Unable to use AuthenticationServices - Security Key Authentication Using Physical Keys

Hi, so I'm trying to use security key authentication using physical keys via the native APIs documented on Apple's developer website but am running into errors I don't understand. The application runs on MacOS.

The application is signed with an entitlement that contains the associated domain like so:

	<key>com.apple.developer.associated-domains</key>
	<array>
		<string>webcredentials:example.com?mode=developer</string>
	</array>

I have tried with and without ?mode=developer.

Here is the error I get:

{"error":"The operation couldn’t be completed. The calling process does not have an application identifier. Make sure it is properly configured."}

My application identifier is also configured in the .entitlements file.

Here is a rough overview of what I'm trying to do (basically, the auth server I'm contacting provides a challenge, and I want to create an assertion and send it back for verification). Trying to replicate the example from the official docs.


  let options = try! JSONDecoder().decode(Request.self, from: options.data(using: .utf8)!).publicKey

  let securityKeyProvider = ASAuthorizationSecurityKeyPublicKeyCredentialProvider(relyingPartyIdentifier: options.rpId)
  let securityKeyRequest = securityKeyProvider.createCredentialAssertionRequest(challenge: options.challenge.decodeBase64Url()!)

  let platformProvider = ASAuthorizationPlatformPublicKeyCredentialProvider(relyingPartyIdentifier: options.rpId)
  let platformKeyRequest = platformProvider.createCredentialAssertionRequest(challenge: options.challenge.decodeBase64Url()!)

  securityKeyRequest.userVerificationPreference = ASAuthorizationPublicKeyCredentialUserVerificationPreference(rawValue: options.userVerification ?? "preferred")

  securityKeyRequest.allowedCredentials = []
  for credential in (options.allowCredentials ?? []) {
    let id = credential.id.decodeBase64Url()!
    let transports = ASAuthorizationSecurityKeyPublicKeyCredentialDescriptor.Transport.allSupported
    let descriptor = ASAuthorizationSecurityKeyPublicKeyCredentialDescriptor(credentialID: id, transports: transports)
    securityKeyRequest.allowedCredentials.append(descriptor)
  }
  securityKeyRequest.allowedCredentials = []

  let authController = ASAuthorizationController(authorizationRequests: [platformKeyRequest, securityKeyRequest])

  return run(authController: authController)

Happy to provide more context if necessary. Thanks in advance!

Answered by ardi in 768627022

Thanks @garrett-davidson ! After setting up the entitlements correctly it looks like I can reach the authentication server but I get rejected even saying that my app is not associated with the domain:

response: {"error":"The operation couldn’t be completed. Application with identifier V9WTTPBFK9.com.meta.fido2macos.localDevelopment is not associated with domain internalfb.com"}

log stream | grep fido2 shows the following when I try to send the request:


2023-10-16 10:45:01.552607+0100 0xc24e6    Default     0x19c851             404    0    tccd: [com.apple.TCC:access] AUTHREQ_ATTRIBUTION: msgID=31142.1, attribution={responsible={TCCDProcess: identifier=com.apple.Terminal, pid=2381, auid=501, euid=501, responsible_path=/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal, binary_path=/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal}, requesting={TCCDProcess: identifier=com.meta.fido2macos, pid=31142, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2}, },

2023-10-16 10:45:01.561926+0100 0xc24e6    Default     0x19237c             404    0    tccd: [com.apple.TCC:access] AUTHREQ_ATTRIBUTION: msgID=402.465, attribution={responsible={TCCDProcess: identifier=com.apple.Terminal, pid=2381, auid=501, euid=501, responsible_path=/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal, binary_path=/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal}, accessing={TCCDProcess: identifier=com.meta.fido2macos, pid=31142, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2}, requesting={TCCDProcess: identifier=com.apple.WindowServer, pid=402, auid=88, euid=88, binary_path=/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer}, },

2023-10-16 10:45:01.561981+0100 0xc24e6    Default     0x19237c             404    0    tccd: [com.apple.TCC:access] requestor: TCCDProcess: identifier=com.apple.WindowServer, pid=402, auid=88, euid=88, binary_path=/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer is checking access for accessor TCCDProcess: identifier=com.meta.fido2macos, pid=31142, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2

2023-10-16 10:45:01.595107+0100 0xc216c    Default     0x0                  376    0    launchservicesd: [com.apple.launchservices:cas] CHECKIN:0x0-0x13c13c 31142 com.meta.fido2macos

2023-10-16 10:45:01.602683+0100 0xbfa8f    Default     0x194061             930    0    distnoted: [com.apple.distnoted:diagnostic] register name: com.apple.sharedfilelist.change object: com.apple.LSSharedFileList.ApplicationRecentDocuments/com.meta.fido2macos token: 930000004e pid: 994

2023-10-16 10:45:01.654756+0100 0xbfa8f    Default     0x0                  930    0    distnoted: [com.apple.distnoted:diagnostic] register name: com.apple.xctest.FakeForceTouchDevice object: com.meta.fido2macos token: 1c00000023 pid: 31142

2023-10-16 10:45:01.671192+0100 0xbfa8f    Default     0x0                  930    0    distnoted: [com.apple.distnoted:diagnostic] register name: com.apple.nsquiet_safe_quit_give_reason object: com.meta.fido2macos token: 1f00000020 pid: 31142

2023-10-16 10:45:01.777840+0100 0xc2317    Error       0x19c858             404    0    tccd: [com.apple.TCC:access] TCCDProcess: identifier=com.meta.fido2macos, pid=31142, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2 attempted to call TCCAccessRequest for kTCCServiceAccessibility without the recommended com.apple.private.tcc.manager.check-by-audit-token entitlement

2023-10-16 10:45:01.777950+0100 0xc2317    Default     0x19c858             404    0    tccd: [com.apple.TCC:access] AUTHREQ_ATTRIBUTION: msgID=31142.2, attribution={accessing={TCCDProcess: identifier=com.knollsoft.Rectangle, pid=1134, auid=501, euid=501, binary_path=/Applications/Rectangle.app/Contents/MacOS/Rectangle}, requesting={TCCDProcess: identifier=com.meta.fido2macos, pid=31142, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2}, },

2023-10-16 10:45:01.819327+0100 0xc1337    Default     0x19c857             3460   0    AuthenticationServicesAgent: (AuthenticationServicesCore) [com.apple.AuthenticationServicesCore:Authorization] Received connection from V9WTTPBFK9.com.meta.fido2macos.localDevelopment

2023-10-16 10:45:01.819743+0100 0xc1337    Error       0x1940f1             3460   0    AuthenticationServicesAgent: (AuthenticationServicesCore) [com.apple.AuthenticationServicesCore:Authorization] Application with identifier V9WTTPBFK9.com.meta.fido2macos.localDevelopment is not associated with domain internalfb.com

The app is listed in https://internalfb.com/.well-known/apple-app-site-association so I don't understand why it is not associated.

My provisioning profile:

$ security cms -D -i ~/Downloads/fido2macos_Local_Development_VZPNUT84NZ.mobileprovision | xmllint --xpath "/plist/dict/key[text()='Entitlements']/following-sibling::dict[position()=1]" -

<dict>	
				<key>com.apple.developer.associated-domains</key>

		<string>*</string>

				

				<key>com.apple.application-identifier</key>

		<string>V9WTTPBFK9.com.meta.fido2macos.localDevelopment</string>

				

				<key>keychain-access-groups</key>

		<array>

				<string>V9WTTPBFK9.*</string>

		</array>

				

				<key>com.apple.developer.team-identifier</key>

		<string>V9WTTPBFK9</string>



	</dict>

Codesign output for the built artifact:


$ codesign -d --entitlements - --xml  /Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app | xmllint --xpath "/plist/dict" -
Executable=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2
<dict><key>com.apple.application-identifier</key><string>V9WTTPBFK9.com.meta.fido2macos.localDevelopment</string><key>com.apple.developer.associated-domains</key><array><string>webcredentials:internalfb.com</string><string>webcredentials:www.internalfb.com</string></array><key>com.apple.developer.team-identifier</key><string>V9WTTPBFK9</string></dict>

The application identifier (and entitlements in general) are part of your application's code signature. If your project is configured to not be code signed, or to use ad-hoc code signing, then your entitlements are not actually being applied. Double check that your app is being signed correctly and that you have the com.apple.application-identifier entitlement getting applied to your built app.

Accepted Answer

Thanks @garrett-davidson ! After setting up the entitlements correctly it looks like I can reach the authentication server but I get rejected even saying that my app is not associated with the domain:

response: {"error":"The operation couldn’t be completed. Application with identifier V9WTTPBFK9.com.meta.fido2macos.localDevelopment is not associated with domain internalfb.com"}

log stream | grep fido2 shows the following when I try to send the request:


2023-10-16 10:45:01.552607+0100 0xc24e6    Default     0x19c851             404    0    tccd: [com.apple.TCC:access] AUTHREQ_ATTRIBUTION: msgID=31142.1, attribution={responsible={TCCDProcess: identifier=com.apple.Terminal, pid=2381, auid=501, euid=501, responsible_path=/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal, binary_path=/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal}, requesting={TCCDProcess: identifier=com.meta.fido2macos, pid=31142, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2}, },

2023-10-16 10:45:01.561926+0100 0xc24e6    Default     0x19237c             404    0    tccd: [com.apple.TCC:access] AUTHREQ_ATTRIBUTION: msgID=402.465, attribution={responsible={TCCDProcess: identifier=com.apple.Terminal, pid=2381, auid=501, euid=501, responsible_path=/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal, binary_path=/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal}, accessing={TCCDProcess: identifier=com.meta.fido2macos, pid=31142, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2}, requesting={TCCDProcess: identifier=com.apple.WindowServer, pid=402, auid=88, euid=88, binary_path=/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer}, },

2023-10-16 10:45:01.561981+0100 0xc24e6    Default     0x19237c             404    0    tccd: [com.apple.TCC:access] requestor: TCCDProcess: identifier=com.apple.WindowServer, pid=402, auid=88, euid=88, binary_path=/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer is checking access for accessor TCCDProcess: identifier=com.meta.fido2macos, pid=31142, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2

2023-10-16 10:45:01.595107+0100 0xc216c    Default     0x0                  376    0    launchservicesd: [com.apple.launchservices:cas] CHECKIN:0x0-0x13c13c 31142 com.meta.fido2macos

2023-10-16 10:45:01.602683+0100 0xbfa8f    Default     0x194061             930    0    distnoted: [com.apple.distnoted:diagnostic] register name: com.apple.sharedfilelist.change object: com.apple.LSSharedFileList.ApplicationRecentDocuments/com.meta.fido2macos token: 930000004e pid: 994

2023-10-16 10:45:01.654756+0100 0xbfa8f    Default     0x0                  930    0    distnoted: [com.apple.distnoted:diagnostic] register name: com.apple.xctest.FakeForceTouchDevice object: com.meta.fido2macos token: 1c00000023 pid: 31142

2023-10-16 10:45:01.671192+0100 0xbfa8f    Default     0x0                  930    0    distnoted: [com.apple.distnoted:diagnostic] register name: com.apple.nsquiet_safe_quit_give_reason object: com.meta.fido2macos token: 1f00000020 pid: 31142

2023-10-16 10:45:01.777840+0100 0xc2317    Error       0x19c858             404    0    tccd: [com.apple.TCC:access] TCCDProcess: identifier=com.meta.fido2macos, pid=31142, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2 attempted to call TCCAccessRequest for kTCCServiceAccessibility without the recommended com.apple.private.tcc.manager.check-by-audit-token entitlement

2023-10-16 10:45:01.777950+0100 0xc2317    Default     0x19c858             404    0    tccd: [com.apple.TCC:access] AUTHREQ_ATTRIBUTION: msgID=31142.2, attribution={accessing={TCCDProcess: identifier=com.knollsoft.Rectangle, pid=1134, auid=501, euid=501, binary_path=/Applications/Rectangle.app/Contents/MacOS/Rectangle}, requesting={TCCDProcess: identifier=com.meta.fido2macos, pid=31142, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2}, },

2023-10-16 10:45:01.819327+0100 0xc1337    Default     0x19c857             3460   0    AuthenticationServicesAgent: (AuthenticationServicesCore) [com.apple.AuthenticationServicesCore:Authorization] Received connection from V9WTTPBFK9.com.meta.fido2macos.localDevelopment

2023-10-16 10:45:01.819743+0100 0xc1337    Error       0x1940f1             3460   0    AuthenticationServicesAgent: (AuthenticationServicesCore) [com.apple.AuthenticationServicesCore:Authorization] Application with identifier V9WTTPBFK9.com.meta.fido2macos.localDevelopment is not associated with domain internalfb.com

The app is listed in https://internalfb.com/.well-known/apple-app-site-association so I don't understand why it is not associated.

My provisioning profile:

$ security cms -D -i ~/Downloads/fido2macos_Local_Development_VZPNUT84NZ.mobileprovision | xmllint --xpath "/plist/dict/key[text()='Entitlements']/following-sibling::dict[position()=1]" -

<dict>	
				<key>com.apple.developer.associated-domains</key>

		<string>*</string>

				

				<key>com.apple.application-identifier</key>

		<string>V9WTTPBFK9.com.meta.fido2macos.localDevelopment</string>

				

				<key>keychain-access-groups</key>

		<array>

				<string>V9WTTPBFK9.*</string>

		</array>

				

				<key>com.apple.developer.team-identifier</key>

		<string>V9WTTPBFK9</string>



	</dict>

Codesign output for the built artifact:


$ codesign -d --entitlements - --xml  /Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app | xmllint --xpath "/plist/dict" -
Executable=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2
<dict><key>com.apple.application-identifier</key><string>V9WTTPBFK9.com.meta.fido2macos.localDevelopment</string><key>com.apple.developer.associated-domains</key><array><string>webcredentials:internalfb.com</string><string>webcredentials:www.internalfb.com</string></array><key>com.apple.developer.team-identifier</key><string>V9WTTPBFK9</string></dict>

Both V9WTTPBFK9.com.meta.fido2macos.localDevelopment and V9WTTPBFK9.com.meta.fido2macos are also cached by the CDN: https://app-site-association.cdn-apple.com/a/v1/internalfb.com

Just to follow up - internally we changed the team ID so there was a mismatch. Updating the app-site-association file to reflect this fixed the issue. Marking as resolved.

https://lickability.com/blog/insidious-bugs-number-3-apple-app-site-association-file/ for a similar issue and resolution

Unable to use AuthenticationServices - Security Key Authentication Using Physical Keys
 
 
Q