Passkey against local server with self-signed certificate

Question

mikko-nylen OP

Created Jul ’22

Replies 7

Boosts 0

Views 4.5k

Participants 9

Hey!

Is it possible to test passkeys against a locally running server in simulator with self-signed certificate? As far as I can tell, the certificate is trusted on the Simulator and Safari has no trouble communicating with the server or fetching the apple-app-site-association file.

The error I'm getting is

ASAuthorizationController credential request failed with error: Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1004 "(null)"
Error: ["NSLocalizedFailureReason": Application with identifier FAKETEAMID.com.example.apple-samplecode.Shiny is not associated with domain webauthn-api.local]

When running the Shiny example app. There is an apple-app-site-association available in https://webauthn-api.local:7001/.well-known/apple-app-site-association:

{
  "webcredentials": {
    "apps": [ "FAKETEAMID.com.example.apple-samplecode.Shiny" ]
  }
}

And in the Associated Domains, I've added:

webcredentials:webauthn-api.local:7001?mode=developer

I saw here https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_associated-domains that to use a local server with the apple-app-site-association, one should add ?mode=developer to the entitlement.

However, looking at the logs for the server, the simulator does not seem to ever attempt fetching /.well-known/apple-app-site-association file, so the developer mode does not seem to have any effect. Is the developer mode supposed to work with webcredentials service. Documentation linked above doesn't make any exclusions for that.

Boost

Answer 1

alevy97 OP

Nov ’22

Did you ever figure this out?

0

Answer 2

louie_keystructure OP

Nov ’22

Did you solve this? I am having the same problem. The server logs don't show the app ever went there.

0

Answer 3

louie_keystructure OP

Nov ’22

Same problem here. I am using the example app shinny. In associated domains I am using my full domain sub.mydomain.com for example. So I have this webcredentials:sub.mydomain.com?mode=developer

I can get https://sub.mydomain.com/.well-known/apple-app-site-association from my server so that works.

Both my server and the phone are on the same subnet, but not reachable from the internet.

I don't see the request logged at my server, which I expect I should. So the app is not hitting my server. But the documentation says it should???

0

Answer 4

JerryCarter OP

Nov ’22

The documentation is far less helpful than one would like. Here's what I've found to work so far.

The apple-app-site-association file must reside on a publicly accessible web server with a valid TLS certificate. (see https://jaanus.com/universal-links/).
I specified 'web credentials:mydomain.com?mode=developer' in Associated Domains in the Signing & Capabilities tab in Xcode.
On the iOS device, enable Associated Domains for development. This is found under Settings > Developer > Universal Links: Associated Domains Development
On the Apple Developer website, I have added an identifier for my application with 'Associated Domains' enabled to the Certificates, Identifiers & Profiles list of identifiers.

0

Answer 5

pankajhotwani OP

Apr ’23

I was stuck on the same issue for a long time but finally could resolve it by doing tunnelling with ngrok.com. Ngrok helped me provide a temporary domain with an SSL setup which made everything so clean

1

Answer 6

jdoxey OP

Nov ’23

I struggled with this one for a while too. I was eventually able to get passkeys working in the simulator using locally generated certificates. Here are a few things I did differently to you (but I'm not 100% sure which one would make the difference in your case),

hosting the server on port 443 (and not including the port in Associated Domains settings in Xcode)
generating a Root CA and leaf certificate chain, and trusting the generated Root CA in the simulator

0

Answer 7

khantzawko OP

May ’24

I face an issue like that, it was due to the fact that I didn't turn on any of the password manager in settings.

0