Looks like a security flaw in ASCredentialProviderViewController
- Register a new Passkey on foo.example.com
- Now iOS 17 (RC) will suggest and permit selecting the Passkey to log in to bar.example.com, which is against the specs
From specs:
For example, given a Relying Party whose origin is https://login.example.com:1337, then the following RP IDs are valid: login.example.com (default) and example.com, but not m.login.example.com and not com.
Also looks like a bug, in this method:
func prepareInterfaceToProvideCredential(for credentialRequest: ASCredentialRequest)
If I've registered my Passkey for RP foo.example.com and am trying to log in to bar.example.com (the bug), ASCredentialRequest.credentialIdentity.serviceIdentifier.identifier is foo.example.com, but I am trying to log in to bar.example.com. From this we can't tell which RP the Passkey is being used on, and can't restrict the use of the Passkey when it is used on the wrong RP.
P.S.: iCloud Passkeys work as expected.
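
The RP ID rule quoted from the spec above, written out as an added Swift example; it is not part of the original post and not an AuthenticationServices API. `isValidRPID` and `samplePublicSuffixes` are hypothetical names, the suffix set is a constructed stand-in for the full Public Suffix List, and the check assumes the caller knows the origin it is being asked to sign in to.

```swift
import Foundation

// Constructed, deliberately tiny stand-in for the Public Suffix List.
// A real check needs the full list from https://publicsuffix.org.
let samplePublicSuffixes: Set<String> = ["com", "org", "net", "co.uk"]

/// True when `rpID` is valid for `origin` under the rule quoted above:
/// it equals the origin's host, or is a registrable domain suffix of it.
/// (Hypothetical helper, not an AuthenticationServices API.)
func isValidRPID(_ rpID: String, forOrigin origin: String) -> Bool {
    guard let host = URL(string: origin)?.host?.lowercased(), !host.isEmpty else {
        return false
    }
    let rp = rpID.lowercased()
    if rp.isEmpty || samplePublicSuffixes.contains(rp) {
        return false                      // a bare public suffix such as "com"
    }
    if rp == host {
        return true                       // default RP ID: the host itself
    }
    // IP-address hosts have no parent domain, so only an exact match counts.
    let lastLabel = host.split(separator: ".").last ?? ""
    let isIPLiteral = host.contains(":") || lastLabel.allSatisfy { $0.isNumber }
    if isIPLiteral {
        return false
    }
    // The suffix must start on a label boundary: "example.com" matches
    // "login.example.com" but "ample.com" does not.
    return host.hasSuffix("." + rp)
}

// The four cases from the spec quote, plus the foo/bar case from the post.
let cases: [(rpID: String, origin: String)] = [
    ("login.example.com", "https://login.example.com:1337"),
    ("example.com", "https://login.example.com:1337"),
    ("m.login.example.com", "https://login.example.com:1337"),
    ("com", "https://login.example.com:1337"),
    ("foo.example.com", "https://bar.example.com"),
]
for c in cases {
    let verdict = isValidRPID(c.rpID, forOrigin: c.origin) ? "valid" : "invalid"
    print("\(c.rpID) on \(c.origin): \(verdict)")
}
```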