okta-devices-swift
https://github.com/okta/okta-devices-swift
Apache License 2.0

Send UV_TEMPORARILY_UNAVAILABLE userConsent if device passcode is not… #133

Closed pavelkozlov-okta closed 1 year ago

pavelkozlov-okta commented 1 year ago

Problem Analysis (Technical)

A Face ID reset leads to invalidation of the enrolled userVerification key, and attempts to sign the challenge response JWT return a TKError.Code.corruptedData error. This error is handled by sending the UV_PERMANENTLY_UNAVAILABLE userConsent using the PoP key.

If the device passcode is turned off, the userVerification key is not invalidated, but all attempts to sign the challenge response JWT using this key return an LAError.Code.passcodeNotSet error, which doesn't have a specific handler and is treated as a general error, leading to UC prompting.

Solution (Technical)

In order to provide the same experience for both cases, added handling of the LAError.Code.passcodeNotSet error to send the UV_TEMPORARILY_UNAVAILABLE userConsent value. After setting a new passcode, Face ID becomes available again and the userVerification key works as before.
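The error-to-userConsent mapping described in this pull request, sketched as an added example that is not code from the PR or from okta-devices-swift. The `UserConsent` and `SigningOutcome` types, the `classifySigningError` function, and the assumption that the framework error may be wrapped under `NSUnderlyingErrorKey` are hypothetical; only the two error codes and the two userConsent strings come from the description above.

```swift
import Foundation
import LocalAuthentication
import CryptoTokenKit

// Hypothetical type for this example; the SDK's own names may differ.
enum UserConsent: String {
    case uvPermanentlyUnavailable = "UV_PERMANENTLY_UNAVAILABLE"
    case uvTemporarilyUnavailable = "UV_TEMPORARILY_UNAVAILABLE"
}

// Hypothetical result of classifying a failed userVerification signing attempt.
enum SigningOutcome {
    case sendUserConsent(UserConsent) // report UV state instead of prompting
    case generalError(Error)          // unrecognised failure, existing general path
}

func classifySigningError(_ error: Error) -> SigningOutcome {
    // Assumption: the framework error may sit below a wrapper error, so walk
    // the NSUnderlyingErrorKey chain with a depth bound to avoid cycles.
    var current: NSError? = error as NSError
    var depth = 0
    while let e = current, depth < 8 {
        // Key invalidated (the Face ID reset case): not recoverable for this key.
        if e.domain == TKErrorDomain, e.code == TKError.Code.corruptedData.rawValue {
            return .sendUserConsent(.uvPermanentlyUnavailable)
        }
        // Passcode turned off: the key is intact and works again once a
        // passcode is set, so the condition is temporary.
        if e.domain == LAErrorDomain, e.code == LAError.Code.passcodeNotSet.rawValue {
            return .sendUserConsent(.uvTemporarilyUnavailable)
        }
        current = e.userInfo[NSUnderlyingErrorKey] as? NSError
        depth += 1
    }
    return .generalError(error)
}

// Constructed sample input: a passcodeNotSet error nested inside a wrapper error.
let inner = NSError(domain: LAErrorDomain, code: LAError.Code.passcodeNotSet.rawValue)
let outer = NSError(domain: NSOSStatusErrorDomain, code: -1,
                    userInfo: [NSUnderlyingErrorKey: inner])
if case .sendUserConsent(let consent) = classifySigningError(outer) {
    print(consent.rawValue)
}
```

Keeping the two cases distinct matters to the server side: a permanently unavailable key implies re-enrollment of user verification, while a temporarily unavailable one does not.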

IldarAbdullin-okta commented 1 year ago

LGTM! Do we have any documentation of the UV_PERMANENTLY_UNAVAILABLE or UV_TEMPORARILY_UNAVAILABLE cases and what should happen?

@stevelind-okta, https://github.com/okta/okta-verify-contracts/blob/master/Documentation/FastPass/authentication.md#response-context-collection-and-validation