An implementation of Apple Passkeys with IBM Security Verify as the relying party FIDO service
passkey_app
An implementation of Apple Passkeys with IBM Security Verify as the relying party FIDO service.
Prerequisites
The rplying party in this sample app is IBM Security Verify (ISV). Create a free trial tenant here: https://www.ibm.com/account/reg/us-en/signup?formid=urx-30041. You’ll need to have an IBMid but this can be done at the same time.
This link explains setting up your tenant: https://docs.verify.ibm.com/verify/docs/signing-up-for-a-free-trial
Configure FIDO2
- From the tenant admin portal, click (to expand) Authentication
- Click FIDO2 settings
- Click Relying Parties + to open the modal form
- Enter a Display name for the configuration
- Enter the Relying party identifier, for example
mytenant.verify.ibm.com
- In Allowed origins, enter the URL of your tenant. For example
https://mytenant.verify.ibm.com
, then click Add - Click Save to close the dialog
Create an identity application
The next steps allow your users to authenticate to ISV. In the passkey_app, resource owner password credential (ROPC) i.e username and password is configured.
- From the tenant admin portal, click (to expand) Applications
- Click Applications
- Click Add application to open the modal form
- Click Custom Application
- Click Add application button
- Complete the form as required, entering a Company name
- Click Sign-on tab
- Select Open ID Connect 1.0 as the Sign-on method
- Enter the application URL, this can be your tenant URL. For example
https://mytenant.verify.ibm.com
- Select Resource owner password credentials (ROPC) as the Grant type
- Click Save to add the new application.
- Once saved, click All users are entitled to this application
- Click on the Sign-on tab, and copy the Client ID. You’ll need this in the passkey_app.
Getting your user ID
- From the tenant admin portal, click (to expand) Directory
- Click Users & Groups
- Hover over the user from the list of users, click the user details card icon
- Copy the value of User ID. You’ll need this in the passkey_app.
Getting started
-
Open Terminal and clone the repository and open the project file in Xcode.
git clone git@github.com:craigaps/passkey_app.git xed .
-
In the project Signing & Capabilities, update the following settings to suit your development environment:
- Bundle Identifier
- Provisioning Profile
- Associated Domains
The value of the associated domain will contain the replying party identifier defined in step 5 of the Configure FIDO2 section above. For example:
webcredential:mytenant.verify.ibm.com
Ensure an
apple-app-site-association
(AASA) file is present on your domain in the .well-known directory, and that it contains an entry for this app’s App ID for the webcredentials service. For example:"webcredentials": { "apps": [ "TEAM.com.company.app" ] }
-
Open the passkey_appApp file
-
Replace the clientId value with the value from the ISV application settings.
-
Replace the host name of baseUrl and replyingParty values with your tenant. For example
mytenant.verify.ibm.com
-
Replace the
userid
value with the value from the getting your user ID section.
Resources
Supporting Security Key Authentication Using Physical Keys
Public-Private Key Authentication