Passkeys don't respect WebAuthn specs (RP ID)

Looks like a security flaw in ASCredentialProviderViewController

  1. Register a new Passkey on foo.example.com
  2. Now iOS 17 (RC) will suggest and allow selecting that Passkey to log in to bar.example.com, which is against the specs

From specs:

For example, given a Relying Party whose origin is https://login.example.com:1337, then the following RP IDs are valid: login.example.com (default) and example.com, but not m.login.example.com and not com.

Also looks like a bug, in this method:

func prepareInterfaceToProvideCredential(for credentialRequest: ASCredentialRequest)

If I've registered my Passkey for RP foo.example.com and am trying to log in to bar.example.com (the bug), ASCredentialRequest.credentialIdentity.serviceIdentifier.identifier is foo.example.com but I am trying to log in to bar.example.com. From this we can't tell which RP this Passkey is being used on and can't restrict the use of the Passkey in case it is used on a wrong RP.

P.S: iCloud Passkeys work as expected.
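The RP ID rule quoted above, as an added example that is not code from the original post or from Apple's framework: a small Python check of whether a stored passkey's RP ID is valid for the origin that is asking for it, run over the spec's own cases and over the foo.example.com / bar.example.com scenario from this thread. The public-suffix set is a constructed stand-in for the real Public Suffix List, and the credential records are constructed sample data.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List. A real provider must load
# the full list: an RP ID that is itself a public suffix ("com") is never valid.
PUBLIC_SUFFIXES = {"com", "co.uk", "github.io"}


def effective_domain(origin: str) -> Optional[str]:
    """Return the lower-cased host of an https origin, or None if unusable."""
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.lower()  # .hostname already strips the port (":1337")


def rp_id_is_valid_for_origin(origin: str, rp_id: str) -> bool:
    """WebAuthn rule: the RP ID must equal the origin's effective domain or be a
    registrable-domain suffix of it (label-aligned, never a bare public suffix)."""
    host = effective_domain(origin)
    rp_id = rp_id.lower().rstrip(".")
    if host is None or not rp_id or rp_id in PUBLIC_SUFFIXES:
        return False
    if rp_id == host:
        return True
    # Suffix match on a label boundary: "example.com" matches "login.example.com",
    # but "foo.example.com" never matches "bar.example.com".
    return host.endswith("." + rp_id)


def passkeys_for_origin(stored, origin: str):
    """Filter a provider's stored passkeys down to those a page at `origin`
    may be offered. Each record is {"rp_id": ..., "user": ...} (constructed)."""
    return [c for c in stored if rp_id_is_valid_for_origin(origin, c["rp_id"])]


# Constructed sample store: one passkey under a subdomain, one under the apex.
STORE = [
    {"rp_id": "foo.example.com", "user": "alice"},
    {"rp_id": "example.com", "user": "alice"},
]

if __name__ == "__main__":
    for rp in ("login.example.com", "example.com", "m.login.example.com", "com"):
        print(rp, rp_id_is_valid_for_origin("https://login.example.com:1337", rp))
    # Only the apex passkey may be offered on bar.example.com.
    print([c["rp_id"] for c in passkeys_for_origin(STORE, "https://bar.example.com")])
```

This is the filter a provider would apply before offering a credential at all; it does not touch the ASCredentialIdentityStore / serviceIdentifier plumbing discussed in this thread, which is what decides what the system shows in the QuickType bar.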

Hey Incogn1to, as a fellow third-party passkey provider, I wonder if you can help. We're debugging an issue with passkey compatibility for Google Accounts: https://developer.apple.com/forums/thread/737161

It's most likely an issue with our specific implementation, but for peace of mind I wanted to ask if you're able to provide passkeys for Google accounts? Google is the only service we're unable to provide passkeys for, so if you're able to then at least I know the issue is on my end. Thanks!

Hey @codecomet,

Looks like you are not following the specs, check this https://www.w3.org/TR/webauthn-2/#sctn-attestation

When you are constructing the AttestationObject, the resulting CBOR must be an Ordered Dictionary that has the order:

  1. fmt
  2. attStmt
  3. authData

Looks like other services don't care about this, but Google does :)))

You are welcome.
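The key ordering described above, as an added example that is not code from the original post: a minimal canonical CBOR encoder in Python that builds an attestation object and shows the top-level keys always come out as fmt, attStmt, authData whatever the insertion order of the dictionary. It assumes the CTAP2 canonical CBOR rule (shorter encoded keys first, then bytewise order), which is what the WebAuthn attestation object requires; the authenticator data and signature bytes are constructed placeholders, and the read-back helper only understands the integer, string, array and map types this object needs.

```python
def _head(major: int, n: int) -> bytes:
    """CBOR initial byte(s): major type in the top 3 bits, length/value after."""
    if n < 24:
        return bytes([(major << 5) | n])
    for ai, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < (1 << (8 * size)):
            return bytes([(major << 5) | ai]) + n.to_bytes(size, "big")
    raise ValueError("integer too large for CBOR")


def cbor_encode(value) -> bytes:
    """Encode int/bytes/str/list/dict as CTAP2 canonical CBOR (no floats, no tags)."""
    if isinstance(value, bool) or value is None:
        raise TypeError("simple values are not needed for an attestation object")
    if isinstance(value, int):
        return _head(0, value) if value >= 0 else _head(1, -1 - value)
    if isinstance(value, bytes):
        return _head(2, len(value)) + value
    if isinstance(value, str):
        data = value.encode("utf-8")
        return _head(3, len(data)) + data
    if isinstance(value, (list, tuple)):
        return _head(4, len(value)) + b"".join(cbor_encode(v) for v in value)
    if isinstance(value, dict):
        items = [(cbor_encode(k), cbor_encode(v)) for k, v in value.items()]
        # Canonical map order: shorter encoded key first, then bytewise. This is
        # what puts "fmt" (3 chars) before "attStmt" (7) before "authData" (8).
        items.sort(key=lambda kv: (len(kv[0]), kv[0]))
        return _head(5, len(items)) + b"".join(k + v for k, v in items)
    raise TypeError(f"unsupported type {type(value).__name__}")


def build_attestation_object(fmt: str, att_stmt: dict, auth_data: bytes) -> bytes:
    """Assemble the WebAuthn attestationObject; insertion order here is deliberately
    wrong to show that the encoder, not the caller, fixes the key order."""
    return cbor_encode({"authData": auth_data, "fmt": fmt, "attStmt": att_stmt})


def _read_head(buf: bytes, i: int):
    major, ai = buf[i] >> 5, buf[i] & 0x1F
    if ai < 24:
        return major, ai, i + 1
    size = {24: 1, 25: 2, 26: 4, 27: 8}[ai]
    return major, int.from_bytes(buf[i + 1:i + 1 + size], "big"), i + 1 + size


def _skip(buf: bytes, i: int) -> int:
    """Return the index just past the CBOR item starting at i (major types 0-5)."""
    major, n, i = _read_head(buf, i)
    if major in (0, 1):
        return i
    if major in (2, 3):
        return i + n
    if major in (4, 5):
        for _ in range(n * (2 if major == 5 else 1)):
            i = _skip(buf, i)
        return i
    raise ValueError("unsupported major type")


def top_level_key_order(encoded: bytes):
    """Read back the top-level text keys of a canonical CBOR map, in wire order."""
    major, n, i = _read_head(encoded, 0)
    if major != 5:
        raise ValueError("not a CBOR map")
    keys = []
    for _ in range(n):
        kmajor, klen, j = _read_head(encoded, i)
        if kmajor != 3:
            raise ValueError("non-text key")
        keys.append(encoded[j:j + klen].decode("utf-8"))
        i = _skip(encoded, j + klen)
    return keys


if __name__ == "__main__":
    # Constructed placeholders: 37 bytes stands in for authenticator data, 0x30 for a DER signature.
    obj = build_attestation_object("packed", {"sig": b"\x30\x01", "alg": -7}, b"\xaa" * 37)
    print(top_level_key_order(obj))  # ['fmt', 'attStmt', 'authData']
    print(build_attestation_object("none", {}, b"\x01\x02").hex())
```

The same rule applies inside attStmt: "alg" and "sig" have equal length, so they sort bytewise, and a verifier that decodes strictly canonical CBOR will reject an object whose keys arrive in dictionary insertion order instead.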

I think I almost understand the issue, but I have a few follow-up questions. Can you please submit this through Feedback Assistant, including some additional information?

  1. Are you seeing this in Safari or in an app associated with example.com?
  2. Is the RPID of the registered passkey actually foo.example.com or did it get registered for example.com?
  3. Did you save the passkey's credential identity to the system through ASCredentialIdentityStore, and if so, what serviceIdentifier did you use?
  4. Is the unexpected passkey being shown on the system QuickType bar or only when pulling up the full list of credentials?

Sample code and/or a screen recording would also be super helpful. Thank you!

I have submitted feedback FB13165119 (Passkeys don't respect WebAuthn specs (RP ID))

Here is the answer:

  1. Are you seeing this in Safari or in an app associated with example.com?

I haven't checked it in other apps, only in Safari.

  2. Is the RPID of the registered passkey actually foo.example.com or did it get registered for example.com?

I register the Passkey for foo.example.com and NOT example.com.

  3. Did you save the passkey's credential identity to the system through ASCredentialIdentityStore, and if so, what serviceIdentifier did you use?

Yes. I save the Passkey with ASCredentialIdentityStore and I set the same value that I get from ASPasskeyCredentialRequest.credentialIdentity.serviceIdentifier.identifier, in this case foo.example.com.

  4. Is the unexpected passkey being shown on the system QuickType bar or only when pulling up the full list of credentials?

The unexpected passkey is being shown on the system QuickType bar as a suggestion to fill when I visit bar.example.com.

And the strangest thing is that when I use the wrong Passkey on bar.example.com in func prepareInterfaceToProvideCredential(for credentialRequest: ASCredentialRequest), the credentialRequest.credentialIdentity.serviceIdentifier.identifier == "foo.example.com"

Hello Incogn1to, could you please share which library you are using to generate the key pair (ES256) that makes up the passkey?

Thank you!
