Web Credentials aren't being recognized even though the AASA file is configured correctly

We have an App that displays a WKWebView. The page being loaded in the WebView loads a snippet with a button that, when clicked, initiates the WebAuthN flow. The App throws the following:

[WebAuthn] Request cancelled after error: The operation couldn’t be completed. Application with identifier 123ABCDEF4.com.exmaple.app.staging is not associated with domain example.co.za.

In the above quote, 123ABCDEF4 would represent the TeamID, com.exmaple.app.staging is the bundle identifier and example.co.za is the main/root domain while the WKWebView actually loads a URL at staging.example.co.za.

In Xcode, the App's Associated Domains contains the following:

webcredentials:staging.example.co.za

The AASA file hosted at https://staging.example.co.za/.well-known/apple-app-site-association returns the following

{
    "applinks": {
        "details": [
            {
                "appIDs": [
                    "123ABCDEF4.com.example.app",
                    "123ABCDEF4.com.example.app.staging"
                ],
                "paths": [
                    "*"
                ]
            }
        ]
    },
    "webcredentials": {
        "apps": [
            "123ABCDEF4.com.example.app",
            "123ABCDEF4.com.example.app.staging"
        ]
    },
    "appclips": {
        "apps": []
    }
}

May you kindly advise what we may be doing wrong? The message being thrown refers to the fact that the Staging app is not associated with the root/main domain. If it's any consolation, we've updated both example.co.za and staging.example.co.za to return the exact same AASA file, where they both register both Prod & Staging AppIds.

Replies

I've found that restricting the webcredentials's apps to one App solves the issue, but this is not ideal for when we'd like to support more Apps and their associated environments. If "apps" supports only one item, then perhaps it shouldn't be an array?

So to ensure that Prod Environment works, this is the content served at https://example.co.za/.well-known/apple-app-site-association

{
    "applinks": {
        "details": []
    },
    "webcredentials": {
        "apps": [
            "123ABCDEF4.com.example.app"
        ]
    },
    "appclips": {
        "apps": []
    }
}

To ensure that the Staging/Test environment works, this is the content served at https://staging.example.co.za/.well-known/apple-app-site-association

{
    "applinks": {
        "details": []
    },
    "webcredentials": {
        "apps": [
            "123ABCDEF4.com.example.app.staging"
        ]
    },
    "appclips": {
        "apps": []
    }
}

In the case of Prod, we need to ensure that WebAuthN is initiated with example.co.za (and webcredentials in Xcode matches that)

In the case of Staging/Test, we need to ensure that WebAuthN is initiated with staging.example.co.za (and webcredentials in Xcode matches that)

The apps array does support multiple apps, so that shouldn't be an issue. If you made this change to your association file recently, it's possible you're hitting a stale cache. By default, the association file is served through an Apple CDN. If you enable Associated Domains Developer Mode, then your device will reach out directly to your server instead of going through Apple's CDN. There are more details in this session video.
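The checks discussed in this thread can be scripted. The following is an added example, not code from any poster or from Apple: it models the association as three conditions (the app's entitlement names the domain used as the WebAuthn RP ID, the origin's AASA lists the app under webcredentials, and the CDN copy agrees unless developer mode is on). The function names, finding labels and sample documents are assumptions constructed for illustration, and the model is a simplification of what the OS actually does.

```python
import json

def webcredentials_apps(aasa_text):
    """App IDs listed under webcredentials.apps in an AASA document."""
    return set(json.loads(aasa_text).get("webcredentials", {}).get("apps", []))

def find_entitlement(entitlements, domain):
    """Return (present, developer_mode) for a webcredentials entry naming `domain`."""
    for entry in entitlements:
        service, _, rest = entry.partition(":")
        host, _, query = rest.partition("?")
        if service == "webcredentials" and host.lower() == domain.lower():
            return True, query == "mode=developer"
    return False, False

def diagnose(app_id, rp_id, entitlements, origin_aasa, cdn_aasa):
    """List reasons (hypothetical labels) why app_id may not be associated with rp_id."""
    findings = []
    present, dev_mode = find_entitlement(entitlements, rp_id)
    if not present:
        # The case in the question: entitlement lists the subdomain, RP ID is the root.
        findings.append("entitlement-missing-rp-domain")
    in_origin = app_id in webcredentials_apps(origin_aasa)
    if not in_origin:
        findings.append("origin-aasa-missing-app")
    # With ?mode=developer the device fetches from the origin, so the CDN copy is skipped.
    if not dev_mode and app_id not in webcredentials_apps(cdn_aasa):
        findings.append("cdn-copy-stale" if in_origin else "cdn-copy-missing-app")
    return findings

# Constructed sample documents using the thread's placeholder identifiers.
PROD = "123ABCDEF4.com.example.app"
STAGING = "123ABCDEF4.com.example.app.staging"
BOTH = json.dumps({"webcredentials": {"apps": [PROD, STAGING]}})
PROD_ONLY = json.dumps({"webcredentials": {"apps": [PROD]}})

if __name__ == "__main__":
    ent = ["webcredentials:staging.example.co.za"]
    # RP ID is the root domain, entitlement only names the staging subdomain.
    print(diagnose(STAGING, "example.co.za", ent, BOTH, BOTH))
    # Origin was updated to list both apps, CDN still serves the older file.
    print(diagnose(STAGING, "staging.example.co.za", ent, BOTH, PROD_ONLY))
    # Same stale CDN copy, but developer mode bypasses it.
    dev = ["webcredentials:staging.example.co.za?mode=developer"]
    print(diagnose(STAGING, "staging.example.co.za", dev, BOTH, PROD_ONLY))
```

To use it on real data, pass the body served at the domain's /.well-known/apple-app-site-association as origin_aasa and the body Apple's CDN returns for the same domain (https://app-site-association.cdn-apple.com/a/v1/ followed by the domain) as cdn_aasa.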