ForgeRock SDKs

Authenticate by using a WebAuthn device

Once the user’s mobile device has been registered in AM, the device can be used as an authenticator with its registered key pair through the WebAuthn Authentication node, which is returned as a WebAuthnAuthenticationCallback by the iOS SDK.

With WebAuthnAuthenticationCallback, you must implement the following protocol method to handle the authentication process:

public protocol PlatformAuthenticatorAuthenticationDelegate {
    func selectCredential(keyNames: [String], selectionCallback: @escaping WebAuthnCredentialsSelectionCallback)

As part of authentication process, the SDK provides the WebAuthnAuthenticationCallback for authenticating the device as a credential.

if let authenticationCallback = callback as? WebAuthnAuthenticationCallback {

    authenticationCallback.delegate = self

    // Note that the `Node` parameter in `.authenticate()` is an optional parameter.
    // If the node is provided, the SDK automatically sets the assertion
    // to the designated HiddenValueCallback.
    authenticationCallback.authenticate(node: node) { (assertion) in
        // Authentication is successful
        // Submit the Node using
    } onError: { (error) in
        // An error occurred during the authentication process
        // Submit the Node using

The WebAuthnAuthenticationCallback.authenticate() method has an optional parameter, Node.

If the current node contains WebAuthnAuthenticationCallback and HiddenValueCallback, and this node is provided in the WebAuthnAuthenticationCallback.authenticate() method as a parameter, the SDK automatically sets the outcome of the authentication process for both success and failure to the designated HiddenValueCallback.

If the node is not provided, the assertion or error outcome must be set manually.

Select credentials

The func selectCredential() method is invoked when Username from device is enabled in the WebAuthn Authentication node. This feature requires that Username to device is enabled in the WebAuthn Registration node as well. With these options enabled, the registered key pair is associated with the username, and the SDK can present a list of registered keys to the user to continue the authentication process without collecting a username.

The keyName is an array of strings constructed as <User’s displayName> <Registered Timestamp>.

You may alter the string value, and present the altered value to the user, but you must return the key name string as it was provided in the original array.

func selectCredential(keyNames: [String], selectionCallback: @escaping WebAuthnCredentialsSelectionCallback) {
    let actionSheet = UIAlertController(title: "Select Credentials", message: nil, preferredStyle: .actionSheet)

    for keyName in keyNames {
        actionSheet.addAction(UIAlertAction(title: keyName, style: .default, handler: { (action) in

    actionSheet.addAction(UIAlertAction(title: "Cancel", style: .cancel, handler: { (action) in

    guard let vc = self.viewController else {

    if actionSheet.popoverPresentationController != nil {
        actionSheet.popoverPresentationController?.sourceView = self
        actionSheet.popoverPresentationController?.sourceRect = self.bounds

    DispatchQueue.main.async {
        viewController.present(actionSheet, animated: true, completion: nil)
Copyright © 2010-2023 ForgeRock, all rights reserved.