Hi, so I'm trying to use security key authentication with physical keys via the native APIs documented on Apple's developer website, but I am running into errors I don't understand. The application runs on macOS.
The application is signed with an entitlement that contains the associated domain like so:
<key>com.apple.developer.associated-domains</key>
<array>
<string>webcredentials:example.com?mode=developer</string>
</array>
I have tried with and without ?mode=developer.
Here is the error I get:
{"error":"The operation couldn’t be completed. The calling process does not have an application identifier. Make sure it is properly configured."}
My application identifier is also configured in the .entitlements file.
Here is a rough overview of what I'm trying to do (basically, the auth server I'm contacting provides a challenge, and I want to create an assertion and send it back for verification). Trying to replicate the example from the official docs.
import AuthenticationServices

// Assumes `Request` (the decoded server JSON), the `decodeBase64Url()` String
// extension and `run(authController:)` are defined elsewhere in the app.
// `options` arrives as the raw JSON string returned by the auth server.
let options = try! JSONDecoder().decode(Request.self, from: options.data(using: .utf8)!).publicKey

// Assertion request for a roaming (USB/NFC/BLE) security key.
let securityKeyProvider = ASAuthorizationSecurityKeyPublicKeyCredentialProvider(relyingPartyIdentifier: options.rpId)
let securityKeyRequest = securityKeyProvider.createCredentialAssertionRequest(challenge: options.challenge.decodeBase64Url()!)

// Assertion request for a platform authenticator (passkey) using the same challenge.
let platformProvider = ASAuthorizationPlatformPublicKeyCredentialProvider(relyingPartyIdentifier: options.rpId)
let platformKeyRequest = platformProvider.createCredentialAssertionRequest(challenge: options.challenge.decodeBase64Url()!)

// Honour the server's userVerification requirement, defaulting to "preferred".
securityKeyRequest.userVerificationPreference = ASAuthorizationPublicKeyCredentialUserVerificationPreference(rawValue: options.userVerification ?? "preferred")

// Restrict the assertion to the credential IDs the server listed in allowCredentials.
securityKeyRequest.allowedCredentials = []
for credential in (options.allowCredentials ?? []) {
    let id = credential.id.decodeBase64Url()!
    let transports = ASAuthorizationSecurityKeyPublicKeyCredentialDescriptor.Transport.allSupported
    let descriptor = ASAuthorizationSecurityKeyPublicKeyCredentialDescriptor(credentialID: id, transports: transports)
    securityKeyRequest.allowedCredentials.append(descriptor)
}

// Offer both request types in one controller so the user can pick either authenticator.
let authController = ASAuthorizationController(authorizationRequests: [platformKeyRequest, securityKeyRequest])
return run(authController: authController)
Happy to provide more context if necessary. Thanks in advance!
Thanks @garrett-davidson! After setting up the entitlements correctly it looks like I can reach the authentication server, but I get rejected with an error saying that my app is not associated with the domain:
response: {"error":"The operation couldn’t be completed. Application with identifier V9WTTPBFK9.com.meta.fido2macos.localDevelopment is not associated with domain internalfb.com"}
log stream | grep fido2
shows the following when I try to send the request:
2023-10-16 10:45:01.552607+0100 0xc24e6 Default 0x19c851 404 0 tccd: [com.apple.TCC:access] AUTHREQ_ATTRIBUTION: msgID=31142.1, attribution={responsible={TCCDProcess: identifier=com.apple.Terminal, pid=2381, auid=501, euid=501, responsible_path=/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal, binary_path=/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal}, requesting={TCCDProcess: identifier=com.meta.fido2macos, pid=31142, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2}, },
2023-10-16 10:45:01.561926+0100 0xc24e6 Default 0x19237c 404 0 tccd: [com.apple.TCC:access] AUTHREQ_ATTRIBUTION: msgID=402.465, attribution={responsible={TCCDProcess: identifier=com.apple.Terminal, pid=2381, auid=501, euid=501, responsible_path=/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal, binary_path=/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal}, accessing={TCCDProcess: identifier=com.meta.fido2macos, pid=31142, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2}, requesting={TCCDProcess: identifier=com.apple.WindowServer, pid=402, auid=88, euid=88, binary_path=/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer}, },
2023-10-16 10:45:01.561981+0100 0xc24e6 Default 0x19237c 404 0 tccd: [com.apple.TCC:access] requestor: TCCDProcess: identifier=com.apple.WindowServer, pid=402, auid=88, euid=88, binary_path=/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer is checking access for accessor TCCDProcess: identifier=com.meta.fido2macos, pid=31142, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2
2023-10-16 10:45:01.595107+0100 0xc216c Default 0x0 376 0 launchservicesd: [com.apple.launchservices:cas] CHECKIN:0x0-0x13c13c 31142 com.meta.fido2macos
2023-10-16 10:45:01.602683+0100 0xbfa8f Default 0x194061 930 0 distnoted: [com.apple.distnoted:diagnostic] register name: com.apple.sharedfilelist.change object: com.apple.LSSharedFileList.ApplicationRecentDocuments/com.meta.fido2macos token: 930000004e pid: 994
2023-10-16 10:45:01.654756+0100 0xbfa8f Default 0x0 930 0 distnoted: [com.apple.distnoted:diagnostic] register name: com.apple.xctest.FakeForceTouchDevice object: com.meta.fido2macos token: 1c00000023 pid: 31142
2023-10-16 10:45:01.671192+0100 0xbfa8f Default 0x0 930 0 distnoted: [com.apple.distnoted:diagnostic] register name: com.apple.nsquiet_safe_quit_give_reason object: com.meta.fido2macos token: 1f00000020 pid: 31142
2023-10-16 10:45:01.777840+0100 0xc2317 Error 0x19c858 404 0 tccd: [com.apple.TCC:access] TCCDProcess: identifier=com.meta.fido2macos, pid=31142, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2 attempted to call TCCAccessRequest for kTCCServiceAccessibility without the recommended com.apple.private.tcc.manager.check-by-audit-token entitlement
2023-10-16 10:45:01.777950+0100 0xc2317 Default 0x19c858 404 0 tccd: [com.apple.TCC:access] AUTHREQ_ATTRIBUTION: msgID=31142.2, attribution={accessing={TCCDProcess: identifier=com.knollsoft.Rectangle, pid=1134, auid=501, euid=501, binary_path=/Applications/Rectangle.app/Contents/MacOS/Rectangle}, requesting={TCCDProcess: identifier=com.meta.fido2macos, pid=31142, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2}, },
2023-10-16 10:45:01.819327+0100 0xc1337 Default 0x19c857 3460 0 AuthenticationServicesAgent: (AuthenticationServicesCore) [com.apple.AuthenticationServicesCore:Authorization] Received connection from V9WTTPBFK9.com.meta.fido2macos.localDevelopment
2023-10-16 10:45:01.819743+0100 0xc1337 Error 0x1940f1 3460 0 AuthenticationServicesAgent: (AuthenticationServicesCore) [com.apple.AuthenticationServicesCore:Authorization] Application with identifier V9WTTPBFK9.com.meta.fido2macos.localDevelopment is not associated with domain internalfb.com
The app is listed in https://internalfb.com/.well-known/apple-app-site-association so I don't understand why it is not associated.
My provisioning profile:
$ security cms -D -i ~/Downloads/fido2macos_Local_Development_VZPNUT84NZ.mobileprovision | xmllint --xpath "/plist/dict/key[text()='Entitlements']/following-sibling::dict[position()=1]" -
<dict>
<key>com.apple.developer.associated-domains</key>
<string>*</string>
<key>com.apple.application-identifier</key>
<string>V9WTTPBFK9.com.meta.fido2macos.localDevelopment</string>
<key>keychain-access-groups</key>
<array>
<string>V9WTTPBFK9.*</string>
</array>
<key>com.apple.developer.team-identifier</key>
<string>V9WTTPBFK9</string>
</dict>
Codesign output for the built artifact:
$ codesign -d --entitlements - --xml /Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app | xmllint --xpath "/plist/dict" -
Executable=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2
<dict><key>com.apple.application-identifier</key><string>V9WTTPBFK9.com.meta.fido2macos.localDevelopment</string><key>com.apple.developer.associated-domains</key><array><string>webcredentials:internalfb.com</string><string>webcredentials:www.internalfb.com</string></array><key>com.apple.developer.team-identifier</key><string>V9WTTPBFK9</string></dict>
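An added diagnostic for the "not associated with domain" failure, written for this thread and not code from the poster or from Apple: it takes the application identifier from the codesign output and the webcredentials entries from the entitlement, parses apple-app-site-association (AASA) documents for each host, and reports per host whether the identifier is listed. The AASA contents below are constructed samples (they are not what internalfb.com actually serves), and the matcher assumes an exact, case-sensitive match of the full TEAMID.bundleid string, which is a simplification of Apple's matching rules.

```python
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample AASA documents keyed by host. They reuse the identifiers
# quoted in the thread but the contents are made up to illustrate an
# exact-match mismatch (a missing ".localDevelopment" suffix on one host).
SAMPLE_AASA_BY_HOST: Dict[str, str] = {
    "internalfb.com": json.dumps({
        "webcredentials": {"apps": ["V9WTTPBFK9.com.meta.fido2macos"]},
    }),
    "www.internalfb.com": json.dumps({
        "webcredentials": {"apps": [
            "V9WTTPBFK9.com.meta.fido2macos",
            "V9WTTPBFK9.com.meta.fido2macos.localDevelopment",
        ]},
    }),
}


def parse_associated_domain(entry: str) -> Tuple[str, str, Optional[str]]:
    """Split an associated-domains entry such as
    'webcredentials:example.com?mode=developer' into (service, host, mode).
    mode is None when the entry carries no query string."""
    service, _, rest = entry.partition(":")
    if not service or not rest:
        raise ValueError(f"malformed associated-domains entry: {entry!r}")
    host, _, query = rest.partition("?")
    mode = None
    if query:
        key, _, value = query.partition("=")
        if key != "mode" or not value:
            raise ValueError(f"unexpected query in entry: {entry!r}")
        mode = value
    return service, host.lower(), mode


def webcredentials_apps(aasa_text: str) -> List[str]:
    """Return the 'TEAMID.bundleid' strings authorised for webcredentials in an
    AASA document, or [] when the section is absent. Rejects malformed input."""
    try:
        doc = json.loads(aasa_text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"AASA is not valid JSON: {exc}") from exc
    apps = doc.get("webcredentials", {}).get("apps", [])
    if not isinstance(apps, list) or not all(isinstance(a, str) for a in apps):
        raise ValueError("webcredentials.apps must be a list of strings")
    return apps


def check_association(app_identifier: str, entitlement_entries: List[str],
                      aasa_by_host: Dict[str, str]) -> Dict[str, dict]:
    """For every webcredentials entry in the entitlement, report whether
    app_identifier appears in that host's AASA. Near misses (same team and
    bundle prefix, different suffix) are listed to explain a mismatch."""
    report: Dict[str, dict] = {}
    for entry in entitlement_entries:
        service, host, _mode = parse_associated_domain(entry)
        if service != "webcredentials":
            continue  # applinks / activitycontinuation entries are irrelevant here
        text = aasa_by_host.get(host)
        if text is None:
            report[host] = {"status": "missing", "near_misses": []}
            continue
        apps = webcredentials_apps(text)
        if app_identifier in apps:
            report[host] = {"status": "associated", "near_misses": []}
            continue
        near = [a for a in apps
                if app_identifier.startswith(a + ".") or a.startswith(app_identifier + ".")]
        report[host] = {"status": "not associated", "near_misses": near}
    return report


if __name__ == "__main__":
    # Values taken from the codesign output quoted in the thread.
    app_id = "V9WTTPBFK9.com.meta.fido2macos.localDevelopment"
    entries = ["webcredentials:internalfb.com", "webcredentials:www.internalfb.com"]
    for host, result in check_association(app_id, entries, SAMPLE_AASA_BY_HOST).items():
        print(f"{host}: {result['status']}"
              + (f" (near misses: {result['near_misses']})" if result["near_misses"] else ""))
```

Run against a real deployment by replacing the sample dictionary with the text fetched from https://HOST/.well-known/apple-app-site-association for each host in the entitlement; every host listed (here both internalfb.com and www.internalfb.com) must serve its own file, and the identifier must match the full string from codesign, suffix included. Apple's documentation describes ?mode=developer as making the device fetch the file directly from the domain instead of through Apple's CDN, which avoids waiting for a cached copy while iterating.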