# ory-network
t
Hello, I'm trying to bring together the documentation about Ory products, and [Apple documentation about passkeys](https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication/supporting_passkeys).
According to Apple doc, an iOS app can share passkeys with its matching website through its [associated domain](https://developer.apple.com/documentation/xcode/supporting-associated-domains). This feature requires a JSON file hosted at `https://<mydomain>/.well-known/apple-app-site-association`.
I could not find in the Ory documentation, or in the Ory console, how such a file should be created.
I'm somewhat struggling to find out where to start in order to enable passkeys on the app I'm working on, while profiting from Ory's cloud solution 😅
Could anyone hint me at some online resource I could feed from? Thanks in advance, and happy 2023 to all!
m
In general passkeys are just the same as WebAuthn, just a more marketable term. These are most of the docs we have for it: https://www.ory.sh/docs/kratos/mfa/webauthn-fido-yubikey https://www.ory.sh/docs/kratos/passwordless/passkeys I am not sure about the AASA file though and not that familiar with iOS. My guess would be you can just create it for the app yourself? I will see if I can find out more.
t
Thanks Vincent. Indeed this file, hosted online (not somewhere on a user device), establishes the "associated domain" for a native application on Apple platforms. It is not required for WebAuthn to work, you are correct. However, an "associated domain" is documented as required in Apple documentation https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication/supporting_passkeys:
> Important
> You must have an associated domain with the `webcredentials` service type when making a registration or assertion request; otherwise, the request returns an error. See Supporting associated domains for more information.
I understand that my previous message only says "I need this file because Apple says so", and I did not explain what goes wrong if this file is missing.
I'll gather more information and come back.
So. Apple documentation says that "assertion requests" fail without an associated domain (that requires this AASA file). What's an "assertion request"? In the WWDC video Meet passkeys, "assertion requests" are what makes it possible to sign in. It really looks like AASA files are necessary.
Now, if you know users of Ory Cloud solutions who successfully use passkeys on Apple platforms, then Apple doc must slightly be misleading. And indeed I'm wondering if AASA is only required for flows that use the "AutoFill" feature.
In Apple parlance, "Autofill" is what allows the OS to prefill sign-in forms with relevant data - username or password. In the case of passkeys, it is the selection of the relevant passkey.
The "associated domain" makes it possible to share URLs, passwords (and now, passkeys) between a website, and its associated native application.
For example, if you sign up on the web, you can reuse the same passkey on the native app. The OS is able to link the website and the native app thanks to the AASA file.
I'm not sure I need to bother you more about this until I figure out if I'm really blocked without this AASA file.
Yet maybe you can give a look at it - it's supposed to enhance the user experience in some scenarios, and users love great experience 🙂
Ha, I get it now 😅
The AASA file is hosted on mydomain.com, which is fully under our control. Ory services would be hosted on ory.mydomain.com, with the "Custom Domain Name" feature of Ory plans.
Sorry I took such a long time to figure this out. Thank you.
m
Hey Gwendal, just getting back to this. Yes that is how it would work 👍 Let me know how it goes. I would also be happy to amend the documentation a bit. Did you happen to find any helpful guides/tutorials for AASA in general?