Hello, I have a fully functional webauthn relying party that uses passkeys and I am trying to implement an iOS sdk for it. On the server, the AASA file is valid and well served at /.well-known/assetlinks.json. I verified its validity with branch.io and that it is indeed cached by Apple's CDN (https://app-site-association.cdn-apple.com/a/v1/service.domain.com), but even will all these I still get the following error when installing the app on a device and starting the passkey ceremony:
Passkey authorization failed. Error: The operation couldn’t be completed. Application with identifier TEAM.com.APP is not associated with domain service.domain.com
So I then checked the system log when installing the app on my iPhone, and under the swcd process (which is apparently responsible of fetching the AASA file) I found the following error:
swcd: Domain is invalid. Will not attempt a download.
The issue that I have is that my domain is actually an IDN, it has a special character in it. But everywhere I have used it, I converted it to ASCII (punycode). With this conversion, Apple's CDN is able to fetch the AASA file, and the passkey ceremony works fine on a browser.
So I don't understand how the device (both iPhone or Mac) finds this domain to be invalid? In the app's entitlements, I added the capability for an associated domain, with webcredentials:service.domain.com with the domain name converted to ASCII (punycode) and developer mode doesn't address this issue as it appears when the app is installed (and is not related to Apple's CDN).
The last thing I tried was to add the domain with special characters in the app's entitlements (for webcredentials:) but then Xcode was unable to install the app on the device, and gave the following error:
Failed to verify code signature (A valid provisioning profile for this executable was not found.)
which happened only with a special character in the domain in the app's entitlements.
All this leaves me kind of in a dead end, I understand Xcode or iOS/macOS has a hard time with IDNs and special characters (so do I), but I have no idea on how to solve this (without changing the domain name), so I would really appreciate any help. Thanks in advance.
PS: I tested all this previously with another domain without special characters and it was working. It also had dashes ('-') in it and the new domain converted to ASCII is basically a regular domain with '-' in it so I suppose there is some kind of conversion made from ASCII back to special characters and that then, the domain is considered as invalid, but this doesn't really help me a lot...
PS2: My devices are running on iOS 17.4.1 and macOS 14.4.1 with Xcode 15.2
Post
Replies
Boosts
Views
Activity
I am trying to implement a login page in SwiftUI for an idp that relies on passkeys only, following the sample code from the food truck app.
The registration of a new passkey works fine but when it comes to signing in, ASAuthorizationPlatformPublicKeyCredentialProvider().createCredentialAssertionRequest returns a signature that cannot be verified by the server.
On safari (and other browsers) the signing in&up process works fine and additionally, a passkey registered from the swift app works on the web, which leads me to believe there is an issue in the AuthenticationServices framework as every other steps works without any problem.
The verification of the signature happens on the server side (after several validation steps of the other parameters) with WebCrypto.subtle.verify(verifyAlgorithm, key, signature, data);
With the data argument being a concat of the clientDataJSON and the authenticatorData and for an apple authenticator, the key argument (which is the public key stored by the server) is an EC2 key with the following verifyAlgorithm argument:
verifyAlgorithm = {
name: 'ECDSA',
hash: { name: SHA-256 },
};
After carefully analyzing multiple responses, coming both from the app and safari, either on iOS or macOS, I can safely say that the ASAuthorizationResult.passkeyAssertion returns the expected values for:
rawAuthenticatorData
rawClientDataJSON
credentialID
userID
Which all match the expected values during the server-side validation. The only remaining value from the ASAuthorizationResult.passkeyAssertion is the signature, which as mentioned above, is invalid when verified by the server.
I already submitted a bug report (FB15113372) as well as a DTS request, but haven’t received any feedback yet.
In order to further narrow down the problem, I replicated the signature verification process in a sage notebook. I got the same result: the signature produced in Safari is fine, but the one from the Swift app is invalid. I collected some thoughts of potential issues in this notebook, but I still haven’t been able to draw a clear conclusion on why does this issue occur.
Hence if anyone has knowledge of this issue or has a similar problem with signature verification, their advice is most welcomed.
Thank you in advance for your help
PS: All the recent tests were made on the latest publicly available OS releases (iOS 18.01, macOS 15.0.1) and Xcode 16.0