Authentication Services


Improve the experience of users when they enter credentials to establish their identity using Authentication Services.

Posts under Authentication Services tag

92 Posts

Post | Replies | Boosts | Views | Activity

Apple Anonymous Attestation Statement Format
According to the documentation - https://github.com/w3c/webauthn/pull/1491 of Apple's Anonymous Attestation Statement Format (fmt="apple"), the nonce generated from the authenticatorData and the clientDataHash is embedded in an extension with OID ( 1.2.840.113635.100.8.2 ) in the certificate for the credential public key. If I try to validate a response generated after using touchID from my browser on my iOS 14 device, I get a 38-byte value:

    414:d=5  hl=2 l=   9 prim: OBJECT            :1.2.840.113635.100.8.2
    425:d=5  hl=2 l=  38 prim: OCTET STRING      [HEX DUMP]:3024A1220420D9052FED7AA782C1B416C59B0AE15F309A336E22984E32505307A6339DDE52FD

How can this be a SHA-256 hash value?
3
0
2.2k
Oct ’23
The audience in ID Token [com.name.apop] does not match the expected audience.
I am trying to implement Sign in with Apple with Firebase. I cannot get around an issue where I get the following error when attempting a sign in:

When running:

    Auth.auth().signIn(with: credential) { (authResult, error) in

I get:

    nil credential = OAuthProvider.credential Optional(Error Domain=FIRAuthErrorDomain Code=17004 "The audience in ID Token [com.name.app] does not match the expected audience." UserInfo={NSLocalizedDescription=The audience in ID Token [com.name.app] does not match the expected audience., FIRAuthErrorUserInfoNameKey=ERROR_INVALID_CREDENTIAL})
    Optional("The audience in ID Token [com.name.app] does not match the expected audience.")

I have added my URL as stated on Firebase to my identifier. To complete set up, add this authorization callback URL to your app configuration in the Apple Developer Console. Additional steps may be needed to verify ownership of this web domain to Apple.

More code:

    func authorizationController(controller: ASAuthorizationController, didCompleteWithAuthorization authorization: ASAuthorization) {
        if let appleIDCredential = authorization.credential as? ASAuthorizationAppleIDCredential {
            guard let nonce = currentNonce else {
                fatalError("Invalid state: A login callback was received, but no login request was sent.")
            }
            guard let appleIDToken = appleIDCredential.identityToken else {
                print("Unable to fetch identity token")
                return
            }
            guard let idTokenString = String(data: appleIDToken, encoding: .utf8) else {
                print("Unable to serialize token string from data: \(appleIDToken.debugDescription)")
                return
            }

            print("credential = OAuthProvider.credential")
            // Initialize a Firebase credential.
            let credential = OAuthProvider.credential(withProviderID: "apple.com",
                                                      idToken: idTokenString,
                                                      rawNonce: nonce)
            //Auth.auth().createUser(withEmail: T##String, password: T##String, completion: T##AuthDataResultCallback?##AuthDataResultCallback?##(AuthDataResult?, Error?) -> Void)
            // Sign in with Firebase.
            Auth.auth().signIn(with: credential) { (authResult, error) in
                print(Auth.auth().currentUser?.uid ," credential = OAuthProvider.credential ", error)
2
0
8.6k
Sep ’23
ASAuthorizationPasswordProvider request not finding shared web credentials
I'm trying to deprecate iOS 13 from my app. One of the compilation warnings I got as a result was:

    'SecRequestSharedWebCredential' is deprecated: first deprecated in iOS 14.0 - Use ASAuthorizationController to make an ASAuthorizationPasswordRequest (AuthenticationServices framework)

So I tried updating my code as follows:

    let provider = ASAuthorizationPasswordProvider()
    let request = provider.createRequest()
    let authorizationController = ASAuthorizationController(authorizationRequests: [request])
    authorizationController.delegate = self
    authorizationController.presentationContextProvider = self
    authorizationController.performRequests()

But it always calls the delegate callback

    func authorizationController(controller: ASAuthorizationController, didCompleteWithError error: Error)

with error

    Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1001 "No credentials available for login." UserInfo={NSLocalizedFailureReason=No credentials available for login.}

Even though the device (or simulator) has a stored password for my website. I have my website as an "associated domain" for my app of type webcredentials. What am I doing wrong here?
6
1
3.5k
Jul ’23
Apple Sign in Error: The Operation couldn't be completed (com.apple.AuthenticationServices.AuthorizationError error 1000.)
I am facing one issue while trying to Sign in with Apple. The error is as below:

    "The Operation couldn't be completed (com.apple.AuthenticationServices.AuthorizationError error 1000.)"

I get this error as soon as the button is pressed; it doesn't even get into the actual sign-in part. I have verified that the entitlements file is there with the below content:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "">
    <plist version="1.0">
    <dict>
        <key>aps-environment</key>
        <string>development</string>
        <key>com.apple.developer.applesignin</key>
        <array>
            <string>Default</string>
        </array>
    </dict>
    </plist>

I transferred the project and certificates from another machine. So deleted all the certificates and provisional profiles and recreated them from the new machine but faced an issue. Also, it only happens in exported (Archived build). When I directly install it from Xcode it is working fine. I have followed the official Apple document to implement it. Below is how I'm requesting the authentication:

    currentNonce = randomNonceString()
    let request = ASAuthorizationAppleIDProvider().createRequest()
    request.requestedScopes = [.fullName, .email]
    let controller = ASAuthorizationController(authorizationRequests: [request])
    request.nonce = currentNonce?.sha256()
    controller.delegate = self
    controller.presentationContextProvider = self
    controller.performRequests()

Below are delegates:

    func authorizationController(controller: ASAuthorizationController, didCompleteWithAuthorization authorization: ASAuthorization) {
        switch authorization.credential {
        case let appleIDCredential as ASAuthorizationAppleIDCredential:
            //Authenticated
            break
        default:
            break
        }
    }

    func presentationAnchor(for controller: ASAuthorizationController) -> ASPresentationAnchor {
        return self.view.window!
    }

    func authorizationController(controller: ASAuthorizationController, didCompleteWithError error: Error) {
        Utils.showAlert(withMessage: error.localizedDescription)
    }

Any help would be appreciated
3
2
7.4k
Sep ’23
Error Domain=NSCocoaErrorDomain Code=4097 "connection to service named com.apple.AuthenticationServicesCore.AuthenticationServicesAgent"
Hi devs!!! Calling createCredentialRegistrationRequestWithChallenge returns the following error: Error Domain=NSCocoaErrorDomain Code=4097 "connection to service named com.apple.AuthenticationServicesCore.AuthenticationServicesAgent" UserInfo={NSDebugDescription=connection to service named com.apple.AuthenticationServicesCore.AuthenticationServicesAgent} What can be the potential reason?
3
1
2k
Aug ’23
App rejected Sign up with Apple Full name empty
Apple rejected our app because when we use the Apple Sign Up button, the full name in the response is empty, but we need the first and last name in our app registration, so, the Text inputs in the app, first and last name is filled empty and we let the users enter those values, but Apple wants the users not to enter the values because the service already returns them but in our case are empty. We are using React native react-native-apple-authentication. Can anyone help us or have the same issue with apple review and how did you fix it?
2
0
1.3k
Sep ’23
iOS 16.4 ASWebAuthenticationSession's webview can not debug in safari web inspector
I'm using Xcode 14.2 to build an app that runs on iOS 16.4. There is no webView.isInspectable property in this version. When my app presents a webview, it is inspectable in Safari -> develop, which is nice. However, when starting an ASWebAuthenticationSession, Safari -> develop shows "no inspectable applications". It was inspectable on iOS 16.1 but not iOS 16.4. How to solve this?
5
2
1.7k
Sep ’23
Generating Passkeys
Firstly massive thank you to the Passkeys team at Apple for opening up the APIs to allow third-party password manager apps to save and autofill Passkeys in iOS 17! I wasn't expecting this so soon. Incredible work. I have successfully implemented the new methods on ASCredentialProviderViewController, up to the point where our app's extension is now being presented when a user is prompted to "Create a passkey?". However two things are not entirely clear to me from this point on:

1. When the user chooses our app to create a password by tapping "Continue", the prepareInterfaceToProvideCredential(for credentialRequest: ASCredentialRequest) method is called. Should I be handling passkey creation within this method? Really at this point I was expecting prepareInterface(forPasskeyRegistration: to be called instead.
2. Are new passkeys automatically generated and returned by AuthenticationServices during this flow, or is it down to the developer to generate a new passkey here? I ask because the documentation for prepareInterface(forPasskeyRegistration: seems to imply the former, stating: "This method will present your extension's UI for user authentication before creating the passkey."

Thanks again.
3
1
1.6k
Nov ’23
ASAuthorizationController performRequest returns 4097 error
Hi all, Trying to create a Passkeys registration in my app. This is the implementation I have:

    ASAuthorizationPlatformPublicKeyCredentialProvider *provider = [[ASAuthorizationPlatformPublicKeyCredentialProvider alloc] initWithRelyingPartyIdentifier:[[jsonDict objectForKey:@"rp"] objectForKey:@"id"]];
    ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest *request = [provider createCredentialRegistrationRequestWithChallenge:[jsonDict objectForKey:@"challenge"]
        name:[[jsonDict objectForKey:@"user"] objectForKey:@"name"]
        userID:[[jsonDict objectForKey:@"user"] objectForKey:@"id"]];
    ASAuthorizationController *controller = [[ASAuthorizationController alloc] initWithAuthorizationRequests:[NSArray arrayWithObject:request]];
    controller.delegate = self;
    controller.presentationContextProvider = self;
    [controller performRequests];

But I get this error:

    Remote proxy object error handler invoked with error: Error Domain=NSCocoaErrorDomain Code=4097 "Couldn’t communicate with a helper application."
    Connection to agent service interrupted with error: Error Domain=NSCocoaErrorDomain Code=4097 "Couldn’t communicate with a helper application."
    ASAuthorizationController credential request failed with error: Error Domain=NSCocoaErrorDomain Code=4097 "Couldn’t communicate with a helper application."

And this is the NSError I get in authorizationController:didCompleteWithError:

    authorizationController error: Error Domain=NSCocoaErrorDomain Code=4097 "connection to service named com.apple.AuthenticationServicesCore.AuthenticationServicesAgent" UserInfo={NSDebugDescription=connection to service named com.apple.AuthenticationServicesCore.AuthenticationServicesAgent}

Everything is defined right (associated domains in project and .well-known). Any reason I can't continue? Edit: I'm with iOS 17.0 (21A5248v) and Xcode-Beta (15A5160n) if it matters. Thanks
4
0
1.4k
Jan ’24
Passkey registration and authentication on iPhone using native application
On an iPhone, I have registered 2 different passkeys for 2 different users (let's say user A and user B) for a domain example.com. Now at the time of authentication I am able to use Passkeys of user A to authenticate user B with authentication challenge fetched from server. This should not be allowed. As per documentation, I can see ASAuthorizationPlatformPublicKeyCredentialProvider.createCredentialAssertionRequest(challenge: challenge) only accepts challenge value and does not accept any user ID. How can I verify the user details/info while authenticating with Passkey?
3
0
781
Jul ’23
macOS FIDO2/Webauthn support for web authentication
Hello. Does WKWebView on Mac support FIDO2 (WebAuthn)? We need to implement this in our app and ASWebAuthenticationSession API comes up in searches all the time as the only solution. Is this still the case? From my experiments ASWebAuthenticationSession on Mac doesn't provide the best user experience - too much fiddling and odd behavior for an end user. For example, the user needs to click the Open button from the browser window to pass the token to the very same app which initiated the window and this is not very logical considering all the efforts to set up applink. Would appreciate any advice.
2
0
1.5k
Jul ’23
Keep getting an error on macOS when trying to use Passkeys to login
I keep getting the following error when trying to run Passkey sign in on macOS.

    Told not to present authorization sheet: Error Domain=com.apple.AuthenticationServicesCore.AuthorizationError Code=1 "(null)"

The same piece of code is working as expected on iOS. Some more info:

- The association file and entitlements are correct and validated as everything is working on iOS.
- The app is built on SwiftUI and uses the same codebase for macOS and iOS.
- Validated that the presentation anchor is also correct on macOS because other SSO login works with the same presentation anchor.

Not sure where the problem is. Followed https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication/supporting_passkeys/ to get the integration.
1
0
496
Aug ’23
Fido support for enterprise app - corp device managed by MDM
We are working on implementing FIDO2 with passkeys and it works fine in the consumer case with Apple ID. On the Enterprise level we aren't able to make it work because corp devices don't have the option to enable Apple ID and it's disabled by MDM as per policy. Is there any alternate approach where a corp device can use FIDO authentication without using Apple ID? Thanks
1
0
584
Aug ’23
No .cancel() on AuthorizationController environment value?
I'm implementing passkeys by following the example from the Food Truck sample project. I have nearly everything working, but there's one problem. I'm using the AuthorizationController environment value and passing that to my login and register functions, but when I call authorizationController.performAutoFillAssistedRequest, I don't see or know of any way to cancel it, so if the user tries to type in their username instead of use the autofill suggestion, the second (non-autofill) request throws the error, The operation couldn’t be completed. Request already in progress for specified application identifier. I know that ASAuthorizationController has a cancel() function, but is there any way to do this with AuthorizationController?
1
1
594
Aug ’23
Is there a way to specify the port on the server to add the AASA files to?
Hi. I'm trying to develop a passkey app connected with a Webauthn server. There is a problem in the process of creating the Attestation Object. Since I am assigned 8445 port, I need to upload the /.well-known/ directory to that port. In the WebAuthn specification, the RPID should not include the port number. (https://www.w3.org/TR/webauthn-2/#relying-party-identifier) When initializing an ASAuthorizationPlatformPublicKeyCredentialProvider object, if I add the port number to RPID, the passkey UI will work and ASAuthorization object will be checked. But, I don't get authentication from webauthn server because the Attestation Obj is generated with RPID which contains port. Is there any way to specify the port number to check the "well-known" directory? Or is it only possible on port 443? I checked the post, but there is no more feedback, so I'm asking a question. (https://developer.apple.com/forums/thread/730028)
2
1
877
Mar ’24
Some content and features locked in with authentication via webview
What policy does apply to me as I have a working application that serves contents based on their chosen location or place which does not require any login but for some super users I will open webview where they can authenticate themself and view/change thee only do I still need to provide test credential and any policy that apply to me related to data and privacy as the content will be also shown via webview and my app only served to US region.
0
0
376
Aug ’23
Passkeys: rawAttestationObject doesn't contain public key
I'm trying to implement passkeys in my app. I successfully get to the dialog in iOS simulator to register with a Passkey and I can also read the result and see all the right things in credentialRegistration.rawClientDataJSON. The one thing that's not working is when decoding the rawAttestationObject (which should be CBOR as I understand), I find all data defined in the spec (aaguid, credentialIdLength, credentialId) except for the credentialPublicKey! The rawAttestationObject basically ends after the credentialId. I see this both when decoding the rawAttestationObject manually as well as when using WebAuthn libraries on the server, which will give me an "Unexpected end of CBOR data" error. Any ideas why the rawAttestationObject does not contain the public key?

For reference, here is the initialization of the Passkey request:

    let publicKeyCredentialProvider = ASAuthorizationPlatformPublicKeyCredentialProvider(relyingPartyIdentifier: options.domain)
    let registrationRequest = publicKeyCredentialProvider.createCredentialRegistrationRequest(challenge: challenge, name: name, userID: userID)
    let authController = ASAuthorizationController(authorizationRequests: [ registrationRequest ])
    authController.performRequests()

And here is how I handle the result:

    case let credentialRegistration as ASAuthorizationPlatformPublicKeyCredentialRegistration:
        let rawAttestationObject = credentialRegistration.rawAttestationObject!.base64EncodedString()
        let credentialID = credentialRegistration.credentialID.base64EncodedString()
        let rawClientDataJSON = credentialRegistration.rawClientDataJSON.base64EncodedString()
        let response: PasskeysResponse = [
            "attestationObject": rawAttestationObject,
            "credentialId": credentialID,
            "clientDataJson": rawClientDataJSON,
        ]

Here is an example for a decoded attestation object:

    {
      "rpIdHash": "o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YViYmW4=",
      "flags": {
        "userPresent": false,
        "userVerified": false,
        "backupEligibility": true,
        "backupState": true,
        "attestedCredentialData": true,
        "extensionData": false
      },
      "signCount": 425116148,
      "aaguid": "20318e2d-77fa-f54d-bed7-ba15ccd3fade",
      "credentialId": "1B1KJf6uYF0AAAAAAAAAAAAAAAAAAAAAAAAAAAAUQW65BAqkeKqu97vbc0Se5R1F3Y+lAQIDJiABIVggtdSX2ZAHsBxU4ja1xP6hCZGUXgUCb6Ipau3stU8rrz4iWCBwhOBWOgwT4yKRnU1hA11thC8+CvjmrCkfq//648cwHg==",
      "credentialPublicKey": ""
    }

As you can see, it looks all good except for the "credentialPublicKey": "" part.
3
1
1k
Aug ’23
Is it possible to access user's birthday and gender when they login with Apple option?
Hi Team, Is it possible to access the user's birthday and gender when they login with Apple option? I've checked Apple Authentication Services framework but found nothing about it. The only information we can access is user's name and email. However, I received a review note saying that this information is already provided by the Apple Authentication Services framework. Please kindly share the solution or tell me what should I do to resolve this issue. Cheers, Vanto
0
0
298
Aug ’23