Authentication Services

Improve the experience of users when they enter credentials to establish their identity using Authentication Services.

Authentication Services Documentation

Posts under Authentication Services tag

84 Posts
Post not yet marked as solved
2 Replies
570 Views
Hi, I have a problem with associated domains while developing a passkeys app. When I add alternate mode (developer mode) to the Associated Domains Entitlement, it works fine. But in non-developer mode, the CDN doesn't seem to read the AASA file. The AASA file's path is: https://(host).(rootdomain)/.well-known/apple-app-site-associtation I checked the TLS certificate conditions and all conditions are met. https://support.apple.com/en-us/HT213464 https://support.apple.com/en-us/HT210176 https://support.apple.com/en-us/102028 Is there another reason why it only works in developer mode? Thanks for your reply.
Posted by OhjunKwon.
Post not yet marked as solved
1 Replies
361 Views
My app uses Phone Number Authentication only. There is no Email/Password, Google, Facebook, Apple or any other social authentication. So I just wanted to ask: will my app be accepted by the App Store based on the App Store Guidelines, as I am not using Apple Authentication and am only using Phone Number Authentication? Your help will mean a lot.
Posted by hamz26.
Post not yet marked as solved
2 Replies
2.0k Views
Hi devs!!! Calling createCredentialRegistrationRequestWithChallenge returns the following error: Error Domain=NSCocoaErrorDomain Code=4097 "connection to service named com.apple.AuthenticationServicesCore.AuthenticationServicesAgent" UserInfo={NSDebugDescription=connection to service named com.apple.AuthenticationServicesCore.AuthenticationServicesAgent} What can be the potential reason?
Posted by asmbaty.
Post not yet marked as solved
2 Replies
612 Views
When we call ASWebAuthenticationSession with preferEphemeral = false, macOS generates this dialog with a meaningless "(null)". This looks very odd and scary for a normal person. Why does it show "null", and can we control this to make it meaningful at least?
Posted by tandre.
Post not yet marked as solved
0 Replies
279 Views
Hi Team, Is it possible to access the user's birthday and gender when they log in with the Apple option? I've checked the Apple Authentication Services framework but found nothing about it. The only information we can access is the user's name and email. However, I received a review note saying that this information is already provided by the Apple Authentication Services framework. Please kindly share the solution or tell me what I should do to resolve this issue. Cheers, Vanto
Posted by vanto.
Post marked as solved
3 Replies
889 Views
I'm trying to implement passkeys in my app. I successfully get to the dialog in iOS simulator to register with a Passkey and I can also read the result and see all the right things in credentialRegistration.rawClientDataJSON.

The one thing that's not working is when decoding the rawAttestationObject (which should be CBOR as I understand), I find all data defined in the spec (aaguid, credentialIdLength, credentialId) except for the credentialPublicKey! The rawAttestationObject basically ends after the credentialId. I see this both when decoding the rawAttestationObject manually as well as when using WebAuthn libraries on the server, which will give me an "Unexpected end of CBOR data" error.

Any ideas why the rawAttestationObject does not contain the public key?

For reference, here is the initialization of the Passkey request:

    let publicKeyCredentialProvider = ASAuthorizationPlatformPublicKeyCredentialProvider(relyingPartyIdentifier: options.domain)
    let registrationRequest = publicKeyCredentialProvider.createCredentialRegistrationRequest(challenge: challenge, name: name, userID: userID)
    let authController = ASAuthorizationController(authorizationRequests: [ registrationRequest ])
    authController.performRequests()

And here is how I handle the result:

    case let credentialRegistration as ASAuthorizationPlatformPublicKeyCredentialRegistration:
        let rawAttestationObject = credentialRegistration.rawAttestationObject!.base64EncodedString()
        let credentialID = credentialRegistration.credentialID.base64EncodedString()
        let rawClientDataJSON = credentialRegistration.rawClientDataJSON.base64EncodedString()
        let response: PasskeysResponse = [
            "attestationObject": rawAttestationObject,
            "credentialId": credentialID,
            "clientDataJson": rawClientDataJSON,
        ]

Here is an example for a decoded attestation object:

    {
      "rpIdHash": "o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YViYmW4=",
      "flags": {
        "userPresent": false,
        "userVerified": false,
        "backupEligibility": true,
        "backupState": true,
        "attestedCredentialData": true,
        "extensionData": false
      },
      "signCount": 425116148,
      "aaguid": "20318e2d-77fa-f54d-bed7-ba15ccd3fade",
      "credentialId": "1B1KJf6uYF0AAAAAAAAAAAAAAAAAAAAAAAAAAAAUQW65BAqkeKqu97vbc0Se5R1F3Y+lAQIDJiABIVggtdSX2ZAHsBxU4ja1xP6hCZGUXgUCb6Ipau3stU8rrz4iWCBwhOBWOgwT4yKRnU1hA11thC8+CvjmrCkfq//648cwHg==",
      "credentialPublicKey": ""
    }

As you can see, it looks all good except for the "credentialPublicKey": "" part.
Posted by bndkt.
Post marked as solved
1 Replies
536 Views
We are working on implementing FIDO2 with passkeys and it works fine for consumers with an Apple ID. At the enterprise level we aren't able to make it work because corp devices don't have the option to enable Apple ID; it's disabled by MDM as per policy. Is there any alternate approach where corp devices can use FIDO authentication without using Apple ID? Thanks
Posted by sundar.
Post not yet marked as solved
0 Replies
348 Views
What policy applies to me? I have a working application that serves content based on their chosen location or place, which does not require any login, but for some super users I will open a webview where they can authenticate themselves and view/change thee only. Do I still need to provide test credentials, and does any policy related to data and privacy apply to me, as the content will also be shown via webview and my app is only served to the US region?
Post marked as solved
1 Replies
551 Views
I'm implementing passkeys by following the example from the Food Truck sample project. I have nearly everything working, but there's one problem. I'm using the AuthorizationController environment value and passing that to my login and register functions, but when I call authorizationController.performAutoFillAssistedRequest, I don't see or know of any way to cancel it, so if the user tries to type in their username instead of using the autofill suggestion, the second (non-autofill) request throws the error "The operation couldn’t be completed. Request already in progress for specified application identifier." I know that ASAuthorizationController has a cancel() function, but is there any way to do this with AuthorizationController?
Posted by davidgaag.
Post marked as solved
3 Replies
2.3k Views
Hi, I want to implement FIDO-based biometric authentication in our app. I don't want to use passkeys because they are only compatible with iOS 16 and higher. Is there a way to use it through the SFSafariViewController, a web view, ASWebAuthenticationSession or any other method?
Posted by SJose.
Post not yet marked as solved
1 Replies
458 Views
I keep getting the following error when trying to run Passkey sign in on macOS.

    Told not to present authorization sheet: Error Domain=com.apple.AuthenticationServicesCore.AuthorizationError Code=1 "(null)"

The same piece of code is working as expected on iOS. Some more info: The association file and entitlements are correct and validated, as everything is working on iOS. The app is built on SwiftUI and uses the same codebase for macOS and iOS. Validated that the presentation anchor is also correct on macOS because other SSO login works with the same presentation anchor. Not sure where the problem is. Followed https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication/supporting_passkeys/ to get the integration.
Post marked as solved
2 Replies
1.3k Views
Hello. Does WKWebView on Mac support FIDO2 (WebAuthn)? We need to implement this in our app, and the ASWebAuthenticationSession API comes up in searches all the time as the only solution. Is this still the case? From my experiments, ASWebAuthenticationSession on Mac doesn't provide the best user experience: too much fiddling and odd behavior for an end user. For example, the user needs to click the Open button from the browser window to pass the token to the very same app which initiated the window, and this is not very logical considering all the effort to set up the applink. Would appreciate any advice.
Posted by tandre.
Post not yet marked as solved
6 Replies
3.3k Views
I'm trying to deprecate iOS 13 from my app. One of the compilation warnings I got as a result was:

    'SecRequestSharedWebCredential' is deprecated: first deprecated in iOS 14.0 - Use ASAuthorizationController to make an ASAuthorizationPasswordRequest (AuthenticationServices framework)

So I tried updating my code as follows:

    let provider = ASAuthorizationPasswordProvider()
    let request = provider.createRequest()
    let authorizationController = ASAuthorizationController(authorizationRequests: [request])
    authorizationController.delegate = self
    authorizationController.presentationContextProvider = self
    authorizationController.performRequests()

But it always calls the delegate callback

    func authorizationController(controller: ASAuthorizationController, didCompleteWithError error: Error)

with error

    Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1001 "No credentials available for login." UserInfo={NSLocalizedFailureReason=No credentials available for login.}

Even though the device (or simulator) has a stored password for my website. I have my website as an "associated domain" for my app of type webcredentials. What am I doing wrong here?
Posted by tracyk.
Post not yet marked as solved
3 Replies
673 Views
On an iPhone, I have registered 2 different passkeys for 2 different users (let's say user A and user B) for a domain example.com. Now at the time of authentication I am able to use the passkey of user A to authenticate user B with the authentication challenge fetched from the server. This should not be allowed. As per the documentation, I can see ASAuthorizationPlatformPublicKeyCredentialProvider.createCredentialAssertionRequest(challenge: challenge) only accepts a challenge value and does not accept any user ID. How can I verify the user details/info while authenticating with a passkey?
Post not yet marked as solved
0 Replies
440 Views
We have been trying to implement OAuth 2.0 SAML Bearer Assertion authentication in our enterprise iOS application. We are not receiving the SAML Assertion id response in WKWEBVIEW. Can you please kindly confirm whether OAuth 2.0 SAML Bearer Assertion is possible in native iOS development? Please suggest how this can be achieved in iOS native development.
Post not yet marked as solved
1 Replies
844 Views
Hey Folks, I'm currently building an SDK that will manage the creation and authentication of the passkeys for my users, and this SDK can be integrated into 3rd party apps that are out of my direct control. The scenario in which this SDK will be used is like when you have an app where you can link your account with LinkedIn, to get some info about you there, and need to log in with your LinkedIn account. So, the app itself that is consuming the SDK can have a passkey, and this "link account" feature (SDK) will also manage its passkey creation and authentication. Based on this I have a couple of questions:

1. Can I grant the associated domains/webcredentials entitlements only to my SDK, such that the SDK is the only part allowed to create or access my passkeys, but the app that consumes that SDK can only call the functionality exposed by the SDK, and not directly have the privileges to create and access my passkeys nor my iCloud Keychain?
2. If 1 is not possible, what other options do I have?

I imagine that if I give these 3rd party apps that consume my SDK access to my associated domain webcredentials, I will also give them permission to create passkeys in my name, using my RPID, and this is a really insecure scenario, so a no go. Could you folks help me understand the best course of action in this scenario? Thanks!
Posted by RafaeLima.
Post not yet marked as solved
1 Replies
695 Views
We registered certified FIDO2 devices in Apple ID as security keys; registration was performed without any problem. The first log in / log out iterations also worked without problem. Then after a while, one of the keys started to be rejected, as in the attached screenshot, with "failed to verify security key" and "error description not available". The second identical key still functions correctly. We were unable to reproduce the problem on demand; the problem simply just seems to appear randomly. Although the second FIDO2 device still works, there is a theoretical possibility of being locked out of the account. The only difference we could identify with other FIDO2 devices is that it prioritises the ECC algorithm (-7) compared to other FIDO2 devices that prioritise RSA (-257). If ECC is not supported, then it should reject the FIDO2 device at registration. How to properly contact Apple to solve this relatively serious issue?
Post marked as solved
1 Replies
872 Views
I have been looking through the example Passkey code in the Shiny app. I found it confusing at the part about how it performs passkey auto-fill. Specifically, I'm confused about the code in the file Shared/AccountManager.swift method beginAutoFillAssistedPasskeySignIn.

    func beginAutoFillAssistedPasskeySignIn(anchor: ASPresentationAnchor) {
        self.authenticationAnchor = anchor

        let publicKeyCredentialProvider = ASAuthorizationPlatformPublicKeyCredentialProvider(relyingPartyIdentifier: domain)

        // Fetch the challenge from the server. The challenge needs to be unique for each request.
        let challenge = Data()
        let assertionRequest = publicKeyCredentialProvider.createCredentialAssertionRequest(challenge: challenge)

        // AutoFill-assisted requests only support ASAuthorizationPlatformPublicKeyCredentialAssertionRequest.
        let authController = ASAuthorizationController(authorizationRequests: [ assertionRequest ] )
        authController.delegate = self
        authController.presentationContextProvider = self
        authController.performAutoFillAssistedRequests()
    }

Based on my understanding and what the WWDC session shows: performAutoFillAssistedRequests should happen as soon as the screen presents, which is even before the user types in anything.

My question is: if the user hasn't typed in their username/email, how do I communicate with my server to get a challenge? My server requires a username(email) to return a challenge.

A possible answer I've been thinking about is: the server's authentication initial endpoint should NOT require a username/email because a challenge is naive and it's not user specified. But I can't find the above info in any specifications. The best I could find was:

"The script asks the client for an Authentication Assertion, providing as much information as possible to narrow the choice of acceptable credentials for the user. This can be obtained from the data that was stored locally after registration, or by other means such as prompting the user for a username."

Source: https://www.w3.org/TR/webauthn-2/#sctn-sample-authentication

The wording "as much information as possible" from above implies that when the app requests a challenge, it's possible that it doesn't provide a username. Please let me know if the answer above is correct. If not, please help answer the question. I really appreciate any help anyone can provide.
Posted by ShaneQi.
Post not yet marked as solved
1 Replies
1.6k Views
I am creating a React app and am making use of WebAuthn to use TouchID or FaceID for user authentication. I have built my app so that when the button is clicked, navigator.credentials.create is the only call made. With attestation set to none, there are no issues; however, as soon as I set attestation to direct I get an alert saying 'The operation can't be completed' and 'NotAllowedError: This request has been cancelled by the user.' is logged to the console. The issue only presents itself on Safari and iOS devices; however, it works perfectly on other browsers like Chrome. Has anyone encountered a similar issue and possibly know how to resolve it? Thanks Shay
Posted by shay_.