             930    0    distnoted: [com.apple.distnoted:diagnostic] register name: com.apple.sharedfilelist.change object: com.apple.LSSharedFileList.ApplicationRecentDocuments/com.meta.fido2macos token: 930000004e pid: 994

2023-10-16 10:45:01.654756+0100 0xbfa8f    Default     0x0                  930    0    distnoted: [com.apple.distnoted:diagnostic] register name: com.apple.xctest.FakeForceTouchDevice object: com.meta.fido2macos token: 1c00000023 pid: 31142

2023-10-16 10:45:01.671192+0100 0xbfa8f    Default     0x0                  930    0    distnoted: [com.apple.distnoted:diagnostic] register name: com.apple.nsquiet_safe_quit_give_reason object: com.meta.fido2macos token: 1f00000020 pid: 31142

2023-10-16 10:45:01.777840+0100 0xc2317    Error       0x19c858             404    0    tccd: [com.apple.TCC:access] TCCDProcess: identifier=com.meta.fido2macos, pid=31142, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2 attempted to call TCCAccessRequest for kTCCServiceAccessibility without the recommended com.apple.private.tcc.manager.check-by-audit-token entitlement

2023-10-16 10:45:01.777950+0100 0xc2317    Default     0x19c858             404    0    tccd: [com.apple.TCC:access] AUTHREQ_ATTRIBUTION: msgID=31142.2, attribution={accessing={TCCDProcess: identifier=com.knollsoft.Rectangle, pid=1134, auid=501, euid=501, binary_path=/Applications/Rectangle.app/Contents/MacOS/Rectangle}, requesting={TCCDProcess: identifier=com.meta.fido2macos, pid=31142, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2}, },

2023-10-16 10:45:01.819327+0100 0xc1337    Default     0x19c857             3460   0    AuthenticationServicesAgent: (AuthenticationServicesCore) [com.apple.AuthenticationServicesCore:Authorization] Received connection from V9WTTPBFK9.com.meta.fido2macos.localDevelopment

2023-10-16 10:45:01.819743+0100 0xc1337    Error       0x1940f1             3460   0    AuthenticationServicesAgent: (AuthenticationServicesCore) [com.apple.AuthenticationServicesCore:Authorization] Application with identifier V9WTTPBFK9.com.meta.fido2macos.localDevelopment is not associated with domain internalfb.com

The app is listed in https://internalfb.com/.well-known/apple-app-site-association so I don't understand why it is not associated.

My provisioning profile:

$ security cms -D -i ~/Downloads/fido2macos_Local_Development_VZPNUT84NZ.mobileprovision | xmllint --xpath "/plist/dict/key[text()='Entitlements']/following-sibling::dict[position()=1]" -

<dict>	
				<key>com.apple.developer.associated-domains</key>

		<string>*</string>

				

				<key>com.apple.application-identifier</key>

		<string>V9WTTPBFK9.com.meta.fido2macos.localDevelopment</string>

				

				<key>keychain-access-groups</key>

		<array>

				<string>V9WTTPBFK9.*</string>

		</array>

				

				<key>com.apple.developer.team-identifier</key>

		<string>V9WTTPBFK9</string>



	</dict>

Codesign output for the built artifact:


$ codesign -d --entitlements - --xml  /Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app | xmllint --xpath "/plist/dict" -
Executable=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2
<dict><key>com.apple.application-identifier</key><string>V9WTTPBFK9.com.meta.fido2macos.localDevelopment</string><key>com.apple.developer.associated-domains</key><array><string>webcredentials:internalfb.com</string><string>webcredentials:www.internalfb.com</string></array><key>com.apple.developer.team-identifier</key><string>V9WTTPBFK9</string></dict>
Posted by
ardi
Up vote reply of ardi Down vote reply of ardi
Post marked as solved

  • just noticed that I accidentally marked this as accepted answer and can't revert :) still unresolved

    ardi

  • I just answered that same question here :)

    garrett-davidson
Add a Comment

Both V9WTTPBFK9.com.meta.fido2macos.localDevelopment and V9WTTPBFK9.com.meta.fido2macos are also cached by the CDN: https://app-site-association.cdn-apple.com/a/v1/internalfb.com

Posted by
ardi
Post not yet marked as solved Up vote reply of ardi Down vote reply of ardi
Add a Comment

Just to follow up - internally we changed the team ID so there was a mismatch. Updating the app-site-association file to reflect this fixed the issue. Marking as resolved.

https://lickability.com/blog/insidious-bugs-number-3-apple-app-site-association-file/ for a similar issue and resolution

Posted by
ardi
Post not yet marked as solved Up vote reply of ardi Down vote reply of ardi
Add a Comment