Conditional UI flow #362
Replies: 2 comments
-
One more note. I'm currently using the Cognito-generated user ID, which looks like a UUID, as the user ID in the registration request. This seems to be stored as the user handle in the authenticator. Would it make sense to store the user login instead, which in this case is the email address? If that gets returned as the user handle by startAuthentication, I could use that to submit the Cognito authentication. I'm not sure if there are any major downsides to this, though.
-
I've finally got this working! It's got some ugly hacks, but it is actually working on iOS and Android. The browser pops up the Passkey prompt, and clicking on the passkey successfully authenticates the user. It's all tied in with AWS Cognito for user management, and is working with the AWS Amplify Auth libraries to talk to Cognito.

The biggest thing I had to change was to use the user's login name (email in my test case) as the userId on the registration options. Then that is returned as the userHandle on the credential. From there I'm able to call Auth.signIn specifying the userHandle. When I get the prompt for the custom challenge response, I send the output of startAuthentication plus the challenge. Then it can verify using the challenge and the response.

I've got to fix the challenge verification part. Right now I'm vulnerable to replay attacks. I'm thinking that the browser can return the challenge that it used with the response, and then I can just verify that the challenge was created recently and hasn't been used already. Basically, see if it's in the DB and less than some timeout old. Once it's used, delete it immediately. I'm using DynamoDB, so I may use the auto-delete feature to keep things from accumulating.

A few quirks I need to figure out. The biggest one is if you log out, you're still on the same page so the passkey prompt doesn't show up. On iOS at least, clicking on the username doesn't initiate the conditional UI. Reloading the page causes it to run again and prompt for the passkey. I've tried making a button that retries the passkey, but that doesn't seem to work.

I'm thinking of publishing this all once I get it polished up some more.
-
Hello,
I've been experimenting with using Passkeys and the conditional UI workflow, and trying to integrate with AWS Cognito. I've run into a question I hope somebody can shed some light on.
So far I have an API endpoint that will let me get a "usernameless" challenge. I pass this to startAuthentication with the useBrowserAutofill option set to true. On iOS, I do get the prompt to authenticate with a passkey, but the username never gets auto-filled. I've looked at the output of startAuthentication, and I don't see anything there that contains the username. I do see the user ID, but no login name. I did set the autocomplete options on the login name field.
I was hoping that if the username was filled in, I could call the normal signIn method on the normal AWS Amplify APIs, and pass the challenge answer as metadata to the server. Unfortunately I never get the username, so I can't call the API to finish the login. There might be a different way to accomplish this, but this approach would be the most in line with the traditional use of the API.
Am I doing something wrong here? Is this just a quirk of the iOS implementation? Any insight would be appreciated!
Thanks,
Paul