Hi, I'm leveraging ASAuthorizationSecurityKeyPublicKeyCredentialProvider to authenticate users to an internal service using security keys or passkeys. I'm not using Sign in with Apple - registration is done in another internal service. We're using associated domains. This is on MacOS only.
I'm wondering whether I can programatically determine whether the user has a passkey enrolled with our super-secret-internal-service.com domain already?
The reason I'm asking is simply better UX - if the user doesn't have a passkey enrolled, I'd like to avoid offering them an option to use a platform authenticator and only offer them to tap their security key. We can assume that all users already have their security keys enrolled already.
So something like the following:
let securityKeyProvider = ASAuthorizationSecurityKeyPublicKeyCredentialProvider(relyingPartyIdentifier: options.rpId)
let securityKeyRequest = securityKeyProvider.createCredentialAssertionRequest(challenge: options.challenge.data(using: .utf8) ?? Data())
let platformProvider = ASAuthorizationPlatformPublicKeyCredentialProvider(relyingPartyIdentifier: options.rpId)
let platformKeyRequest = platformProvider.createCredentialAssertionRequest(challenge: options.challenge.data(using: .utf8) ?? Data())
var authRequests: [ASAuthorizationRequest] = [securityKeyRequest]
if (userHasPasskeyForDomain("super-secret-internal-service.com")) { // TODO how do I check this??
authRequests.append(platformKeyRequest)
}
let authController = ASAuthorizationController(authorizationRequests: [platformKeyRequest, securityKeyRequest])
Many thanks!
Post
Replies
Boosts
Views
Activity
Hi, I created a proof of concept app that leverages ASAuthorizationController
to authenticate using FIDO2 security keys and passkeys. I get an auth challenge from an internal provider, and leverage the above API(s) to authenticate. Basically the same use case as the following (using existing account): https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication/supporting_security_key_authentication_using_physical_keys#3761984
Initially it worked fine, I got a pop-up with a user prompt. However, after canceling one of the requests (can't remember whether I force-closed the window or just clicked Cancel) I get an error on every subsequent request:
response: {"error":"The operation couldn’t be completed. Request already in progress for specified application identifier."}
log stream | grep fido2 output:
2023-10-17 16:52:52.740329+0100 0x3f329d Default 0x7d21c1 404 0 tccd: [com.apple.TCC:access] AUTHREQ_ATTRIBUTION: msgID=49962.1, attribution={responsible={TCCDProcess: identifier=com.facebook.fbvscode, pid=3687, auid=501, euid=501, responsible_path=/Applications/VS Code @ FB.app/Contents/MacOS/Electron, binary_path=/Applications/VS Code @ FB.app/Contents/MacOS/Electron}, requesting={TCCDProcess: identifier=com.meta.fido2macos.localDevelopment, pid=49962, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2}, },
2023-10-17 16:52:52.750530+0100 0x3f329d Default 0x7cde39 404 0 tccd: [com.apple.TCC:access] AUTHREQ_ATTRIBUTION: msgID=402.3441, attribution={responsible={TCCDProcess: identifier=com.facebook.fbvscode, pid=3687, auid=501, euid=501, responsible_path=/Applications/VS Code @ FB.app/Contents/MacOS/Electron, binary_path=/Applications/VS Code @ FB.app/Contents/MacOS/Electron}, accessing={TCCDProcess: identifier=com.meta.fido2macos.localDevelopment, pid=49962, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2}, requesting={TCCDProcess: identifier=com.apple.WindowServer, pid=402, auid=88, euid=88, binary_path=/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer}, },
2023-10-17 16:52:52.750603+0100 0x3f329d Default 0x7cde39 404 0 tccd: [com.apple.TCC:access] requestor: TCCDProcess: identifier=com.apple.WindowServer, pid=402, auid=88, euid=88, binary_path=/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer is checking access for accessor TCCDProcess: identifier=com.meta.fido2macos.localDevelopment, pid=49962, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2
2023-10-17 16:52:52.803355+0100 0x3f32ad Default 0x0 376 0 launchservicesd: [com.apple.launchservices:cas] CHECKIN:0x0-0xa50a50 49962 com.meta.fido2macos.localDevelopment
2023-10-17 16:52:52.818560+0100 0x3f1eb0 Default 0x7c91e2 930 0 distnoted: [com.apple.distnoted:diagnostic] register name: com.apple.sharedfilelist.change object: com.apple.LSSharedFileList.ApplicationRecentDocuments/com.meta.fido2macos.localdevelopment token: f50000004b pid: 994
2023-10-17 16:52:52.846529+0100 0x3f1eb0 Default 0x0 930 0 distnoted: [com.apple.distnoted:diagnostic] register name: com.apple.xctest.FakeForceTouchDevice object: com.meta.fido2macos.localDevelopment token: 1c00000023 pid: 49962
2023-10-17 16:52:52.866484+0100 0x3f1eb0 Default 0x0 930 0 distnoted: [com.apple.distnoted:diagnostic] register name: com.apple.nsquiet_safe_quit_give_reason object: com.meta.fido2macos.localDevelopment token: 1f00000020 pid: 49962
2023-10-17 16:52:53.027489+0100 0x3f329d Error 0x7d21c8 404 0 tccd: [com.apple.TCC:access] TCCDProcess: identifier=com.meta.fido2macos.localDevelopment, pid=49962, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2 attempted to call TCCAccessRequest for kTCCServiceAccessibility without the recommended com.apple.private.tcc.manager.check-by-audit-token entitlement
2023-10-17 16:52:53.027604+0100 0x3f329d Default 0x7d21c8 404 0 tccd: [com.apple.TCC:access] AUTHREQ_ATTRIBUTION: msgID=49962.2, attribution={accessing={TCCDProcess: identifier=com.knollsoft.Rectangle, pid=1134, auid=501, euid=501, binary_path=/Applications/Rectangle.app/Contents/MacOS/Rectangle}, requesting={TCCDProcess: identifier=com.meta.fido2macos.localDevelopment, pid=49962, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2}, },
2023-10-17 16:52:53.059785+0100 0x3f2257 Default 0x7d21c7 77540 0 AuthenticationServicesAgent: (AuthenticationServicesCore) [com.apple.AuthenticationServicesCore:Authorization] Received connection from V9WTTPBFK9.com.meta.fido2macos.localDevelopment
I also tried calling ASAuthorizationController::cancel (https://developer.apple.com/documentation/authenticationservices/asauthorizationcontroller/3950923-cancel) in random places but that didn't help either.
Happy to follow up more details / code if necessary. Thanks!
Similar issue:
https://developer.apple.com/forums/thread/723850
Hi, so I'm trying to use security key authentication using physical keys via the native APIs documented on Apple's developer website but am running into errors I don't understand. The application runs on MacOS.
The application is signed with an entitlement that contains the associated domain like so:
<key>com.apple.developer.associated-domains</key>
<array>
<string>webcredentials:example.com?mode=developer</string>
</array>
I have tried with and without ?mode=developer.
Here is the error I get:
{"error":"The operation couldn’t be completed. The calling process does not have an application identifier. Make sure it is properly configured."}
My application identifier is also configured in the .entitlements file.
Here is a rough overview of what I'm trying to do (basically, the auth server I'm contacting provides a challenge, and I want to create an assertion and send it back for verification). Trying to replicate the example from the official docs.
let options = try! JSONDecoder().decode(Request.self, from: options.data(using: .utf8)!).publicKey
let securityKeyProvider = ASAuthorizationSecurityKeyPublicKeyCredentialProvider(relyingPartyIdentifier: options.rpId)
let securityKeyRequest = securityKeyProvider.createCredentialAssertionRequest(challenge: options.challenge.decodeBase64Url()!)
let platformProvider = ASAuthorizationPlatformPublicKeyCredentialProvider(relyingPartyIdentifier: options.rpId)
let platformKeyRequest = platformProvider.createCredentialAssertionRequest(challenge: options.challenge.decodeBase64Url()!)
securityKeyRequest.userVerificationPreference = ASAuthorizationPublicKeyCredentialUserVerificationPreference(rawValue: options.userVerification ?? "preferred")
securityKeyRequest.allowedCredentials = []
for credential in (options.allowCredentials ?? []) {
let id = credential.id.decodeBase64Url()!
let transports = ASAuthorizationSecurityKeyPublicKeyCredentialDescriptor.Transport.allSupported
let descriptor = ASAuthorizationSecurityKeyPublicKeyCredentialDescriptor(credentialID: id, transports: transports)
securityKeyRequest.allowedCredentials.append(descriptor)
}
securityKeyRequest.allowedCredentials = []
let authController = ASAuthorizationController(authorizationRequests: [platformKeyRequest, securityKeyRequest])
return run(authController: authController)
Happy to provide more context if necessary. Thanks in advance!