feat: support Safari

selfservice/strategy/passkey/.snapshots/TestCompleteLogin-flow=passwordless-case=passkey_button_exists.json

@@ -38,7 +38,7 @@
       "async": true,
       "crossorigin": "anonymous",
       "id": "webauthn_script",
-      "integrity": "sha512-fMylX5h+UK/Cb8ha7P4MBTcbtZ7NPXPV2ZVet49V5ZjJki1q2KJnk+HUohPzNdrndTQad4VRsMwOyPkWZ4GHVw==",
+      "integrity": "sha512-SSVrbpK6KOwN4xsH+nSyinjp4BOw8dsCU5dgegdpYUk0k7idTnQTd2JGVd+EJZV/TkdRaSKFJHRetpt5vydIZA==",
       "node_type": "script",
       "referrerpolicy": "no-referrer",
       "type": "text/javascript"

selfservice/strategy/passkey/.snapshots/TestCompleteLogin-flow=refresh-case=refresh_passwordless_credentials-browser.json

@@ -30,7 +30,7 @@
       "async": true,
       "crossorigin": "anonymous",
       "id": "webauthn_script",
-      "integrity": "sha512-fMylX5h+UK/Cb8ha7P4MBTcbtZ7NPXPV2ZVet49V5ZjJki1q2KJnk+HUohPzNdrndTQad4VRsMwOyPkWZ4GHVw==",
+      "integrity": "sha512-SSVrbpK6KOwN4xsH+nSyinjp4BOw8dsCU5dgegdpYUk0k7idTnQTd2JGVd+EJZV/TkdRaSKFJHRetpt5vydIZA==",
       "node_type": "script",
       "referrerpolicy": "no-referrer",
       "type": "text/javascript"

selfservice/strategy/passkey/.snapshots/TestCompleteLogin-flow=refresh-case=refresh_passwordless_credentials-spa.json

@@ -30,7 +30,7 @@
       "async": true,
       "crossorigin": "anonymous",
       "id": "webauthn_script",
-      "integrity": "sha512-fMylX5h+UK/Cb8ha7P4MBTcbtZ7NPXPV2ZVet49V5ZjJki1q2KJnk+HUohPzNdrndTQad4VRsMwOyPkWZ4GHVw==",
+      "integrity": "sha512-SSVrbpK6KOwN4xsH+nSyinjp4BOw8dsCU5dgegdpYUk0k7idTnQTd2JGVd+EJZV/TkdRaSKFJHRetpt5vydIZA==",
       "node_type": "script",
       "referrerpolicy": "no-referrer",
       "type": "text/javascript"

selfservice/strategy/passkey/.snapshots/TestCompleteSettings-case=a_device_is_shown_which_can_be_unlinked.json

@@ -109,7 +109,7 @@
       "async": true,
       "crossorigin": "anonymous",
       "id": "webauthn_script",
-      "integrity": "sha512-fMylX5h+UK/Cb8ha7P4MBTcbtZ7NPXPV2ZVet49V5ZjJki1q2KJnk+HUohPzNdrndTQad4VRsMwOyPkWZ4GHVw==",
+      "integrity": "sha512-SSVrbpK6KOwN4xsH+nSyinjp4BOw8dsCU5dgegdpYUk0k7idTnQTd2JGVd+EJZV/TkdRaSKFJHRetpt5vydIZA==",
       "node_type": "script",
       "referrerpolicy": "no-referrer",
       "type": "text/javascript"

selfservice/strategy/passkey/.snapshots/TestCompleteSettings-case=one_activation_element_is_shown.json

@@ -61,7 +61,7 @@
       "async": true,
       "crossorigin": "anonymous",
       "id": "webauthn_script",
-      "integrity": "sha512-fMylX5h+UK/Cb8ha7P4MBTcbtZ7NPXPV2ZVet49V5ZjJki1q2KJnk+HUohPzNdrndTQad4VRsMwOyPkWZ4GHVw==",
+      "integrity": "sha512-SSVrbpK6KOwN4xsH+nSyinjp4BOw8dsCU5dgegdpYUk0k7idTnQTd2JGVd+EJZV/TkdRaSKFJHRetpt5vydIZA==",
       "node_type": "script",
       "referrerpolicy": "no-referrer",
       "type": "text/javascript"

selfservice/strategy/passkey/.snapshots/TestRegistration-case=passkey_button_exists-browser.json

@@ -38,13 +38,40 @@
     "meta": {},
     "type": "input"
   },
+  {
+    "attributes": {
+      "async": true,
+      "crossorigin": "anonymous",
+      "id": "webauthn_script",
+      "integrity": "sha512-SSVrbpK6KOwN4xsH+nSyinjp4BOw8dsCU5dgegdpYUk0k7idTnQTd2JGVd+EJZV/TkdRaSKFJHRetpt5vydIZA==",
+      "node_type": "script",
+      "referrerpolicy": "no-referrer",
+      "type": "text/javascript"
+    },
+    "group": "webauthn",
+    "messages": [],
+    "meta": {},
+    "type": "script"
+  },
   {
     "attributes": {
       "disabled": false,
-      "name": "method",
+      "name": "passkey_register",
       "node_type": "input",
-      "type": "submit",
-      "value": "passkey"
+      "type": "hidden"
+    },
+    "group": "passkey",
+    "messages": [],
+    "meta": {},
+    "type": "input"
+  },
+  {
+    "attributes": {
+      "disabled": false,
+      "name": "passkey_register_trigger",
+      "node_type": "input",
+      "onclick": "window.__oryPasskeyRegistration()",
+      "type": "button"
     },
     "group": "passkey",
     "messages": [],
@@ -57,6 +84,18 @@
     },
     "type": "input"
   },
+  {
+    "attributes": {
+      "disabled": false,
+      "name": "passkey_create_data",
+      "node_type": "input",
+      "type": "hidden"
+    },
+    "group": "passkey",
+    "messages": [],
+    "meta": {},
+    "type": "input"
+  },
   {
     "attributes": {
       "autocomplete": "new-password",

selfservice/strategy/passkey/.snapshots/TestRegistration-case=passkey_button_exists-spa.json

@@ -38,13 +38,40 @@
     "meta": {},
     "type": "input"
   },
+  {
+    "attributes": {
+      "async": true,
+      "crossorigin": "anonymous",
+      "id": "webauthn_script",
+      "integrity": "sha512-SSVrbpK6KOwN4xsH+nSyinjp4BOw8dsCU5dgegdpYUk0k7idTnQTd2JGVd+EJZV/TkdRaSKFJHRetpt5vydIZA==",
+      "node_type": "script",
+      "referrerpolicy": "no-referrer",
+      "type": "text/javascript"
+    },
+    "group": "webauthn",
+    "messages": [],
+    "meta": {},
+    "type": "script"
+  },
   {
     "attributes": {
       "disabled": false,
-      "name": "method",
+      "name": "passkey_register",
       "node_type": "input",
-      "type": "submit",
-      "value": "passkey"
+      "type": "hidden"
+    },
+    "group": "passkey",
+    "messages": [],
+    "meta": {},
+    "type": "input"
+  },
+  {
+    "attributes": {
+      "disabled": false,
+      "name": "passkey_register_trigger",
+      "node_type": "input",
+      "onclick": "window.__oryPasskeyRegistration()",
+      "type": "button"
     },
     "group": "passkey",
     "messages": [],
@@ -57,6 +84,18 @@
     },
     "type": "input"
   },
+  {
+    "attributes": {
+      "disabled": false,
+      "name": "passkey_create_data",
+      "node_type": "input",
+      "type": "hidden"
+    },
+    "group": "passkey",
+    "messages": [],
+    "meta": {},
+    "type": "input"
+  },
   {
     "attributes": {
       "autocomplete": "new-password",

selfservice/strategy/passkey/passkey_registration.go

@@ -108,18 +108,14 @@ func (s *Strategy) Register(w http.ResponseWriter, r *http.Request, regFlow *reg
 
 	regFlow.TransientPayload = params.TransientPayload
 
-	if params.Register == "" && params.Method != "passkey" {
+	if params.Register == "" {
 		return flow.ErrStrategyNotResponsible
 	}
 
 	if err := flow.EnsureCSRF(s.d, r, regFlow.Type, s.d.Config().DisableAPIFlowEnforcement(ctx), s.d.GenerateCSRFToken, params.CSRFToken); err != nil {
 		return s.handleRegistrationError(w, r, regFlow, params, err)
 	}
 
-	if len(params.Register) == 0 {
-		return s.addPassKeyNodes(r, w, regFlow, params)
-	}
-
 	params.Method = s.ID().String()
 	if err := flow.MethodEnabledAndAllowed(ctx, regFlow.GetFlowName(), params.Method, params.Method, s.d); err != nil {
 		return s.handleRegistrationError(w, r, regFlow, params, err)
@@ -188,19 +184,18 @@ func (s *Strategy) Register(w http.ResponseWriter, r *http.Request, regFlow *reg
 		return s.handleRegistrationError(w, r, regFlow, params, err)
 	}
 
-	// Remove the WebAuthn URL from the internal context now that it is set!
-	regFlow.InternalContext, err = sjson.DeleteBytes(regFlow.InternalContext, flow.PrefixInternalContextKey(s.ID(), InternalContextKeySessionData))
-	if err != nil {
-		return s.handleRegistrationError(w, r, regFlow, params, err)
-	}
-
 	if err := s.d.RegistrationFlowPersister().UpdateRegistrationFlow(ctx, regFlow); err != nil {
 		return s.handleRegistrationError(w, r, regFlow, params, err)
 	}
 
 	return nil
 }
 
+type passkeyCreateData struct {
+	CredentialOptions    *protocol.CredentialCreation `json:"credentialOptions"`
+	DisplayNameFieldName string                       `json:"displayNameFieldName"`
+}
+
 func (s *Strategy) PopulateRegistrationMethod(r *http.Request, regFlow *registration.Flow) error {
 	ctx := r.Context()
 	if regFlow.Type != flow.TypeBrowser {
@@ -220,67 +215,31 @@ func (s *Strategy) PopulateRegistrationMethod(r *http.Request, regFlow *registra
 		regFlow.UI.SetNode(n)
 	}
 
-	regFlow.UI.Nodes.Append(node.NewInputField(
-		"method",
-		"passkey",
-		node.PasskeyGroup,
-		node.InputAttributeTypeSubmit,
-	).WithMetaLabel(text.NewInfoSelfServiceRegistrationRegisterPasskey()))
+	// Passkey nodes begin
+	createData := new(passkeyCreateData)
 
-	regFlow.UI.SetCSRF(s.d.GenerateCSRFToken(r))
-
-	return nil
-}
-
-func (s *Strategy) populateRegistrationNodes(ctx context.Context, schemaURL *url.URL) (node.Nodes, error) {
-	runner, err := schema.NewExtensionRunner(ctx)
+	fieldName, err := s.PasskeyDisplayNameFromSchema(ctx, defaultSchemaURL.String())
 	if err != nil {
-		return nil, err
-	}
-	c := jsonschema.NewCompiler()
-	runner.Register(c)
-
-	nodes, err := container.NodesFromJSONSchema(ctx, node.DefaultGroup, schemaURL.String(), "", c)
-	if err != nil {
-		return nil, err
-	}
-	return nodes, nil
-}
-
-func (s *Strategy) addPassKeyNodes(r *http.Request, w http.ResponseWriter, regFlow *registration.Flow, params *updateRegistrationFlowWithPasskeyMethod) error {
-	ctx := r.Context()
-
-	username := s.PasskeyDisplayNameFromTraits(ctx, identity.Traits(params.Traits))
-	if username == "" {
-		return s.handleRegistrationError(w, r, regFlow, params, schema.NewMissingIdentifierError())
-	}
-
-	// Render default nodes as hidden fields, also create passkey
-	c, err := container.NewFromStruct("", node.DefaultGroup, params.Traits, "traits")
-	if err != nil {
-		return s.handleRegistrationError(w, r, regFlow, params, err)
-	}
-	for _, n := range c.Nodes {
-		regFlow.UI.SetValue(n.ID(), n)
+		return err
 	}
-
-	regFlow.UI.SetCSRF(s.d.GenerateCSRFToken(r))
+	createData.DisplayNameFieldName = fieldName
 
 	webAuthn, err := webauthn.New(s.d.Config().PasskeyConfig(ctx))
 	if err != nil {
 		return errors.WithStack(err)
 	}
 	user := &webauthnx.User{
-		Name:   username,
+		Name:   "",
 		ID:     []byte(randx.MustString(64, randx.AlphaNum)),
 		Config: s.d.Config().PasskeyConfig(ctx),
 	}
 	option, sessionData, err := webAuthn.BeginRegistration(user)
 	if err != nil {
 		return errors.WithStack(err)
 	}
+	createData.CredentialOptions = option
 
-	injectWebAuthnOptions, err := json.Marshal(option)
+	injectWebAuthnOptions, err := json.Marshal(createData)
 	if err != nil {
 		return errors.WithStack(err)
 	}
@@ -301,33 +260,51 @@ func (s *Strategy) addPassKeyNodes(r *http.Request, w http.ResponseWriter, regFl
 		Group: node.PasskeyGroup,
 		Meta:  &node.Meta{},
 		Attributes: &node.InputAttributes{
-			Name:   node.PasskeyRegister,
-			Type:   node.InputAttributeTypeHidden,
-			OnLoad: "window.__oryPasskeyRegistration()", // defined in webauthn.js
+			Name:       node.PasskeyCreateData,
+			Type:       node.InputAttributeTypeHidden,
+			FieldValue: string(injectWebAuthnOptions),
 		}})
 
 	regFlow.UI.Nodes.Upsert(&node.Node{
 		Type:  node.Input,
-		Group: node.WebAuthnGroup,
+		Group: node.PasskeyGroup,
 		Meta:  &node.Meta{},
 		Attributes: &node.InputAttributes{
-			Name:       node.PasskeyCreateData,
-			Type:       node.InputAttributeTypeHidden,
-			FieldValue: string(injectWebAuthnOptions),
+			Name: node.PasskeyRegister,
+			Type: node.InputAttributeTypeHidden,
 		}})
 
-	if err := s.d.RegistrationFlowPersister().UpdateRegistrationFlow(r.Context(), regFlow); err != nil {
-		return s.handleRegistrationError(w, r, regFlow, params, err)
+	regFlow.UI.Nodes.Append(&node.Node{
+		Type:  node.Input,
+		Group: node.PasskeyGroup,
+		Meta:  &node.Meta{Label: text.NewInfoSelfServiceRegistrationRegisterPasskey()},
+		Attributes: &node.InputAttributes{
+			Name:    node.PasskeyRegisterTrigger,
+			Type:    node.InputAttributeTypeButton,
+			OnClick: "window.__oryPasskeyRegistration()", // defined in webauthn.js
+		}})
+
+	// Passkey nodes end
+
+	regFlow.UI.SetCSRF(s.d.GenerateCSRFToken(r))
+
+	return nil
+}
+
+func (s *Strategy) populateRegistrationNodes(ctx context.Context, schemaURL *url.URL) (node.Nodes, error) {
+	runner, err := schema.NewExtensionRunner(ctx)
+	if err != nil {
+		return nil, err
 	}
+	c := jsonschema.NewCompiler()
+	runner.Register(c)
 
-	redirectTo := regFlow.AppendTo(s.d.Config().SelfServiceFlowRegistrationUI(r.Context())).String()
-	if x.IsJSONRequest(r) {
-		s.d.Writer().WriteError(w, r, flow.NewBrowserLocationChangeRequiredError(redirectTo))
-	} else {
-		http.Redirect(w, r, redirectTo, http.StatusSeeOther)
+	nodes, err := container.NodesFromJSONSchema(ctx, node.DefaultGroup, schemaURL.String(), "", c)
+	if err != nil {
+		return nil, err
 	}
 
-	return flow.ErrCompletedByStrategy
+	return nodes, nil
 }
 
 func (s *Strategy) validateCredentials(ctx context.Context, i *identity.Identity) error {

selfservice/strategy/passkey/passkey_registration_test.go

@@ -104,6 +104,9 @@ func TestRegistration(t *testing.T) {
 				f := testhelpers.InitializeRegistrationFlowViaBrowser(t, client, fix.publicTS, flowIsSPA(flowType), false, false)
 				testhelpers.SnapshotTExcept(t, f.Ui.Nodes, []string{
 					"2.attributes.value",
+					"3.attributes.src",
+					"3.attributes.nonce",
+					"6.attributes.value",
 				})
 			})
 		}
@@ -248,7 +251,7 @@ func TestRegistration(t *testing.T) {
 
 				assert.Contains(t, gjson.Get(actual, "ui.action").String(), fix.publicTS.URL+registration.RouteSubmitFlow, "%s", actual)
 				registrationhelpers.CheckFormContent(t, []byte(actual), "csrf_token", "traits.email")
-				assert.Equal(t, text.NewErrorValidationIdentifierMissing().Text, gjson.Get(actual, "ui.messages.0.text").String(), "%s", actual)
+				assert.Equal(t, text.NewErrorValidationRegistrationNoStrategyFound().Text, gjson.Get(actual, "ui.messages.0.text").String(), "%s", actual)
 			})
 		}
 	})