Help with Passkey Registration & Authentication on iOS 17 (Credential Provider + Error Code 1004)

I’m implementing passkey registration and authentication in an iOS 17 app with a credential provider extension, but I’m running into an issue.

Setup:

  • I have a credential provider target configured.
  • The app correctly shows the pop-up to register the passkey with my app.
  • My Info.plist is set up properly.

Issue: When the following function is triggered:

```swift
override func prepareInterface(forPasskeyRegistration registrationRequest: ASCredentialRequest) {
    // ... code to generate registrationRequest ...
    // Hand the request to an authorization controller and let the delegate
    // (self) receive the result.
    let controller = ASAuthorizationController(authorizationRequests: [registrationRequest])
    controller.delegate = self
    controller.presentationContextProvider = self
    controller.performRequests()
}
```

I get the following error: Domain=com.apple.AuthenticationServices.AuthorizationError Code=1004

I do not own the relying party domain (e.g., https://webauthn.io), so I cannot configure an apple-app-site-association file on the website.

Question:

How can I register and authenticate passkeys on any site that allows passkeys (such as webauthn.io) when I don’t control the webpage? Are there any workarounds or best practices for handling this in iOS 17?

Any insights would be greatly appreciated!

By my understanding, you have three options: talk to the webauthn.io administrator, use a commercial service, or create your own Relying Party Server.

webauthn.io route. You are effectively asking that the site admin permit a strange and untrusted application to write content into their database. I would be very hesitant to do so if asked.

Commercial service. There are a number that seem to exist such as Stytch. When I looked several months back, the pricing was prohibitive for small projects but Stytch appears to have a free, low volume option.

Create your own. There are a number of libraries available. If you do server-side Swift, there are two projects on GitHub that might help: swift-webauthn and webauthn-swift. The first is from the Vapor guys.

For our own efforts (and perhaps because the team embraces pain), we ended up writing a Relying Party Server from scratch using grpc-swift to communicate between the Apple clients and server. This is not a good general solution as it doesn't allow web clients. While it has worked great for us, I will advise against this route given the complexity of the Webauthn specification.

I'm facing the same problem as OP.

We are creating a Digital Wallet app to allow people to manage their own credentials, including passkeys. We've completed our Android work and I'm now porting it to iOS.

When using webauthn.io or webauthn.me with our iOS app, I get the same error:

The request is not allowed by the user agent or the platform in the current context, possibly because the user denied permission.

on Firefox and Safari, and the following on Chrome:

The operation either timed out or was not allowed. See: https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client.

This is after I scan the QR code with my iPhone camera app, press the "Save a passkey" button that pops up and then press "Continue" on the "Create a passkey? A passkey for ... will be saved and available on devices where [insert app] is installed".

We don't seem to have this error on Android, at all. On Android, it is possible to use our app, or any other passkey/password manager, to register on the example webauthn page.

@JerryCarter I think you've misunderstood what OP is doing. They are not trying to use webauthn.io as a form of 3rd-party authentication for their own website. Rather, we are using it as a way to test how our password-manager-type app is able to do the FIDO2/WebAuthn Register and Authenticate flow on a 3rd-party website, as a stand-in for other services, like GitHub, Twitter, etc., that also accept passkeys.

I've been going through the Apple documentation and, unless I'm wrong (which I hope I am), the only way to make this work is to either 1) make use of iCloud Keychain to manage our passkeys, or 2) only make this work on websites that are our associated domain (with the website in turn adding our app's bundle ID under /.well-known/, e.g. https://webauthn.io/.well-known/apple-app-site-association).

I decided to double check and see if Bitwarden, my password manager, works on webauthn.io. It didn't, and it makes sense given that this is the associated app under the aforementioned endpoint:

{"webcredentials": {"apps": ["FNN8Z5JMFP.com.duosecurity.mattmil3.WebAuthn-In-Thick-Client"]}}

Meanwhile, if I open up webauthn.io in my computer browser or in my Android (firefox browser), I am able to save a passkey in Bitwarden.

This seems to me that Apple is still trying to cripple 3rd party password managers, forcing them to rely on iCloud or to only work on a narrow set of websites.

Or am I missing something?

Yes, @HMD2V is right — I'm trying to register a passkey as a third-party password manager app. I’ve seen other apps successfully register passkeys on websites like https://webauthn.io, but despite trying multiple approaches, I haven’t been able to get it working, and I couldn’t find any documentation pointing me in the right direction.

Just to add more detail: I’ve correctly configured Info.plist to show the "Create a passkey" popup. When I tap Continue on the popup, it triggers:

```swift
override func prepareInterface(forPasskeyRegistration registrationRequest: ASCredentialRequest)
```

There, I create an instance of ASPasskeyRegistrationCredential and call completeRegistrationRequest. However, the website then returns this error:

The request is not allowed by the user agent or the platform in the current context, possibly because the user denied permission.

I'd really appreciate any help or guidance on how to get this working.

Good news - I figured out an issue with Bitwarden; it now works.

The question is still how the Bitwarden iOS app - a password manager ostensibly managing its own cryptographic material - is able to register a passkey on webauthn.io when they're not claiming each other?

https://github.com/bitwarden/ios/blob/d1053a7218bbab5a63511ba6ec62bc85361622cd/Bitwarden/Application/Support/Bitwarden.entitlements

https://github.com/bitwarden/ios/blob/d1053a7218bbab5a63511ba6ec62bc85361622cd/BitwardenAutoFillExtension/Application/Support/BitwardenAutoFill.entitlements

https://webauthn.io/.well-known/apple-app-site-association

Would love to be pointed to the right iOS documentation for this stuff.
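The mutual "claiming" discussed above (the app's associated-domains entitlement naming the relying party, and the relying party's apple-app-site-association listing the app's App ID) can be checked offline before filing a bug with either side. The following Python is an added example, not code from the thread, Apple or Bitwarden: it models only the associated-domains rule as the thread describes it, and the wallet App ID and entitlement values are constructed placeholders; the AASA document is the one quoted earlier in the thread.

```python
import json
import re

# App ID = 10-character Team ID, a dot, then the bundle identifier.
APP_ID_RE = re.compile(r"^[A-Z0-9]{10}\.[A-Za-z0-9.\-]+$")


def entitlement_domains(associated_domains: list[str]) -> set[str]:
    """Domains an app claims for passkeys via its
    com.apple.developer.associated-domains entitlement.
    Only 'webcredentials:' entries count; an 'applinks:' entry does not,
    and a trailing '?mode=developer' query (local testing) is ignored."""
    claimed = set()
    for entry in associated_domains:
        service, _, domain = entry.partition(":")
        if service.strip().lower() != "webcredentials":
            continue
        claimed.add(domain.split("?", 1)[0].strip().lower())
    return claimed


def aasa_app_ids(aasa_json: str) -> set[str]:
    """App IDs a relying party lists under webcredentials.apps in its
    apple-app-site-association document; malformed entries are dropped."""
    doc = json.loads(aasa_json)
    apps = doc.get("webcredentials", {}).get("apps", [])
    return {a for a in apps if isinstance(a, str) and APP_ID_RE.match(a)}


def is_associated(app_id: str, associated_domains: list[str],
                  rp_id: str, aasa_json: str) -> tuple[bool, str]:
    """Both sides must claim each other: the app's entitlement must name
    the relying party and the relying party's AASA must name the App ID."""
    if not APP_ID_RE.match(app_id):
        return False, f"malformed App ID {app_id!r}"
    rp = rp_id.strip().lower()
    if rp not in entitlement_domains(associated_domains):
        return False, f"app does not claim webcredentials:{rp}"
    if app_id not in aasa_app_ids(aasa_json):
        return False, f"{rp} AASA does not list {app_id}"
    return True, "associated"


# Constructed sample input: the webauthn.io AASA quoted in the thread plus a
# placeholder third-party provider App ID and entitlement (not real values).
WEBAUTHN_IO_AASA = ('{"webcredentials": {"apps": '
                    '["FNN8Z5JMFP.com.duosecurity.mattmil3.WebAuthn-In-Thick-Client"]}}')
WALLET_APP_ID = "ABCDE12345.com.example.wallet"
WALLET_ENTITLEMENT = ["webcredentials:webauthn.io?mode=developer", "applinks:example.com"]

if __name__ == "__main__":
    print(is_associated(WALLET_APP_ID, WALLET_ENTITLEMENT, "webauthn.io", WEBAUTHN_IO_AASA))
```

The first check fails on the AASA side, which is the situation the thread describes for a third-party provider on webauthn.io; whether Apple applies exactly this rule is what the thread is still trying to confirm.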
