I have been looking through the example Passkey code in the Shiny app. I found the part about how it performs passkey auto-fill confusing.
Specifically, I'm confused about the code in the file Shared/AccountManager.swift, method beginAutoFillAssistedPasskeySignIn.
func beginAutoFillAssistedPasskeySignIn(anchor: ASPresentationAnchor) {
    self.authenticationAnchor = anchor
    let publicKeyCredentialProvider = ASAuthorizationPlatformPublicKeyCredentialProvider(relyingPartyIdentifier: domain)

    // Fetch the challenge from the server. The challenge needs to be unique for each request.
    let challenge = Data()
    let assertionRequest = publicKeyCredentialProvider.createCredentialAssertionRequest(challenge: challenge)

    // AutoFill-assisted requests only support ASAuthorizationPlatformPublicKeyCredentialAssertionRequest.
    let authController = ASAuthorizationController(authorizationRequests: [ assertionRequest ] )
    authController.delegate = self
    authController.presentationContextProvider = self
    authController.performAutoFillAssistedRequests()
}
Based on my understanding and what the WWDC session shows: performAutoFillAssistedRequests
should happen as soon as the screen presents, which is even before the user types in anything.
My question is: if the user hasn't typed in their username/email, how do I communicate with my server to get a challenge? My server requires a username (email) to return a challenge.
A possible answer I've been thinking about is: the server's authentication initial endpoint should NOT require a username/email because a challenge is naive and it's not user specified.
But I can't find the above info in any specifications. The best I could find was:
The script asks the client for an Authentication Assertion, providing as much information as possible to narrow the choice of acceptable credentials for the user. This can be obtained from the data that was stored locally after registration, or by other means such as prompting the user for a username.
Source: https://www.w3.org/TR/webauthn-2/#sctn-sample-authentication
The wording "as much information as possible" from above implies that when the app requests a challenge, it's possible that it doesn't provide a username.
Please let me know if the answer above is correct. If not, please help answer the question. I really appreciate any help anyone can provide.
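As an added illustration of the server side of the flow the question describes (this is example code written for this page, not the Shiny sample or any Apple API): a challenge endpoint that needs no username, because the challenge only has to be unpredictable, short-lived and single-use, and the user is resolved afterwards from the credential ID the authenticator returns. The in-memory stores, the sample credential entry and the origin value are constructed assumptions.

```python
import base64
import json
import secrets
import time
from typing import Optional

# Constructed in-memory stand-ins for a real relying party's storage (assumption).
CHALLENGE_TTL_SECONDS = 120
_pending_challenges: dict = {}  # challenge (base64url) -> expiry timestamp
# credential id -> user record, filled in at registration time; one constructed entry.
_credentials_by_id: dict = {
    "Y3JlZC1pZC0x": {"user": "alice@example.com", "sign_count": 5},
}


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def issue_challenge(now: Optional[float] = None) -> str:
    """Username-less challenge endpoint: no user lookup is needed up front."""
    now = time.time() if now is None else now
    challenge = b64url(secrets.token_bytes(32))  # 256 bits of fresh randomness
    _pending_challenges[challenge] = now + CHALLENGE_TTL_SECONDS
    return challenge


def consume_challenge(challenge: str, now: Optional[float] = None) -> bool:
    """Single use: the entry is removed whether or not it is still valid."""
    now = time.time() if now is None else now
    expiry = _pending_challenges.pop(challenge, None)
    return expiry is not None and now <= expiry


def resolve_assertion(credential_id: str, client_data_json: bytes,
                      expected_origin: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username the assertion belongs to, or None if the
    type/origin/challenge checks fail. Verifying the authenticator signature
    over authenticatorData || SHA-256(clientDataJSON) with the stored public
    key must still follow; it is outside this example."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return None
    if client_data.get("type") != "webauthn.get":
        return None
    if client_data.get("origin") != expected_origin:
        return None
    if not consume_challenge(client_data.get("challenge", ""), now):
        return None
    record = _credentials_by_id.get(credential_id)
    return None if record is None else record["user"]
```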