ASCredentialUpdater
A class to pass credential update events to credential managers enabled on the system.
Declaration
final class ASCredentialUpdater
Overview
The ASCredentialUpdater implements the functionality of the WebAuthn Signal API, allowing apps to update credential managers with information about existing credentials. By informing credential managers of updated, removed, or revoked credentials, the credential managers can stay synchronized with the credential information of the person using the device.
Use ASCredentialUpdater in the following scenarios:
- Updating passkey metadata
The system UI represents passkeys by a “user name”, set when the passkey is created. This field is usually a user name or email address. If your app allows the person using it to change the user name for their account, use reportPublicKeyCredentialUpdate(relyingPartyIdentifier:userHandle:newName:) to relay that information to credential managers.
- Removing revoked passkeys
Your app and its related services may allow someone using it to remove passkeys associated with their account, or delete the account entirely. Use reportUnknownPublicKeyCredential(relyingPartyIdentifier:credentialID:) to inform credential managers of this deletion, so the passkeys aren’t shown in future login flows.
- Removing passwords
When you’re confident the person using your app has transitioned to using a passkey to sign in and no longer requires a password fallback to sign in, you can direct credential managers to remove or hide passwords with reportUnusedPasswordCredential(domain:userName:). This prevents the now invalid passwords from appearing in the UI.
The following example shows how an app might use this class when processing various sign-in and account-management events:
import AuthenticationServices

let credentialUpdater = ASCredentialUpdater()

// userData, credentialID1, credentialID2, and credentialIDData are
// placeholders for values from your app's account records.

func handleSuccessfulPasskeySignIn() async throws {
    // ...
    // Update passkey if the username changed on the account.
    try await credentialUpdater.reportPublicKeyCredentialUpdate(relyingPartyIdentifier: "example.com", userHandle: userData, newName: "name")
    // Report accepted credentials.
    try await credentialUpdater.reportAllAcceptedPublicKeyCredentials(relyingPartyIdentifier: "example.com", userHandle: userData, allowedCredentialIDs: [credentialID1, credentialID2])
    // Remove or hide stale password.
    try await credentialUpdater.reportUnusedPasswordCredential(domain: "example.com", userName: "user")
}

func handleFailedPasskeySignIn() async throws {
    // ...
    // Remove or hide invalid passkey.
    try await credentialUpdater.reportUnknownPublicKeyCredential(relyingPartyIdentifier: "example.com", credentialID: credentialIDData)
}

func handleAccountDeletion() async throws {
    // ...
    // Report an empty accepted list so no passkey for the account is offered again.
    try await credentialUpdater.reportAllAcceptedPublicKeyCredentials(relyingPartyIdentifier: "example.com", userHandle: userData, allowedCredentialIDs: [])
    // Remove or hide the account's password.
    try await credentialUpdater.reportUnusedPasswordCredential(domain: "example.com", userName: "user")
}
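The following is an added example, not part of Apple's sample: it turns a server's account record into the Data values the calls above take and reports the full accepted set after sign-in. The AccountPasskeyState type, the SignalError type, both function names, and the assumption that the server sends the user handle and credential IDs as unpadded base64url strings are all hypothetical.

```swift
import AuthenticationServices
import Foundation

// Hypothetical account record returned by your server after sign-in.
struct AccountPasskeyState {
    let userHandle: String        // base64url, assumed wire format
    let userName: String          // current user name on the account
    let credentialIDs: [String]   // base64url IDs the server still accepts
}

enum SignalError: Error { case malformedBase64URL(String) }

// Data(base64Encoded:) expects the standard alphabet with padding, so
// translate the base64url alphabet and re-pad before decoding.
func decodeBase64URL(_ value: String) throws -> Data {
    var s = value.replacingOccurrences(of: "-", with: "+")
                 .replacingOccurrences(of: "_", with: "/")
    s += String(repeating: "=", count: (4 - s.count % 4) % 4)
    guard let data = Data(base64Encoded: s) else {
        throw SignalError.malformedBase64URL(value)
    }
    return data
}

// Decode everything before sending any signal. A list that silently dropped
// a malformed ID would report that passkey as no longer accepted.
func syncCredentialManagers(with state: AccountPasskeyState,
                            relyingParty: String) async throws {
    let userHandle = try decodeBase64URL(state.userHandle)
    let accepted = try state.credentialIDs.map(decodeBase64URL)

    let updater = ASCredentialUpdater()
    try await updater.reportPublicKeyCredentialUpdate(
        relyingPartyIdentifier: relyingParty,
        userHandle: userHandle,
        newName: state.userName)
    try await updater.reportAllAcceptedPublicKeyCredentials(
        relyingPartyIdentifier: relyingParty,
        userHandle: userHandle,
        allowedCredentialIDs: accepted)
}
```

Call syncCredentialManagers only with an account record fetched over an authenticated session, since the accepted list determines which passkeys credential managers keep offering.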