Post not yet marked as solved
On a iPhone, I have registered 2 different passkeys for 2 different users(Lets say user A and user B) for a domain example.com. Now at the time of authentication I am able to use Passkeys of user A to authenticate user B with authentication challenge fetched from server. This should not be allowed. As per documentation, I can see ASAuthorizationPlatformPublicKeyCredentialProvider.createCredentialAssertionRequest(challenge: challenge) only accepts challenge value and does not accept any user ID. How can I verify the user details/info while authenticating with Passkey.
Hello.
Does WKWebView on Mac support FIDO2(webauthn)?
We need to implement this in our app and ASWebAuthenticationSession API comes up in searches all the time as the only solution. Is this still the case?
From my experiments ASWebAuthenticationSession on Mac doesn't provide best user experience - too much fiddling and odd behavior for an end user.
F.e. user needs to click Open button from the browser window to pass token to the very same app which initiated the window and this is not very logical considering all the efforts to setup applink.
Would appreciate an advice.
Post not yet marked as solved
Whenever user try to login,
it automatically uses hidden email for some reason.
Therefore existing users from mobile app can't access web :(
Anyone having this issue? How do I solve this?
Post not yet marked as solved
I keep getting the following error when trying to run Passkey sign in on macOS.
Told not to present authorization sheet: Error
Domain=com.apple.AuthenticationServicesCore.AuthorizationError Code=1
"(null)"
The same piece of code is working as expected on iOS.
Some more info:
The association file and entitlements are correct and validated as everything is working on iOS.
The app is built on SwiftUI and use the same codebase for macOS and iOS
Validated that the presentation anchor is also correct on macOS because other SSO login works with the same presentation anchor.
Not sure where the problem is. Followed https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication/supporting_passkeys/ to get the integration.
We are working on implementing FIDO2 with passkeys and its works fine in the consumer with Apple ID. On the Enterprise level we can't able to make it because corp device don't have option to enable Apple ID and its disabled by MDM as per policy.
is there any alternate approach where corp device can use FIDO authentication without using Apple ID?
thanks
I'm implementing passkeys by following the example from the Food Truck sample project. I have nearly everything working, but there's one problem. I'm using the AuthorizationController environment value and passing that to my login and register functions, but when I call authorizationController.performAutoFillAssistedRequest, I don't see or know of any way to cancel it, so if the user tries to type in their username instead of use the autofill suggestion, the second (non-autofill) request throws the error, The operation couldn’t be completed. Request already in progress for specified application identifier. I know that ASAuthorizationController has a cancel() function, but is there any way to do this with AuthorizationController?
Post not yet marked as solved
Hi.
I'm trying to develop a passkey app connected with a Webauthn server.
There is a problem in the process of creating the Attestation Object.
Since I am assigned 8445 port, I need to upload the /.well-known/ directory to that port.
In the WebAuthn specification, the RPID should not include the port number.
(https://www.w3.org/TR/webauthn-2/#relying-party-identifier)
When initializing an ASAuthorizationPlatformPublicKeyCredentialProvider object, if I add the port number to RPID, the passkey UI will work and ASAuthorization object will be checked.
But, I don't get authentication from webauthn server because the Attestation Obj is generated with RPID which contains port.
Is there any way to specify the port number to check the "well-known" directory? Or is it only possible on port 443?
I checked the post, but there is no more feedback, so I'm asking a question.
(https://developer.apple.com/forums/thread/730028)
Post not yet marked as solved
What policy does apply to me as I have a working application that serves contents based on their chosen location or place which does not require any login but for some super users I will open webview where they can authenticate themself and view/change thee only do I still need to provide test credential and any policy that apply to me related to data and privacy as the content will be also shown via webview and my app only served to US region.
I'm trying to implement passkeys in my app. I successfully get to the dialog in iOS simulator to register with a Passkey and I can also read the result and see all the right things in credentialRegistration.rawClientDataJSON. The one thing that's not working is when decoding the rawAttestationObject (which should be CBOR as I understand), I find all data defined in the spec (aaguid, credentialIdLength, credentialId) except for the credentialPublicKey! The rawAttestationObject basically ends after the credentialId. I see this both when decoding the rawAttestationObject manually as well as when using WebAuthn libraries on the server, which will give me an "Unexpected end of CBOR data" error.
Any ideas why the rawAttestationObject does not contain the public key?
For reference, here is the initialization of the Passkey request:
let publicKeyCredentialProvider = ASAuthorizationPlatformPublicKeyCredentialProvider(relyingPartyIdentifier: options.domain)
let registrationRequest = publicKeyCredentialProvider.createCredentialRegistrationRequest(challenge: challenge, name: name, userID: userID)
let authController = ASAuthorizationController(authorizationRequests: [ registrationRequest ])
authController.performRequests()
And here is how I handle the result:
case let credentialRegistration as ASAuthorizationPlatformPublicKeyCredentialRegistration:
let rawAttestationObject = credentialRegistration.rawAttestationObject!.base64EncodedString()
let credentialID = credentialRegistration.credentialID.base64EncodedString()
let rawClientDataJSON = credentialRegistration.rawClientDataJSON.base64EncodedString()
let response: PasskeysResponse = [
"attestationObject": rawAttestationObject,
"credentialId": credentialID,
"clientDataJson": rawClientDataJSON,
]
Here is an example for a decoded attestation object:
{
"rpIdHash": "o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YViYmW4=",
"flags": {
"userPresent": false,
"userVerified": false,
"backupEligibility": true,
"backupState": true,
"attestedCredentialData": true,
"extensionData": false
},
"signCount": 425116148,
"aaguid": "20318e2d-77fa-f54d-bed7-ba15ccd3fade",
"credentialId": "1B1KJf6uYF0AAAAAAAAAAAAAAAAAAAAAAAAAAAAUQW65BAqkeKqu97vbc0Se5R1F3Y+lAQIDJiABIVggtdSX2ZAHsBxU4ja1xP6hCZGUXgUCb6Ipau3stU8rrz4iWCBwhOBWOgwT4yKRnU1hA11thC8+CvjmrCkfq//648cwHg==",
"credentialPublicKey": ""
}
As you can see, it looks all good except for the "credentialPublicKey": "" part.
Post not yet marked as solved
Hi Team,
Is it possible to access the user's birthday and gender when they login with Apple option?
I've checked Apple Authentication Services framework but found nothing about it. The only information we can access is user's name and email.
However, I received a review note saying that this information is already provided by the Apple Authentication Services framework.
Please kindly share the solution or tell me what should I do to resolve this issue.
Cheers,
Vanto
Post not yet marked as solved
When we call ASWebAuthenticationSession with preferEphemeral = false macOS generates this dialog with a meaningless "(null)". This looks very odd and scary for a normal person. Why it shows "null" and can we control this to make it meaningful at least?
Post not yet marked as solved
My App just uses Phone Number Authentication only . There is no Email/Password , Google , FaceBook, Apple or any other Social Authentication.
So i just wanted to ask that will my app be accepted by Appstore based on Appstore Guidelines as I am not using Apple Authentication & only using Phone Number Authentication.
Your help will mean a lot.
Post not yet marked as solved
Hello,
I used the new "Autofill Passkey" feature in my app, and all the registration steps were done well, Finally credential is registered in WebAuthn.
But the problem is that when I tap on the "GetAssertion" button, instead of showing my autofill extension UI, a QR code is displayed and the function "prepareInterfaceToProvideCredentialForRequest" is not called. what is the problem?
(The app is installed on the iPhone with iOS 17)
Post not yet marked as solved
Hi,
I have a problem with associated domains developing Passkeys app.
Adding alternate mode(developer mode) to Associated Domains Entitlement, it works fine.
But in non developer mode, CDN doesn't seem to read the AASA file.
AASA file's path is: https://(host).(rootdomain)/.well-known/apple-app-site-associtation
I checked the TLS certificate conditions and all conditions are met.
https://support.apple.com/en-us/HT213464
https://support.apple.com/en-us/HT210176
https://support.apple.com/en-us/102028
Is there another reason why it only works in developer mode?
Thanks for your reply.
I tried to use preferImmediatelyAvailableCredentials option in my sign in via Passkey process and expected to see this logic:
If passkey isn’t available (for some reason, for example, user deleted it) the sign up modal sheet appears. But instead of this I got ‘Choose how you’d like in sign in’ sheet. As I understand, preferImmediatelyAvailableCredentials should allow me to fallback to sign up and skip this step but it doesn’t.
My code is:
func signIn(credId: String) {
currentAuthController?.cancel()
let securityKeyProvider = ASAuthorizationSecurityKeyPublicKeyCredentialProvider(relyingPartyIdentifier: domain)
let publicKeyCredentialProvider = ASAuthorizationPlatformPublicKeyCredentialProvider(relyingPartyIdentifier: domain)
let assertionRequest = publicKeyCredentialProvider.createCredentialAssertionRequest(challenge: challengeData)
let securityKeyRequest = securityKeyProvider.createCredentialAssertionRequest(challenge: challengeData)
if let data = Data(base64urlEncoded: credId) {
let cred = ASAuthorizationPlatformPublicKeyCredentialDescriptor(credentialID: data)
assertionRequest.allowedCredentials = [cred]
}
let requests = [assertionRequest, securityKeyRequest]
let authController = ASAuthorizationController(authorizationRequests: requests)
authController.delegate = self
authController.presentationContextProvider = self
currentAuthController = authController
authController.performRequests(options: .preferImmediatelyAvailableCredentials)
}
Post not yet marked as solved
I just wrote code for our app to use ASWebAuthenticationSession for 3rd-party authentication (in particular, YUBIKEYS WOOHOO). Our app registers a URI scheme of x-com-kithrup for launch services events, so I used x-com-kithrup-yubi for ASWebAUthenticationSession.
Only, I didn't change the back end, so it still redirects to x-com-kithrup://success on a successful login. And... ASWebAuthenticationSession is still calling the handler when it gets a URL with the x-com-kithrup URI, instead of the x-com-kithrup-yubi URI scheme.
Post not yet marked as solved
Dear developers,
In case I want to start building healthcare marketplace app (pharmacies, medical equipments and labs) where every users can search for specific medicine, some Medical equipment and lab test can get a list of pharmacies, labs who provide those products/service. Having said that what could be the best sign in option for (pharmacists, labs, physicians, people/users) on phone number or E-mail or any sign in option that will fit who want to join healthcare app? I want your though guys here as I am trying to have a universal healthcare app that can connect all healthcare people/product/service with people.
Thanks in advance for any advice
Post not yet marked as solved
Hi all!
When building with macOS 14 SDK in macOS 14 RC, the Sign In With Apple button(SignInWithAppleButton) stretches its background to occupy the entire window content view. We expect it to be in the area with a red stroke(see the screenshot)
Here's the code:
struct ContentView: View {
var body: some View {
SignInWithAppleButton(.signIn, onRequest: { $0.requestedScopes = [.fullName, .email] }, onCompletion: { _ in })
.signInWithAppleButtonStyle(.black)
.border(Color.red, width: 3)
.padding(80)
}
}
And screenshot:
One important addition: the button works, and its hit area remains within that red rectangle.
Any help is highly appreciated.
Thank you!
Post not yet marked as solved
Everything was working well in the beta version of iOS 17 and the registration and login were done correctly. However, after installing the public(release) version of iOS 17, the functions "completeRegistrationRequest" and "completeAssertionRequest" do not work properly and their completion result is false. and I faced the "Operation failed" error in the "webauthn" website. What's wrong?
Hi, so I'm trying to use security key authentication using physical keys via the native APIs documented on Apple's developer website but am running into errors I don't understand. The application runs on MacOS.
The application is signed with an entitlement that contains the associated domain like so:
<key>com.apple.developer.associated-domains</key>
<array>
<string>webcredentials:example.com?mode=developer</string>
</array>
I have tried with and without ?mode=developer.
Here is the error I get:
{"error":"The operation couldn’t be completed. The calling process does not have an application identifier. Make sure it is properly configured."}
My application identifier is also configured in the .entitlements file.
Here is a rough overview of what I'm trying to do (basically, the auth server I'm contacting provides a challenge, and I want to create an assertion and send it back for verification). Trying to replicate the example from the official docs.
let options = try! JSONDecoder().decode(Request.self, from: options.data(using: .utf8)!).publicKey
let securityKeyProvider = ASAuthorizationSecurityKeyPublicKeyCredentialProvider(relyingPartyIdentifier: options.rpId)
let securityKeyRequest = securityKeyProvider.createCredentialAssertionRequest(challenge: options.challenge.decodeBase64Url()!)
let platformProvider = ASAuthorizationPlatformPublicKeyCredentialProvider(relyingPartyIdentifier: options.rpId)
let platformKeyRequest = platformProvider.createCredentialAssertionRequest(challenge: options.challenge.decodeBase64Url()!)
securityKeyRequest.userVerificationPreference = ASAuthorizationPublicKeyCredentialUserVerificationPreference(rawValue: options.userVerification ?? "preferred")
securityKeyRequest.allowedCredentials = []
for credential in (options.allowCredentials ?? []) {
let id = credential.id.decodeBase64Url()!
let transports = ASAuthorizationSecurityKeyPublicKeyCredentialDescriptor.Transport.allSupported
let descriptor = ASAuthorizationSecurityKeyPublicKeyCredentialDescriptor(credentialID: id, transports: transports)
securityKeyRequest.allowedCredentials.append(descriptor)
}
securityKeyRequest.allowedCredentials = []
let authController = ASAuthorizationController(authorizationRequests: [platformKeyRequest, securityKeyRequest])
return run(authController: authController)
Happy to provide more context if necessary. Thanks in advance!
