Support for macOS/iOS platofrm

[korywka]

According to docs, apple gives next fields properties while registration: ASPublicKeyCredential + ASPasskeyRegistrationCredential

• credentialID
• rawClientDataJSON
• attestationObject

and not authenticatorData which is required while verifying at the server:

webauthn/src/server.ts

Line 39 in 9b3908a

const authenticator = parseAuthenticator(registrationJson.response.authenticatorData);

It looks like I’m currently forced to switch to another library, where server-side verification only requires these two values:

https://github.com/MasterKale/SimpleWebAuthn/blob/786d2d8cd4560c36b6361f818a8ddaa8f0301012/packages/server/src/types/index.ts#L157-L167

I think this is quite important, since the passkeys server can serve not just web clients. Please feel free to close this if it's beyond the scope of this package.

[dagnelies]

Thanks for bringing this up, I wasn't aware that Apple isn't providing authenticatorData. I'm kind of swamped with work right now but I'll definitely take a look at it

[dagnelies]

Old comment:

I'm kind of puzzled since https://developer.mozilla.org/en-US/docs/Web/API/AuthenticatorAttestationResponse/getAuthenticatorData

says Safari supports it since v16 in 2022 ...at least it's a relief that the browser version works

New Comment:

I noticed it's the Swift docs for native apps. Does it at least provide the public key? Because in really old web version, the public was encoded in a fairly complex way in the payload. Is response.publicKey and response.publicKeyAlgorithm available?

[korywka]

No access to these params. They should be extracted at server. I am trying the simple web auth lib and will let you know if it validates correctly. So we can copy the extraction part of attestationObject :)

[korywka]

Alternatively, the library can specify that it only supports browsers as clients and leave the current implementation unchanged. (I’m not sure what Android provides for passkeys.)

[dagnelies]

Well, this would require a dependency to a CBOR parsing library ....

No access to these params. They should be extracted at server. I am trying the simple web auth lib and will let you know if it validates correctly. So we can copy the extraction part of attestationObject :)

Well, this would require a dependency to a CBOR parsing library ....and I was quite happy to be dependency free until now. There was already this discussion somewhere here, where some password managers also had incomplete implementations of webauthn.

[dagnelies]

Alternatively, the library can specify that it only supports browsers as clients and leave the current implementation unchanged. (I’m not sure what Android provides for passkeys.)

Yeah, I'm kind of inclined to do that... it's called "Web Authentication" after all ;)

[korywka]

I believe 'Web' here refers to W3C and the client-server interaction model, not specifically to web browsers. But I completely understand your frustration with external dependencies 😂 that's exactly why I started the project with this library, until I ran into macOS 🥹

[dagnelies]

Note added to the README / Homepage at the end:

Note: apparently, native iOS / macOS clients written in Switft are not compatible with the server-side part of this library, as they do not provide the publicKey and publicKeyAlgorithm properties during registration in the first place. See #95.

[dagnelies]

I'm kind of disappointed though that apparently they are not even spec-compliant ...I don't really "get" the docs, but it would be nice if the getPublicKey and getPublicKeyAlgorithm were exposed somehow

[korywka]

Thanks. And I confirm that simple web auth package supports macos cause of cbor decoding.

[korywka]

Also I like more their way of handling public key as binary. It takes less memory storage space.

[dagnelies]

Also I like more their way of handling public key as binary. It takes less memory storage space.

What do you mean? All base64 strings are just encoded binary objects, they're kind of equivalent. Or do you mean you rather store the binary buffer in the database rather the base64 encoded string of it? ...it takes 4/3 space but it's handy for some databases not natively supporting "binaries" as native values.

[korywka]

As far as I know, it is 2/3 (not 3/4). Yep server side actions provide and accept binary. So the backend does not need to convert. It agree that it is very small change, like removing padding, but implements more default way, imho.

[dagnelies]

In base64 encoding, 3 bytes are encoded as 4 characters.