Hi,
Currently, we have a native sign-in and a home-grown biometric solution leveraging device biometrics within the app, and we have plans to adopt OAuth 2.0 and OIDC using ASWebAuthenticationSession. But we primarily wanted to know Apple's perspective with regard to UI/UX, standards and security while adopting OAuth 2.0 and OIDC.
Please note that we don't have Apple Sign In or any other social login within the app currently.
Hi,
I referred to the documentation for resetting passkeys - https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication/supporting_passkeys#4047465 . This method createCredentialRegistrationRequest seems to be an instance of ASAuthorizationSecurityKeyPublicKeyCredentialRegistration and returns a registration request of the type ASAuthorizationSecurityKeyPublicKeyCredentialRegistrationRequest; is this correct? When I tried to integrate the same, it gave "No algorithms specified for ASAuthorizationSecurityKeyPublicKeyCredentialRegistrationRequest" from iOS. So, I tried replacing the registration request with ASAuthorizationPlatformPublicKeyCredentialProvider with the same params as expected for createCredentialRegistrationRequest (challenge, username and userId), but it ended up creating one more passkey, which I could see in Settings.
It created a new passkey, though I expected this to replace the existing one. Is this expected?
Also, is this registration request expected to replace ALL passkeys created for this user for this domain, or just the 1 passkey matching the user and domain?
Please let me know if I missed anything. Thanks for your help.
Hi,
The Authenticator Attestation Global Unique Identifier (AAGUID) for Safari, and also from an iOS app, is zeroed out. Is this expected to stay this way? Can this be considered an ideal differentiator between passkeys from apps in iOS/Safari on Mac and other WebAuthn credentials generated from other platform authenticators, as Chrome/Yubico and other vendors happen to send different values?
Is this value expected to change in future?
Hi,
Is there a guideline from Apple to prevent re-enrollment from the same RP and same user ID, so that we don't create multiple passkeys for the same user account? We have a use case within the app to create passkeys on successful login, but currently there is no API [ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest] available to pass excludedCredentials for the user ID sent by the RP [https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialcreationoptions-excludecredentials], so that iOS can avoid creating new passkeys for the same user ID and same RP.
If we end up creating multiple passkeys for the same RP and same user ID, basically the RP has to maintain all passkeys' public keys and credIds at their end, leading to authentication complexity.
Also, due to re-enrollment for the same user with the same RP, this leads to authentication failures [as the user might choose a different passkey credId from the modal than the one for which the challenge was requested] until the RP supports truly discoverable credentials.
We could say to replace passkeys during subsequent creation, but it would invalidate passkeys already shared with others or on synced devices on the web [that might work based off of the stored credId], which would already be creating passkeys, or adopt WebAuthn on different browsers and create new credentials there as well.
But ASAuthorizationSecurityKeyPublicKeyCredentialRegistrationRequest has excludedCredentials, though.
Hi,
We have a use case where our website uses Safari and has adopted WebAuthn; say enrollment has happened on the web using Safari and thus passkeys for that user account, User A in Website A, have been created.
We have an app for the same website, so when we enable autofill and adopt passkeys for authentication, since the passkeys are iCloud Keychain synced, either through autofill or through the modal we would receive all passkeys created in Website A, as the domain is the same in the app entitlements as well.
For passkeys created through the app, as recommended in the WebAuthn approach, we store the credId/username so as to fetch the challenge using that and populate the same in AutoFill; but for passkeys created on the web, though the success delegate method has an ASAuthorizationPlatformPublicKeyCredentialAssertion object, it does not have the challenge passed to it in the first place, as most passwordless providers require the user ID as an attribute to generate the challenge.
We had SecRequestSharedWebCredential, which could retrieve credentials for us and thus the username for this scenario, but it has been deprecated since iOS 14.
Is there any alternate way to fetch at least the user ID for the domain from iCloud Keychain?
Hi,
I tried verifying the rawAttestationData and rawAuthenticatorData using third-party libraries, but I am not able to decode the information in either rawAttestationData or rawAuthenticatorData; for example, in rawAttestationObject, decoding authData always returns nil.
For example, this string representation of rawAttestationData: a363666d74646e6f6e656761747453746d74a06861757468446174615898d3a03fad282d25bfb82046633c2ae488dbf8e554c515bfe205512879f29c30c25d00000000000000000000000000000000000000000014f8f898d67027d0552f7fd2524e4ffec6debdede9a5010203262001215820fd8a8445e56a6888027b814c5ef51b9ad323d24bfb8725704fe2cdef76b87bbf2258202452a529b55374d20b26a3753167083f7ebc7404db731210f70fab1db757b7d4 returns {
"fmt": "none",
"attStmt": {},
"authData": h'd3a03fad282d25bfb82046633c2ae488dbf8e554c515bfe205512879f29c30c25d00000000000000000000000000000000000000000014f8f898d67027d0552f7fd2524e4ffec6debdede9a5010203262001215820fd8a8445e56a6888027b814c5ef51b9ad323d24bfb8725704fe2cdef76b87bbf2258202452a529b55374d20b26a3753167083f7ebc7404db731210f70fab1db757b7d4',
}
in a CBOR playground, but whenever I try any third-party lib for decoding authData, it returns nil, and I am not able to decode authData in any online CBOR playground either. Is there a recommendation or example implementation in Swift for decoding the CBOR rawAttestationData and rawAuthenticatorData for verification?
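The nil result described above is the expected behaviour of a CBOR decoder, because authData is not CBOR: per the WebAuthn spec it is a fixed binary layout (rpIdHash, flags, signCount, then AAGUID, credential ID length, credential ID and a CBOR COSE_Key when the AT flag is set), so only the outer attestation object and the trailing COSE key are CBOR. The following is an added example, not Apple's code and not from the poster, written in Python rather than Swift so it runs stand-alone; it decodes the attestation object quoted above with a minimal CBOR decoder and then walks the authData fields byte by byte, a layout that ports directly to Swift. The hex is the post's own value, split into field-sized chunks only to annotate the layout.

```python
import struct
ATT_OBJ_HEX = (  # attestation object hex quoted in the post above, split by field
    "a363666d74646e6f6e656761747453746d74a06861757468446174615898"        # CBOR map: fmt, attStmt, authData
    "d3a03fad282d25bfb82046633c2ae488dbf8e554c515bfe205512879f29c30c2"    # rpIdHash (32 bytes)
    "5d" "00000000" "00000000000000000000000000000000" "0014"              # flags, signCount, AAGUID, credIdLen
    "f8f898d67027d0552f7fd2524e4ffec6debdede9"                            # credentialId (20 bytes)
    "a5010203262001215820fd8a8445e56a6888027b814c5ef51b9ad323d24bfb8725704fe2cdef76b87bbf"
    "2258202452a529b55374d20b26a3753167083f7ebc7404db731210f70fab1db757b7d4"  # COSE_Key (CBOR map)
)

def cbor_decode(buf, pos=0):
    """Minimal CBOR decoder (ints, byte/text strings, arrays, maps): enough for WebAuthn data."""
    ib = buf[pos]
    major, info, pos = ib >> 5, ib & 0x1F, pos + 1
    if info >= 24:                                 # argument stored in the next 1, 2, 4 or 8 bytes
        n = 1 << (info - 24)
        info, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if major < 2:                                  # unsigned / negative integer
        return (info if major == 0 else -1 - info), pos
    if major < 4:                                  # byte string / text string
        s = bytes(buf[pos:pos + info])
        return (s if major == 2 else s.decode("utf-8")), pos + info
    if major < 6:                                  # array / map
        items = [] if major == 4 else {}
        for _ in range(info):
            k, pos = cbor_decode(buf, pos)
            if major == 4:
                items.append(k)
            else:
                items[k], pos = cbor_decode(buf, pos)
        return items, pos
    raise ValueError("unsupported CBOR major type %d" % major)

def parse_auth_data(ad):
    """authData is a fixed binary layout, not CBOR; only the trailing COSE key is CBOR."""
    flags = ad[32]
    out = {"rpIdHash": ad[:32].hex(), "signCount": struct.unpack(">I", ad[33:37])[0],
           "flags": {n: bool(flags & b) for n, b in
                     (("UP", 0x01), ("UV", 0x04), ("BE", 0x08), ("BS", 0x10), ("AT", 0x40), ("ED", 0x80))}}
    if flags & 0x40:                               # AT set: attested credential data follows
        cred_len = struct.unpack(">H", ad[53:55])[0]
        out["aaguid"] = ad[37:53].hex()
        out["credentialId"] = ad[55:55 + cred_len].hex()
        out["coseKey"], _ = cbor_decode(ad, 55 + cred_len)   # {1: kty, 3: alg, -1: crv, -2: x, -3: y}
    return out

def parse_attestation_object(hex_str):
    att, _ = cbor_decode(bytes.fromhex(hex_str))
    return {"fmt": att["fmt"], "attStmt": att["attStmt"], "authData": parse_auth_data(att["authData"])}
```

For this sample the parser reports fmt "none", an all-zero AAGUID, a 20-byte credential ID and a P-256 ES256 COSE key, which is what an RP verifier checks before storing the credential.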
Hi,
I understand that during subsequent login attempts, either the modal or autofill requests are shown for the user to authenticate, if they registered for passkeys during the first manual login attempt.
Currently, our app has the option to automatically authenticate the user using Face ID on app launch, using the enrollment keys we obtained during manual login, if the user has opted for Face ID as the login method for subsequent attempts. Simply put, there is no user intervention for this existing auto-login step other than app launch.
My questions are:
Is there an API option that could call the Face authentication step of passkeys directly, without showing the modal or autofill, so that we land on the delegate on Face ID authentication success? OR
Can the Continue button in the modal that gets presented for subsequent passkey authentication attempts be called programmatically, so that we land on the delegate on Face ID authentication success?
We will call option 1 or 2 after we get the challenge from the server on app launch.
Hi,
I watched the video on passkeys and I have a couple of questions on passkeys adoption cross-channel/platform.
When I try to log in from a PC to an account for which I have a passkey generated from the app, the PC browser generates a QR code, iOS acts as the authenticator on scanning the QR code and logs the user in.
Now,
for subsequent logins, will the PC user still be shown a QR code, or are the QR code and the authenticator from iOS just one time for enrollment, and for logging in subsequent times the browser can take care of it?
Will there be any second public/private key pair generated from the PC to handle subsequent logins?
If not, does the iPhone need to be in close proximity every time?
My question is more towards the keys generated for the PC browser and subsequent logins from the PC. Can you please throw some light on the above questions?
Hi, do we have any update on the Apple Sign In mandatory date for apps with social login? April 2020 has been the mandatory date for adopting Apple Sign In in apps with social login enabled. Is there any update or deadline extension on the agenda? Thanks!