Authentication Services

RSS for tag

Improve the experience of users when they enter credentials to establish their identity using Authentication Services.

Posts under Authentication Services tag

96 Posts
Sort by:

Post

Replies

Boosts

Views

Activity

Unable to create 'Shared Web Credentials' on fresh TestFlight Install
Hey Apple team (and eskimo 🙏), Our FinTech app uses iCloud Keychain shared web credentials to store a secure encryption password in iCloud Keychain. Some of our new users seem to run into an issue where the app fails to successfully create a shared web credential. All users are required to have the following two settings enabled: Settings --> Passwords --> Password Options --> Autofill from iCloud Passwords & Keychain Settings --> Apple D - -> iCloud - -> Passwords and Keychain --> 'Sync this iPhone' The issue appears to resolve itself when the user restarts their iPhone. We've had this bug 3 times now and would like to understand the root cause. We have a couple hypotheses: iOS is failing to verify that the domain for the shared web credential is valid via <domain>/.well-known/apple-app-site-association (and then restarting triggers reverification) Users were on a version of iOS where it was bugged (and then restarting finally completed an update to a new version). We've verified that the bug happened on 17.0.2 with one user (until they updated and it fixed itself)
1
0
599
Jan ’24
Flutter MSAL SSO with webview
Hi, I am using flutter MSAL SSO with flutter_inappwebview and azure_flutter_authentication package to login to the app. let viewController: UIViewController = UIViewController.keyViewController! let webviewParameters = MSALWebviewParameters(authPresentationViewController: viewController) webviewParameters.webviewType = .default I am trying to open another application in webview by using flutter_inappwebview, so that there will be a silent log in using MSAL SSO option in iOS device. But its not working InAppWebView( key: webViewKey, initialUrlRequest: URLRequest(url: Uri.parse(widget.url)), initialOptions: options, pullToRefreshController: pullToRefreshController, onWebViewCreated: (controller) { webViewController = controller; }, onLoadStart: (controller, url) { logger.d("printing webview controller type: " + controller.runtimeType.toString()); setState(() { this.url = url.toString(); urlController.text = this.url; isLoading = false; }); }, androidOnPermissionRequest: (controller, origin, resources) async { return PermissionRequestResponse( resources: resources, action: PermissionRequestResponseAction.GRANT); }, shouldOverrideUrlLoading: (controller, navigationAction) async { var uri = navigationAction.request.url!; if (![ "http", "https", "file", "chrome", "data", "javascript", "about" ].contains(uri.scheme)) { if (await canLaunch(url)) { // Launch the App await launch( url, ); // and cancel the request return NavigationActionPolicy.CANCEL; } } return NavigationActionPolicy.ALLOW; }, onLoadStop: (controller, url) async { pullToRefreshController?.endRefreshing(); setState(() { this.url = url.toString(); urlController.text = this.url; }); }, onLoadError: (controller, url, code, message) { pullToRefreshController?.endRefreshing(); }, onProgressChanged: (controller, progress) { if (progress == 100) { pullToRefreshController?.endRefreshing(); } setState(() { this.progress = progress / 100; urlController.text = this.url; }); }, onUpdateVisitedHistory: (controller, url, androidIsReload) { setState(() { this.url = url.toString(); urlController.text = this.url; }); }, onConsoleMessage: (controller, consoleMessage) { print(consoleMessage); }, ), How to should I pass the login session from swift code to inappwebview in flutter? Please help me with this. I really appreciate it. Its working fine with android devices. The problem is from iOS devices.
0
0
820
Jan ’24
[App Groups] Publishing apps sharing App Group for Sign-in
I am working on two applications that provide complementary functionality - one is a main app with authentication flow and the other handles additional functionalities within my service. I would like to publish these as separate apps on the App Store but allow them to share data through an App Group, specifically to enable sign-in state to carry across. The flow would be: Main app authenticates the user and saves an authentication token to the shared App Group container Second app launches and checks the container for this token. If present, it signs the user in automatically. In this way the Main app handles all login functionality which enables certain features in the other app(s) when logged in state is present. My questions are: Would this violate any App Store guidelines around app functionality distribution or data sharing? I intend to provide a technical rationale during review on why two apps are necessary. Would Apple allow such an implementation? What best practices should I follow when submitting for app review approval? It would be great to hear thoughts around the viability of this app architecture. Please let me know if further technical details are needed as well. Looking forward to community feedback on whether Apple permits apps sharing sensitive data via App Group specifically for identity management. Reference: guideline 2.5.2 2.5.2 Apps should be self-contained in their bundles, and may not read or write data outside the designated container area, nor may they download, install, or execute code which introduces or changes features or functionality of the app, including other apps. Educational apps designed to teach, develop, or allow students to test executable code may, in limited circumstances, download code provided that such code is not used for other purposes. Such apps must make the source code provided by the app completely viewable and editable by the user. https://developer.apple.com/documentation/xcode/configuring-app-groups
0
0
526
Jan ’24
passkey registration fails on hybrid connect (qr code scan)
I developed an app that implements autofill extension with ASCredentialProviderViewController to provide passkeys. while it works smoothly on internal connections (e.g. register to webauthn.io on the same device where my app is installed), it fails when i'm scanning QR code on another device. I suspect it's a problem with the flags of the passkey attestation object as the only difference between the 2 requests (internal and hybrid) I've found is that the userVerificationPreference is changed from preferred (internal) to required (hybrid). i sent those flags (both on hybrid and internal connection): binary rep: 01011101 decimal rep: 93 is anyone has a clue what goes wrong?
1
1
887
Jan ’24
NFC Passport Reader - Libraries
Hi community! I'm on the hunt for alternatives to digital onboarding and NFC reader libraries on iOS (and maybe on Android too). Do any of you know of alternatives to: https://github.com/AndyQ/NFCPassportReader They should be compatible with ICAO Doc 9303 MRTD - https://www.icao.int/publications/pages/publication.aspx?docnum=9303 Your insights and suggestions mean a lot! Thanks! Description: NFCPassportReader - This package handles reading an NFC Enabled passport using iOS 13 CoreNFC APIS Version 2 (and the main branch) now uses Swift Async/Await for communication. If you need an earlier version, please use 1.1.9 or below! Supported features: Basic Access Control (BAC) Secure Messaging Reads DG1 (MRZ data) and DG2 (Image) in both JPEG and JPEG2000 formats, DG7, DG11, DG12, DG14 and DG15 (also SOD and COM datagroups) Passive Authentication Active Authentication Chip Authentication (ECDH DES and AES keys tested, DH DES AES keys implemented ad should work but currently not tested) PACE - currently only Generic Mapping (GM) supported Ability to dump passport stream and read it back in Uses Async/Await
0
0
1.1k
Dec ’23
passkey attestationObject confusion
Hello everybody, I'm trying to implement passkey provider for iOS device. I'm in the register phase of the passkey. Let's say this is my code to register request, what am I doing wrong?: import SwiftCBOR class CredentialProviderViewController: ASCredentialProviderViewController { . . . func generatePublicKeyCborEncoded() -> Data { let privateKey = P256.Signing.PrivateKey() let publicKey = privateKey.publicKey.x963Representation let decoded: [CBOR: CBOR] = [ CBOR.init(integerLiteral: 1): CBOR.init(integerLiteral: 2), CBOR.init(integerLiteral: 3): CBOR.init(integerLiteral: -7), CBOR.init(integerLiteral: -1): CBOR.init(integerLiteral: 1), CBOR.init(integerLiteral: -2): CBOR.byteString(publicKey[1..<33].map { $0 }), CBOR.init(integerLiteral: -3): CBOR.byteString(publicKey[33..<65].map { $0 }) ] return Data(CBOR.encode(decoded)) } @IBAction func onRegister(_ sender: UIButton) { NSLog("onRegister called 1") guard let request = newRegistrationRequest as? ASPasskeyCredentialRequest else {return} let attObj: Data = generatePublicKeyCborEncoded() let passkey: ASPasskeyRegistrationCredential = ASPasskeyRegistrationCredential( relyingParty: request.credentialIdentity.serviceIdentifier.identifier, clientDataHash: request.clientDataHash, credentialID: Data([67, 92, 125, 254, 60, 232, 238, 248, 14, 107, 245, 21, 85, 130, 40, 54], attestationObject: attObj ) extensionContext.completeRegistrationRequest(using: passkey){ endedWell in NSLog("onRegister called \(endedWell ? "" : "not") ended well") } } }
2
0
956
Dec ’23
Does Apple allow packed format attestation in passkey credential provider approach?
I am trying to implement a third party passkey credential provider and I have been able to successfully setup the project for that. Below is a sample code which I am using - let passkeyRegistrationCredential = ASPasskeyRegistrationCredential(relyingParty: self.request?.credentialIdentity.serviceIdentifier.identifier ?? "", clientDataHash: self.request?.clientDataHash ?? Data(), credentialID: Data(credentialId), attestationObject: Data(attestationBytes) self.extensionContext.completeRegistrationRequest(using: passkeyRegistrationCredential) The attestationBytes object that I am generating and sending back to RP seems to work only if I set the "fmt" to "none", which basically requires "attStmt" to be sent as an empty value as per WebAuthn spec - https://www.w3.org/TR/webauthn-2/#sctn-none-attestation When trying to set the "fmt" to "packed" in attestation object and creating a self signed "attStmt" consisting of "alg" and "sig" key-values referring - https://www.w3.org/TR/webauthn-2/#sctn-packed-attestation, it does not seem to work. The RP throws an error. I do not have "x5c" object as that supposedly is not mandatory in case of self attestation. I have "authData" also as part of the response properly setup. Is it not possible to use packed attestation or am I missing something in creating the attestation object? Also, does Apple modify the response being sent in the background before sending to RP if packed fmt is used?
1
0
846
Dec ’23
Why doesnt Apple allow BE BS flags to be false in AutoFill credential provider's attestation response?
It appears that for a successful registration of a passkey to a relying party using passkey autofill provider, the BE BS bits/flags in the attestation response need to be set to true. Please refer FLAGS byte of authData field part of attestationObject mentioned here - https://www.w3.org/TR/webauthn-2/#sctn-attestation. If those flags are set to false, the RP rejects saying - "The operation either timed out or was not allowed. See: https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client." What are the implications of having those flags set to true? Does it make the generated passkey syncable across devices using same apple id? If yes, is there at all anyway possible by which a generated passkey can be made device bound, basically can be generated and used only on a single iPhone/iOS device? Also, is there a plan to ever make those flags to be set to false in a future iOS release? Also, what does it mean in the credential provider popup where it says - "Available where is installed." in the below screenshot?
2
0
958
Dec ’23
How to save login details to Keychain?
In my app user accounts are handled with Firebase Auth. When creating a user how can I get the system to suggest a Unique password (that prompt that comes up on the keyboard) and also how can i get it to save these details to the keychain. My app will have a website in the future so I want the details come up when the user tries to login there. When the user logs in i used the func below to save the details to the keychain, it says the details have been saved but it doesnt seem to come up in the passwords tab in Settings. func saveCredentialsToKeychain(email: String, password: String) { let query: [String: Any] = [ kSecClass as String: kSecClassInternetPassword, kSecAttrServer as String: "myWebsite.com", kSecAttrAccount as String: email, kSecValueData as String: password.data(using: .utf8)!, kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlocked ] let status = SecItemAdd(query as CFDictionary, nil) if status == errSecSuccess { print("Credentials saved to Keychain") } else { print("Error saving credentials to Keychain: \(status)") } }
0
0
654
Nov ’23
ASWebAuthenticationSession initiated session, file:// URL is not loaded and "Confirm the file to load" is presented instead
We are relying on ASWebAuthenticationSession to do web authentication. Since the API doesn't support POST requests directly we have to generate local file in ~/Library/Application Support/<foo.bar>/WebAuth.html containing the POST and use initial URL as file:///Users//Library/Application%20Support//WebAuth.html Problem is that Safari sometimes pops a dialog "Confirm the file to load" and sometimes it doesn't. This doesn't depend on "Full Disk access" TCC. Does anybody know a way to prevent this from happening? MDM option or something? Also styling of the popup is a rather poor UI choice - looks very confusing and like the user may choose another file to load. Chrome f.e. doesn't do such popups. I already have FB13340210 for this.
1
0
939
Jan ’24
Is there a way to specify the port on the server to add the AASA files to?
Hi. I'm trying to develop a passkey app connected with a Webauthn server. There is a problem in the process of creating the Attestation Object. Since I am assigned 8445 port, I need to upload the /.well-known/ directory to that port. In the WebAuthn specification, the RPID should not include the port number. (https://www.w3.org/TR/webauthn-2/#relying-party-identifier) When initializing an ASAuthorizationPlatformPublicKeyCredentialProvider object, if I add the port number to RPID, the passkey UI will work and ASAuthorization object will be checked. But, I don't get authentication from webauthn server because the Attestation Obj is generated with RPID which contains port. Is there any way to specify the port number to check the "well-known" directory? Or is it only possible on port 443? I checked the post, but there is no more feedback, so I'm asking a question. (https://developer.apple.com/forums/thread/730028)
2
1
1.1k
Mar ’24
ASAuthorizationController performRequest returns 4097 error
Hi all, Trying to create a Passkeys registration in my app. This is the implementation I have: ASAuthorizationPlatformPublicKeyCredentialProvider *provider = [[ASAuthorizationPlatformPublicKeyCredentialProvider alloc] initWithRelyingPartyIdentifier:[[jsonDict objectForKey:@"rp"] objectForKey:@"id"]]; ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest *request = [provider createCredentialRegistrationRequestWithChallenge: [jsonDict objectForKey:@"challenge"] name:[[jsonDict objectForKey:@"user"] objectForKey:@"name"] userID:[[jsonDict objectForKey:@"user"] objectForKey:@"id"]]; ASAuthorizationController *controller = [[ASAuthorizationController alloc] initWithAuthorizationRequests:[NSArray arrayWithObject:request]]; controller.delegate = self; controller.presentationContextProvider = self; [controller performRequests]; But I get this error: Remote proxy object error handler invoked with error: Error Domain=NSCocoaErrorDomain Code=4097 "Couldn’t communicate with a helper application." Connection to agent service interrupted with error: Error Domain=NSCocoaErrorDomain Code=4097 "Couldn’t communicate with a helper application." ASAuthorizationController credential request failed with error: Error Domain=NSCocoaErrorDomain Code=4097 "Couldn’t communicate with a helper application." And this is the NSError I get in authorizationController:didCompleteWithError: authorizationController error: Error Domain=NSCocoaErrorDomain Code=4097 "connection to service named com.apple.AuthenticationServicesCore.AuthenticationServicesAgent" UserInfo={NSDebugDescription=connection to service named com.apple.AuthenticationServicesCore.AuthenticationServicesAgent} Everything is defined right (associated domains in project and .well-known). Any reason I can't continue? Edit: I'm with iOS 17.0 (21A5248v) and Xcode-Beta (15A5160n) if it matters. Thanks
4
0
1.7k
Jan ’24
Generating Passkeys
Firstly massive thank you to the Passkeys team at Apple for opening up the APIs to allow third-party password manager apps to save and autofill Passkeys in iOS 17! I wasn't expecting this so soon. Incredible work. I have successfully implemented the new methods on ASCredentialProviderViewController, up to the point where our app's extension is now being presented when a user is prompted to "Create a passkey?". However two things are not entirely clear to me from this point on: When the user chooses our app to create a password by tapping "Continue", the prepareInterfaceToProvideCredential(for credentialRequest: ASCredentialRequest) method is called. Should I be handling passkey creation within this method? Really at this point I was expecting prepareInterface(forPasskeyRegistration: to be called instead. Are new passkeys automatically generated and returned by AuthenticationServices during this flow, or is it down to the developer to generate a new passkey here? I ask because the documentation for prepareInterface(forPasskeyRegistration: seems to imply the former, stating: "This method will present your extension's UI for user authentication before creating the passkey." Thanks again.
3
1
1.9k
Nov ’23