Open egesucu opened 1 year ago
That would be amazing. iCloud account password is too heavy a requirement.
This tool looks amazing, but the requirement for AppleID credentials is a no-go for me.
+1
This is a tricky problem since the entire point of passkeys is that they are invisible to the user, and that they prevent phishing by taking control out of the user's hands and allowing the browser/OS to check what passkey is needed for what website or app instead of the user (and potentially giving access to a threat actor).
The only way I can see for an app to access iCloud stored passkeys is through Apple's Authentication Services framework. However, using this framework requires that the app prove that they own the site they are authenticating against, using an associated domain entitlement.
Since Xcodes.app is an unofficial tool and obviously does not own Apple.com, it has no way to achieve that associated domain entitlement. Therefore the system would never allow us to use the passkey for Apple.com.
The only way I could see this being possible is if we are able to re-implement the auth flow in a way that opens an embedded WebView pointing to the Apple sign in page, with some custom JavaScript injected into the page that allows the user to sign in fully using the Apple sign in flow using passkey or whatever login option they want, while then capturing the necessary auth cookies and info we need after the user signs in.
However, doing a quick test of WKWebView, it doesn't seem to show a passkey sign in option when navigating to appleid.apple.com, so perhaps they block passkeys from app embedded web views.
I did, however, get this sign in option presented (I'm not actually sure what they call this but it predates passkeys and lets you sign in to your Apple ID on Apple devices where you're already logged in to iCloud at the system level):
So maybe that would be sufficient in place of passkey support.
But more investigation would be needed to see if this type of auth flow would work.
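The associated-domain requirement described in the comment above is a two-way check, sketched here as an added example (not code from this thread or from the Xcodes project). It is a simplified model of the system's validation: the function names, app IDs and `example.com` data are constructed for illustration.

```python
import json

# Constructed sample of the apple-app-site-association (AASA) document a site
# serves under /.well-known/. The app ID below is a placeholder.
SAMPLE_AASA = json.dumps({
    "webcredentials": {"apps": ["ABCDE12345.com.example.owner-app"]}
})


def entitlement_domains(entitlements):
    """Domains an app claims via 'webcredentials:<domain>' entitlement entries."""
    domains = set()
    for entry in entitlements:
        service, _, rest = entry.partition(":")
        if service != "webcredentials" or not rest:
            continue
        # Drop an optional '?mode=...' suffix and normalise case.
        domains.add(rest.split("?", 1)[0].lower())
    return domains


def domain_matches(claimed, domain):
    """A claim of '*.example.com' covers subdomains only; otherwise exact match."""
    if claimed.startswith("*."):
        return domain.endswith(claimed[1:])
    return claimed == domain


def site_listed_apps(aasa_text):
    """App IDs the site vouches for; missing or malformed data vouches for nobody."""
    try:
        apps = json.loads(aasa_text)["webcredentials"]["apps"]
    except (ValueError, KeyError, TypeError):
        return []
    return apps if isinstance(apps, list) else []


def may_use_passkeys(app_id, entitlements, domain, aasa_text):
    """Both halves must agree: the app claims the domain AND the domain lists the app."""
    domain = domain.lower()
    claims = any(domain_matches(c, domain) for c in entitlement_domains(entitlements))
    return claims and app_id in site_listed_apps(aasa_text)
```

A third-party app can add the entitlement to its own build, but it cannot add its app ID to a file served by a domain it does not control, which is the half of the check that fails here.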
Tell us how we can improve Xcodes
Apple has added passkey support to its AppleID websites.
Can we provide similar authentication in XcodesApp without the need of login/password with 2FA?