My team is currently working on implementing passkeys and wanted to better understand the various errors that can be thrown both when creating and logging in with a passkey. To my understanding, after invoking the passkey request via the authorization controller, if an error occurs, the authorizationController(controller:didCompleteWithError:)
delegate method will be called. The error will be a ASAuthorizationError
, and there are a few codes listed here. The docs are a bit vague about when each of these errors can occur and what the difference is between them, so I am posting this in the hopes of gaining more clarity. The errors for which we'd like some clarification are:
failed
- This is pretty generic, how might this code be different than the other failure reasons, and what could cause it to be thrown either for creation or for authorization?
invalidResponse
- Does this mean that the system received an invalid response from the Relying Party?
notHandled
- What might cause the authorization request not to be handled?
notInteractive
- What does it mean for the authorization request to not be interactive? Does this mean that none of the specified
credentialIDs
are available?
- What does it mean for the authorization request to not be interactive? Does this mean that none of the specified
Finally, is it possible for both creation and authorization to throw all of these errors, or are there some that are exclusive?
Any help would be appreciated, thank you.
For passkey requests, canceled
, failed
, and the new matchedExcludedCredential
are the only errors you should ever see. The other error codes are specific to other types of requests.
The failed
error generally means some part of the request was invalid, such as invalid parameters being passed or an issue with Associated Domains. The error message should have a more descriptive reason.
The new matchedExcludedCredential
only applies if you're explicitly setting excludedCredentials
during a registration request.
The first two can both come from either creation or sign in, and matchedExcludedCredential
is specific to registration.