How to get challenge without username for `performAutoFillAssistedRequests`?

I have been looking through the example Passkey code in the Shiny app. I found it confusing at the part about how it performs passkey auto-fill.

Specifically, I'm confused about the code in the file Shared/AccountManager.swift, method beginAutoFillAssistedPasskeySignIn.

    func beginAutoFillAssistedPasskeySignIn(anchor: ASPresentationAnchor) {
        self.authenticationAnchor = anchor

        // `domain` is the relying-party identifier (a property of the enclosing class).
        let publicKeyCredentialProvider = ASAuthorizationPlatformPublicKeyCredentialProvider(relyingPartyIdentifier: domain)

        // Fetch the challenge from the server. The challenge needs to be unique for each request.
        // (The sample leaves an empty Data() here as a placeholder; a real app substitutes the bytes its server returned.)
        let challenge = Data()
        let assertionRequest = publicKeyCredentialProvider.createCredentialAssertionRequest(challenge: challenge)

        // AutoFill-assisted requests only support ASAuthorizationPlatformPublicKeyCredentialAssertionRequest.
        let authController = ASAuthorizationController(authorizationRequests: [ assertionRequest ] )
        authController.delegate = self
        authController.presentationContextProvider = self
        authController.performAutoFillAssistedRequests()
    }

Based on my understanding and what the WWDC session shows: performAutoFillAssistedRequests should happen as soon as the screen presents, which is even before the user types in anything.

My question is: if the user hasn't typed in their username/email, how do I communicate with my server to get a challenge? My server requires a username (email) to return a challenge.

A possible answer I've been thinking about is: the server's authentication initial endpoint should NOT require a username/email because a challenge is naive and it's not user specified.

But I can't find the above info in any specifications. The best I could find was:

The script asks the client for an Authentication Assertion, providing as much information as possible to narrow the choice of acceptable credentials for the user. This can be obtained from the data that was stored locally after registration, or by other means such as prompting the user for a username.

Source: https://www.w3.org/TR/webauthn-2/#sctn-sample-authentication

The wording "as much information as possible" from above implies that when the app requests a challenge, it's possible that it doesn't provide a username.

Please let me know if the answer above is correct. If not, please help answer the question. I really appreciate any help anyone can provide.

Accepted Reply

Thanks for calling this out! That example was written before passkey AutoFill was introduced, and even before resident keys were commonplace. It does not apply to passkeys and should be updated. Your server should support producing a challenge without a username.

  • Thanks for the response! Great WWDC session BTW, I've watched it a couple of times already.

    I did some research on "Resident Keys" or "Client-side discoverable Credential". My understanding is that Apple's Passkeys are all "Resident Keys", meaning that Apple's Passkeys can be used to do username-less login/AutoFill. So the sample code actually makes sense now.

    (1/2)

  • If my understanding above is correct, what did you mean by saying:

    "It does not apply to passkeys and should be updated".

    What does not apply to passkeys? How should the sample code be updated (pseudocode or a brief explanation would be enough)?

    Thanks again!

    (2/2)

  • Glad to hear it! Yes, passkeys in general (even on other platforms) are exclusively resident keys. By "it" I was referring to the advice to require a username first. Passkeys (and all resident keys) are strongly encouraged to be used in username-less flows in most cases, as that generally provides the best user experience.
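The server-side flow the accepted reply recommends, as an added example that is not part of the Apple sample or of this thread: a "begin" endpoint that hands out a challenge without knowing who is signing in, and a "finish" endpoint that identifies the user from the credential id and userHandle the authenticator returns (which is what makes a discoverable credential / resident key usable for AutoFill), then checks challenge, origin, rpIdHash, user-presence, counter and signature. Assumptions: the relying-party id example.com, the origin https://example.com, the credential ids and user ids are all constructed; the P-256 arithmetic is written inline only so the block runs with the standard library (a real server uses a vetted crypto library); the signature travels as an (r, s) tuple rather than the DER encoding WebAuthn actually uses; and `simulate_authenticator` stands in for the platform authenticator so the exchange can be run end to end offline.

```python
"""Relying-party side of a username-less (discoverable-credential) passkey sign-in. Added example."""
import base64, hashlib, json, os, secrets, time
from dataclasses import dataclass

# Minimal P-256 group arithmetic so the block runs with only the standard library.
_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
_N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
_G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
      0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def _add(p, q):
    if p is None: return q
    if q is None: return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % _P == 0: return None  # point at infinity
    if p == q: lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, _P)
    else:      lam = (y2 - y1) * pow(x2 - x1, -1, _P)
    x3 = (lam * lam - x1 - x2) % _P
    return (x3, (lam * (x1 - x3) - y1) % _P)

def _mul(k, p):  # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = _add(r, p)
        p, k = _add(p, p), k >> 1
    return r

def keypair():
    priv = secrets.randbelow(_N - 1) + 1
    return priv, _mul(priv, _G)

def ecdsa_sign(priv, digest):  # used only by the simulated authenticator below
    z, k = int.from_bytes(digest, "big"), secrets.randbelow(_N - 1) + 1
    r = _mul(k, _G)[0] % _N
    return (r, pow(k, -1, _N) * (z + r * priv) % _N)

def ecdsa_verify(pub, digest, sig):
    r, s = sig
    if not (0 < r < _N and 0 < s < _N): return False
    z, w = int.from_bytes(digest, "big"), pow(s, -1, _N)
    pt = _add(_mul(z * w % _N, _G), _mul(r * w % _N, pub))
    return pt is not None and pt[0] % _N == r

RP_ID, ORIGIN, CHALLENGE_TTL = "example.com", "https://example.com", 120  # constructed values

def b64url(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def unb64url(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

@dataclass
class Credential:
    user_id: bytes      # the user.id handed to the authenticator at registration
    public_key: tuple   # P-256 point (x, y)
    sign_count: int = 0

class RelyingParty:
    def __init__(self):
        self.credentials = {}   # credentialId -> Credential
        self.challenges = {}    # outstanding challenge -> expiry (epoch seconds)

    def register(self, cred_id, user_id, pub):
        self.credentials[cred_id] = Credential(user_id, pub)

    def begin_assertion(self, now=None):
        """'Begin' endpoint. No username: the challenge is a random, short-lived, single-use nonce."""
        challenge = os.urandom(32)
        self.challenges[challenge] = (now or time.time()) + CHALLENGE_TTL
        return {"challenge": b64url(challenge), "rpId": RP_ID}

    def finish_assertion(self, resp, now=None):
        """'Finish' endpoint. The user comes from the credential the authenticator chose."""
        now = now or time.time()
        cred = self.credentials.get(unb64url(resp["id"]))
        if cred is None: raise ValueError("unknown credential")
        if unb64url(resp["userHandle"]) != cred.user_id: raise ValueError("userHandle mismatch")
        cdj = unb64url(resp["clientDataJSON"])
        cd = json.loads(cdj)
        expiry = self.challenges.pop(unb64url(cd["challenge"]), None)  # consume: single use
        if expiry is None or expiry < now: raise ValueError("unknown or expired challenge")
        if cd.get("type") != "webauthn.get" or cd.get("origin") != ORIGIN: raise ValueError("bad clientData")
        auth = unb64url(resp["authenticatorData"])
        if auth[:32] != hashlib.sha256(RP_ID.encode()).digest(): raise ValueError("rpIdHash mismatch")
        if not auth[32] & 0x01: raise ValueError("user-present flag not set")
        count = int.from_bytes(auth[33:37], "big")
        if count and count <= cred.sign_count: raise ValueError("signature counter did not increase")
        digest = hashlib.sha256(auth + hashlib.sha256(cdj).digest()).digest()
        if not ecdsa_verify(cred.public_key, digest, resp["signature"]): raise ValueError("bad signature")
        cred.sign_count = count
        return cred.user_id

def simulate_authenticator(priv, cred_id, user_id, options, sign_count=1):
    """Stand-in for the platform authenticator; builds the response the client posts back."""
    cdj = json.dumps({"type": "webauthn.get", "challenge": options["challenge"], "origin": ORIGIN}).encode()
    auth = hashlib.sha256(options["rpId"].encode()).digest() + b"\x05" + sign_count.to_bytes(4, "big")
    sig = ecdsa_sign(priv, hashlib.sha256(auth + hashlib.sha256(cdj).digest()).digest())
    return {"id": b64url(cred_id), "userHandle": b64url(user_id), "clientDataJSON": b64url(cdj),
            "authenticatorData": b64url(auth), "signature": sig}
```

The part that answers the question is `begin_assertion`: it takes no username because the challenge is not a per-user value, only a nonce the server must later recognise. What ties the response to a person is the credential record looked up in `finish_assertion`, keyed by the credential id and cross-checked against the userHandle (the `user.id` given at registration), which is exactly the information a resident key carries and a non-resident key does not. Consuming the challenge on first use and expiring it after `CHALLENGE_TTL` is what stops a captured response from being replayed against the open endpoint.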
