implementing start passkey enrollment (#15162)

Author: srushtisv

FirebaseAuth/Sources/Swift/Backend/AuthBackend.swift

@@ -355,6 +355,7 @@ final class AuthBackend: AuthBackendProtocol {
       .missingIosBundleIDError(message: serverDetailErrorMessage)
     case "MISSING_ANDROID_PACKAGE_NAME": return AuthErrorUtils
       .missingAndroidPackageNameError(message: serverDetailErrorMessage)
+    case "PASSKEY_ENROLLMENT_NOT_FOUND": return AuthErrorUtils.missingPasskeyEnrollment()
     case "UNAUTHORIZED_DOMAIN": return AuthErrorUtils
       .unauthorizedDomainError(message: serverDetailErrorMessage)
     case "INVALID_CONTINUE_URI": return AuthErrorUtils

FirebaseAuth/Sources/Swift/Backend/RPC/FinalizePasskeyEnrollmentRequest.swift

@@ -0,0 +1,72 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import Foundation
+
+/// The GCIP endpoint for finalizePasskeyEnrollment rpc
+private let finalizePasskeyEnrollmentEndPoint = "accounts/passkeyEnrollment:finalize"
+
+@available(iOS 15.0, macOS 12.0, tvOS 16.0, *)
+class FinalizePasskeyEnrollmentRequest: IdentityToolkitRequest, AuthRPCRequest {
+  typealias Response = FinalizePasskeyEnrollmentResponse
+
+  /// The raw user access token.
+  let idToken: String
+  /// The passkey name.
+  let name: String
+  /// The credential ID.
+  let credentialID: String
+  /// The CollectedClientData object from the authenticator.
+  let clientDataJSON: String
+  /// The attestation object from the authenticator.
+  let attestationObject: String
+
+  init(idToken: String,
+       name: String,
+       credentialID: String,
+       clientDataJSON: String,
+       attestationObject: String,
+       requestConfiguration: AuthRequestConfiguration) {
+    self.idToken = idToken
+    self.name = name
+    self.credentialID = credentialID
+    self.clientDataJSON = clientDataJSON
+    self.attestationObject = attestationObject
+    super.init(
+      endpoint: finalizePasskeyEnrollmentEndPoint,
+      requestConfiguration: requestConfiguration,
+      useIdentityPlatform: true
+    )
+  }
+
+  var unencodedHTTPRequestBody: [String: AnyHashable]? {
+    var postBody: [String: AnyHashable] = [
+      "idToken": idToken,
+      "name": name,
+    ]
+    let authAttestationResponse: [String: AnyHashable] = [
+      "clientDataJSON": clientDataJSON,
+      "attestationObject": attestationObject,
+    ]
+    let authRegistrationResponse: [String: AnyHashable] = [
+      "id": credentialID,
+      "response": authAttestationResponse,
+    ]
+    postBody["authenticatorRegistrationResponse"] = authRegistrationResponse
+    if let tenantId = tenantID {
+      postBody["tenantId"] = tenantId
+    }
+    return postBody
+  }
+}

FirebaseAuth/Sources/Swift/Backend/RPC/FinalizePasskeyEnrollmentResponse.swift

@@ -0,0 +1,34 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import Foundation
+
+@available(iOS 15.0, macOS 12.0, tvOS 16.0, *)
+struct FinalizePasskeyEnrollmentResponse: AuthRPCResponse {
+  /// The user raw access token.
+  let idToken: String
+  /// Refresh token for the authenticated user.
+  let refreshToken: String
+
+  init(dictionary: [String: AnyHashable]) throws {
+    guard
+      let idToken = dictionary["idToken"] as? String,
+      let refreshToken = dictionary["refreshToken"] as? String
+    else {
+      throw AuthErrorUtils.unexpectedResponse(deserializedResponse: dictionary)
+    }
+    self.idToken = idToken
+    self.refreshToken = refreshToken
+  }
+}

FirebaseAuth/Sources/Swift/Backend/RPC/GetAccountInfoResponse.swift

@@ -92,6 +92,9 @@ struct GetAccountInfoResponse: AuthRPCResponse {
 
     let mfaEnrollments: [AuthProtoMFAEnrollment]?
 
+    /// A list of the user’s enrolled passkeys.
+    let enrolledPasskeys: [PasskeyInfo]?
+
     /// Designated initializer.
     /// - Parameter dictionary: The provider user info data from endpoint.
     init(dictionary: [String: Any]) {
@@ -133,6 +136,11 @@ struct GetAccountInfoResponse: AuthRPCResponse {
       } else {
         mfaEnrollments = nil
       }
+      if let passkeyEnrollmentData = dictionary["passkeys"] as? [[String: AnyHashable]] {
+        enrolledPasskeys = passkeyEnrollmentData.map { PasskeyInfo(dictionary: $0) }
+      } else {
+        enrolledPasskeys = nil
+      }
     }
   }
 

FirebaseAuth/Sources/Swift/Backend/RPC/Proto/PasskeyInfo.swift

@@ -0,0 +1,40 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import Foundation
+
+public final class PasskeyInfo: NSObject, AuthProto, NSSecureCoding, Sendable {
+  /// The display name for this passkey.
+  public let name: String?
+  /// The credential ID used by the server.
+  public let credentialID: String?
+  required init(dictionary: [String: AnyHashable]) {
+    name = dictionary["name"] as? String
+    credentialID = dictionary["credentialId"] as? String
+  }
+
+  // NSSecureCoding
+  public static var supportsSecureCoding: Bool { true }
+
+  public func encode(with coder: NSCoder) {
+    coder.encode(name, forKey: "name")
+    coder.encode(credentialID, forKey: "credentialId")
+  }
+
+  public required init?(coder: NSCoder) {
+    name = coder.decodeObject(of: NSString.self, forKey: "name") as String?
+    credentialID = coder.decodeObject(of: NSString.self, forKey: "credentialId") as String?
+    super.init()
+  }
+}

FirebaseAuth/Sources/Swift/Backend/RPC/SetAccountInfoRequest.swift

@@ -73,6 +73,8 @@ private let kDeleteProvidersKey = "deleteProvider"
 /// The key for the "returnSecureToken" value in the request.
 private let kReturnSecureTokenKey = "returnSecureToken"
 
+private let kDeletePasskeysKey = "deletePasskey"
+
 /// The key for the tenant id value in the request.
 private let kTenantIDKey = "tenantId"
 
@@ -131,6 +133,9 @@ class SetAccountInfoRequest: IdentityToolkitRequest, AuthRPCRequest {
   /// The default value is `true` .
   var returnSecureToken: Bool = true
 
+  /// The list of credential IDs of the passkeys to be deleted.
+  var deletePasskeys: [String]? = nil
+
   init(accessToken: String? = nil, requestConfiguration: AuthRequestConfiguration) {
     self.accessToken = accessToken
     super.init(endpoint: kSetAccountInfoEndpoint, requestConfiguration: requestConfiguration)
@@ -183,6 +188,9 @@ class SetAccountInfoRequest: IdentityToolkitRequest, AuthRPCRequest {
     if returnSecureToken {
       postBody[kReturnSecureTokenKey] = true
     }
+    if let deletePasskeys {
+      postBody[kDeletePasskeysKey] = deletePasskeys
+    }
     if let tenantID {
       postBody[kTenantIDKey] = tenantID
     }

FirebaseAuth/Sources/Swift/Backend/RPC/StartPasskeyEnrollmentRequest.swift

@@ -0,0 +1,46 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import Foundation
+
+/// The GCIP endpoint for startPasskeyEnrollment rpc
+private let startPasskeyEnrollmentEndPoint = "accounts/passkeyEnrollment:start"
+
+@available(iOS 15.0, macOS 12.0, tvOS 16.0, *)
+class StartPasskeyEnrollmentRequest: IdentityToolkitRequest, AuthRPCRequest {
+  typealias Response = StartPasskeyEnrollmentResponse
+
+  /// The raw user access token
+  let idToken: String
+
+  init(idToken: String,
+       requestConfiguration: AuthRequestConfiguration) {
+    self.idToken = idToken
+    super.init(
+      endpoint: startPasskeyEnrollmentEndPoint,
+      requestConfiguration: requestConfiguration,
+      useIdentityPlatform: true
+    )
+  }
+
+  var unencodedHTTPRequestBody: [String: AnyHashable]? {
+    var body: [String: AnyHashable] = [
+      "idToken": idToken,
+    ]
+    if let tenantID = tenantID {
+      body["tenantId"] = tenantID
+    }
+    return body
+  }
+}

FirebaseAuth/Sources/Swift/Backend/RPC/StartPasskeyEnrollmentResponse.swift

@@ -0,0 +1,45 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import Foundation
+
+@available(iOS 15.0, macOS 12.0, tvOS 16.0, *)
+struct StartPasskeyEnrollmentResponse: AuthRPCResponse {
+  /// The RP ID of the FIDO Relying Party.
+  let rpID: String
+  /// The user id
+  let userID: String
+  /// The FIDO challenge.
+  let challenge: String
+
+  init(dictionary: [String: AnyHashable]) throws {
+    guard let options = dictionary["credentialCreationOptions"] as? [String: Any] else {
+      throw AuthErrorUtils.unexpectedResponse(deserializedResponse: dictionary)
+    }
+    guard let rp = options["rp"] as? [String: Any],
+          let rpID = rp["id"] as? String else {
+      throw AuthErrorUtils.unexpectedResponse(deserializedResponse: dictionary)
+    }
+    guard let user = options["user"] as? [String: Any],
+          let userID = user["id"] as? String else {
+      throw AuthErrorUtils.unexpectedResponse(deserializedResponse: dictionary)
+    }
+    guard let challenge = options["challenge"] as? String else {
+      throw AuthErrorUtils.unexpectedResponse(deserializedResponse: dictionary)
+    }
+    self.rpID = rpID
+    self.userID = userID
+    self.challenge = challenge
+  }
+}