UAF iOS sourceApplication parameter

142 views
Skip to first unread message

Adric Lloyd

unread,
Jul 11, 2021, 8:18:05 PM7/11/21
to FIDO Dev (fido-dev)
My question is regarding the FIDO UAF iOS conformance tool v1.6.1

The specification indicates that one should look at the passed sourceApplication when receiving a URL in the x-callback-url format.


For FIDO UAF Clients, the custom URL scheme handler entrypoint is the openURL() function:

EXAMPLE 9
(BOOL)application:(UIApplication *)application openURL:(NSURL *)url sourceApplication:(NSString *)sourceApplication annotation:(id)annotation
Here, the URL above is received via the url parameter. For security considerations, the sourceApplication parameter contains the iOS bundle ID of the relying party application. This bundle ID must be used to verify the application FacetID.

iOS no longer provides the sourceApplication value if the sending application does not originate from the same development team (https://developer.apple.com/documentation/uikit/uiapplication/openurloptionskey/1623128-sourceapplication)

The conformance tool seems to expect this value to be passed by the conformance tool in order to pass the tests but this has not been possible. Hardcoding the conformance tool's bundleID has allowed me to pass these tests but this is presumably not a viable option for actual conformance testing.

Can anyone advise on the correct course of action here?

Thanks

Adric Lloyd

Ackermann Yuriy

unread,
Jul 12, 2021, 2:36:41 AM7/12/21
to Adric Lloyd, FIDO Dev (fido-dev)
in sceneDelegate, scene openURLContexts handler, you extract callers application via accessing first url context. Here is the code sample:

class SceneDelegate: UIResponder, UIWindowSceneDelegate {
    func scene(_ scene: UIScene, openURLContexts URLContexts: Set<UIOpenURLContext>) {
        if let urlContext = URLContexts.first {
            let sourceApplication = urlContext.options.sourceApplication
        }
     }
}

Yuriy Ackermann
FIDO, Identity, Standards
skype: ackermann.yuriy
github: @herrjemand
twitter: @herrjemand
medium: @herrjemand


--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/c62a9abf-a668-4968-889e-1566836c3919n%40fidoalliance.org.
Message has been deleted

Adric Lloyd

unread,
Jul 13, 2021, 2:02:39 AM7/13/21
to FIDO Dev (fido-dev), Ackermann Yuriy, FIDO Dev (fido-dev), Adric Lloyd

Hi Yuri

Thanks for  the information, I've implemented this as you suggested and while the code gets hit I still get nil for the source application from the conformance tool. Ive attached the printout data below.

func scene(_ scene: UIScene, openURLContexts URLContexts: Set<UIOpenURLContext>) {
        if let urlContext = URLContexts.first {
            let sourceApplication = urlContext.options.sourceApplication
            print(sourceApplication)
        }
     }

(lldb) po URLContexts
▿ 1 element
  - 0 : <UIOpenURLContext: 0x2833f6080; URL: FidoUAFClient1://x-callback-url/UAF_OPERATION?x-success=FIDOConformaceToolsIonic://x-callback-url/UAF_OPERATION_RESULT&json=ewogICJjaGFubmVsQmluZGluZ3MiIDogIntcbiAgXCJzZXJ2ZXJFbmRQb2ludFwiIDogbnVsbCxcbiAgXCJjaWRfcHVia2V5XCIgOiBudWxsLFxuICBcInRsc1NlcnZlckNlcnRpZmljYXRlXCIgOiBudWxsLFxuICBcInRsc1VuaXF1ZVwiIDogbnVsbFxufSIsCiAgIm1lc3NhZ2UiIDogIntcbiAgXCJ1YWZQcm90b2NvbE1lc3NhZ2VcIiA6IFwiW3tcXFwiaGVhZGVyXFxcIjp7XFxcInVwdlxcXCI6e1xcXCJtYWpvclxcXCI6MSxcXFwibWlub3JcXFwiOjF9LFxcXCJvcFxcXCI6XFxcIlJlZ1xcXCIsXFxcImFwcElEXFxcIjpcXFwiXFxcIn0sXFxcImNoYWxsZW5nZVxcXCI6XFxcIkg5aVc5eUE5YUFYRl9sZWxRb2lfRGhVazUxNEFkOFRxdjB6Q25DcUtEcG9cXFwiLFxcXCJ1c2VybmFtZVxcXCI6XFxcImhlbGxvQHRlc3QuY29tXFxcIixcXFwicG9saWN5XFxcIjp7XFxcImFjY2VwdGVkXFxcIjpbW3tcXFwiYWFpZFxcXCI6W1xcXCIwMDQxIzEwMDRcXFwiXX1dXX19XVwiXG59Igp9&key=O1Dhfh4zPYrVMkAadLOjcH-Zw-i5nCwQxAkXnyhoiWY&state=7BFB0358814B43829530D7E87098D2C2; options: <UISceneOpenURLOptions: 0x2826817c0; sourceApp: (null); annotation: (null); openInPlace: NO; _eventAttribution: (null)>>

(lldb) po sourceApplication
nil

(lldb)

Any idea what might be happening?

Thanks

Adric Lloyd

Alban Çopja

unread,
Jul 28, 2021, 5:21:30 AM7/28/21
to FIDO Dev (fido-dev), adric...@gallagher.com, Ackermann Yuriy, FIDO Dev (fido-dev)
I did report the page includes due to my personal id issue veryfications
Reply all
Reply to author
Forward
0 new messages