Authentication Services


Improve the experience of users when they enter credentials to establish their identity using Authentication Services.

Authentication Services Documentation

Posts under Authentication Services tag

86 Posts
Post marked as solved
5 Replies
157 Views
Hello, My app uses OAuth to connect to two services. To get the authorization code, originally, they both allowed a URI in the form of "com.SmartVentsTwo://auth". Now, the second one changed and requires that the URI be a complete URL starting with HTTPS. Needless to say the second stopped working. I read several different articles and posts about this difference telling me a range of things to do from simply adding "https://com.SSmarVentsTwo://auth" to the URL types in the project settings, to creating a redirect from my website. It would seem the most secure would be the former since it doesn't require extra jumps, but it didn't work. When I tried it, after logging in and authorizing the request, I got a "could not find server" error. What are the exact steps I need to follow to accommodate the change? (Thank you very much!!)
Post not yet marked as solved
1 Replies
146 Views
When using an ASWebAuthenticationSession to log in, with prefersEphemeralSession = false to enable SSO, the system presents an alert asking if the user wants to allow "SomeApp" to Sign In with "someauthprovider.xyz". The system presents exactly the same alert when you want to log out, and it is confusing for users. It's my understanding that the system does this because the alert really means "would you like to allow this app to let some page access Safari's shared cookie vault?" in lay terms, and is not distinguishing between create, read, update, or delete. It would be splendid if Apple changes this dialog depending on the operation. I would also like to know if there is any other way to fix this.
Posted by trimtab.
Post not yet marked as solved
2 Replies
137 Views
Hi, I am creating a simple app with iOS 17. I want to authenticate via the iOS passcode, but I couldn't find any example about it. Where can I get some example about using the iOS passcode in iOS 17? Please help me.
Posted by Ohmry.
Post not yet marked as solved
0 Replies
105 Views
We have recently rolled out a one-time-password only log in system for our app. Access to our app is by invite only and users are required to register outside of the app to set up their account (it is an app for events & conferences). The majority of users have requested this login system as it is more secure and easier than a traditional password. I submitted the app for review, but it was rejected as the Apple tester required the email access code that was sent when they entered the tester email address we have in the app description. Does anyone have any advice on how we can remedy this so that our app does not keep getting rejected for this reason? Thanks
Post not yet marked as solved
0 Replies
206 Views
Hello, I'm trying to enroll on the trader account program but after filling out the form, then entering the email verification code that was sent, I don't ever receive the phone OTP code that I'm supposed to receive. I'm not from the US, my country code is +51 so I select that on the dial code combo-box then enter my number that is 9 digits long. However, I tried with a US phone from a friend and it works just fine, he does receive the confirmation code. How can I fix this? I already have an app stuck for over 1 week because of this. I've called Apple support multiple times and they send me to send evidence via email, which I have. They've told me it was "scaled" to the engineering team but of course that's gonna take a long while for it to be fixed. Has anyone encountered a similar problem? I believe there's gotta be a quirk or something in that form that will actually get the system to work.
Posted by chizzatto.
Post not yet marked as solved
3 Replies
330 Views
I'm working my way through adding passkey support to my app. At app launch, I'd like to test to see if the user has already created a passkey for the service, and if not, immediately present the account creation UI. Is there an API call I can make to see if the user already has a credential? From the examples I’ve found, it seems I should just try to sign in, and I’ll get an error callback if there are no stored credentials. Is that right?
Posted by JetForMe.
Post marked as solved
1 Replies
277 Views
I have noticed that there is a new initializer for ASWebAuthenticationSession in macOS 14.4. The standard initializer has been deprecated without further info. The new initializer looks as follows:
    init(url: URL, callback: ASWebAuthenticationSession.Callback, completionHandler: ASWebAuthenticationSession.CompletionHandler)
This initializer takes a callback object for class ASWebAuthenticationSession.Callback. But this class cannot be initialized and also not be subclassed. When you try to do this there will be the following error in Xcode:
    'init()' is unavailable
The documentation also does not give any hint on how to use it, it just defines 2 class methods and a method called func matchesURL(URL) -> Bool which could mean that by using this method you could match any arbitrary URL to continue the process. Has anyone figured out what to do with this?
Posted by Fribi.
Post not yet marked as solved
0 Replies
243 Views
My organization is using mutual TLS authentication for HTTPS, with PIV cards storing the certs. We observe that some OS X devices send only the leaf certs when establishing the mTLS connection, whereas others send the entire chain. We cannot validate the leaf cert without the intermediate cert, so those clients are rejected. What drives the decision whether to send the whole chain, vs the leaf cert only?
For more details, and some things we observed: The PIV cards are US DoD CAC cards: https://www.cac.mil/common-access-card/ The client cert chain on the card looks like this:
1. Leaf client cert, CN=LastName.Name
2. Intermediate cert, CN=DOD ID CA-70
3. "Root" cert, CN=DoD Root CA 6
4 through 8: Additional interoperability certs.
Our system is set up to trust the "root" cert CN=DoD Root CA 6. Neither the leaf cert, nor other certs in the chain are trusted by Apple Keychain Trust Store by default. We find that most laptops will send the entire chain, 1 through 8, when establishing the mTLS connection with our servers. This allows us to validate them correctly. On a subset of OS X devices, Google Chrome will only send the leaf chain. This happens even when we use exact same PIV card, and exact same PIV reader as on working laptops. Safari will not send any cert at all. We found that if we explicitly add the CN=DoD Root CA 6 to the Apple Trust Store, Google Chrome and Safari will start sending a short chain, containing only certs 1 through 3. This allows the server to validate them. When we remove it from Trust Store, Chrome is back to sending only leaf, but Safari will not even send the leaf. Again, this only happens on some laptops; on most of the laptops, both Safari and Google Chrome will send the entire chain, regardless of whatever is set up in Trust Store. My suspicion is that for some reason, on those laptops, Safari will not send the client certs that OS X doesn't trust. This makes sense, but this is not the behavior we want. We want the same behavior on the working laptops, which is to send the whole chain. All of our laptops are on OS X 14.4
Post not yet marked as solved
0 Replies
396 Views
I'm getting ready to release the first version of our app, which is designed for existing (paying) customers of our service. The app will only have a Sign In functionality for the first few versions, i.e. users cannot create a new account through the app. We currently only have password or Google authentication through the website. I'm wondering how the App Store guidelines apply here. It seems that since the March 4, 2020 update, Apple Sign In is required when using any other third party OAuth providers (Google for our case). However I'm unclear if the listed exceptions cover this scenario. To state the obvious, users do not have a way currently to create an account with Apple Sign In, so exactly 0 users will ever succeed in logging in with that button if I'm required to put it. I understand the guidelines if we're talking about creating accounts, but since this is Sign In only, is it still required to provide as an option? Thanks in advance!
Posted by fr4nk1n.
Post not yet marked as solved
0 Replies
218 Views
I would like to implement certificate-based authentication using MSCA as the authenticator, along with 2FA as OTP/push. I have achieved the same using an authorization plugin, where the first factor is user name and password and, for the second factor, it goes to my server for OTP verification. In this case I would like to go to MACS for the primary certificate authentication, and after that I would like to go to my server for the second factor.
Post not yet marked as solved
1 Replies
262 Views
We extended the ASCredentialProviderViewController in our app to provide passkeys and everything seems to be working fine (from the user's perspective). But we are curious why prepareCredentialListForServiceIdentifiers:requestParameters: is never called. Since:
- Passkey credentials seem only to be used / offered when added to the ASCredentialIdentityStore.
- We duplicated a passkey in our app about 15 times and all passkeys for the same service were still offered by the credential chooser from iOS and not in our app (via "prepareCredentialListForServiceIdentifiers:requestParameters:").
we believe that in the current versions of iOS "prepareCredentialListForServiceIdentifiers:requestParameters:" is not used. It would be nice to get some clarification since it currently seems not possible to test the implementation of this method!
Posted by Brian4711.
Post not yet marked as solved
1 Replies
325 Views
The below code used to compile for iOS 16.0 and above when using Xcode 15.2. Now it seems that ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest.excludeCredentials is only available on iOS 17.4 and above in Xcode 15.3? Is there any reason that's the case?
    let request = ASAuthorizationPlatformPublicKeyCredentialProvider(relyingPartyIdentifier: id).createCredentialRegistrationRequest(challenge: challengeData, name: name, userID: userIDData)
    // ERROR: 'excludedCredentials' is only available in iOS 17.4 or newer
    request.excludedCredentials = registrationOptions.excludeCredentials
Post marked as solved
2 Replies
328 Views
How do we find such info as attestationPreference through the prepareInterface() API? Is there a way to access ASAuthorizationPublicKeyCredentialRegistrationRequest? I don't seem to see how we can achieve this through ASPasskeyCredentialRequest in prepareInterface(forPasskeyRegistration:) for iOS. A broader question is: do we even have access to the WebAuthn extensions in a third-party passkey manager? Thanks, Joshua
Posted by joshzhao.
Post not yet marked as solved
1 Replies
312 Views
Xcode 15.2, iOS 17.2. I have a piece of code that displays videos. It has been working for at least 6 months. Suddenly only the first video played. The following videos would only play audio with the video being frozen at the first frame. I noticed that SwiftUI would start to instantiate multiple instances of my player observable class instead of just one. After chasing the problem for most of a day I found that if I completely removed every piece of code referencing AuthenticationServices then everything would work fine again. Even if I add the following piece of code which is not used or called in any way, then SwiftUI will start to act weird.
    func configure(_ request: ASAuthorizationAppleIDRequest) {
        request.requestedScopes = [.fullName, .email]
    }
If I comment out request.requestedScopes = [.fullName, .email] everything works fine. The SignInWithApple is configured and works fine if I enable the code. Any suggestions on how to solve or any workarounds would be highly appreciated.
Posted by Claus_.
Post not yet marked as solved
0 Replies
410 Views
I’m looking to see if anybody else has noticed that iOS 17.4 seems to have broken password autofill for associated domains. Meaning if I open my app to the login page (web view) it recognizes the associated domains and the password in my keychain. If I tap on my user name my keychain is unlocked with biometrics (FaceID) and I’m returned to the page, but the user name and password field is not filled in. This just started happening in iOS 17.4 (17.3.1 works fine for example). Interestingly, if you choose the 🔑 icon on the right side of the keyboard and then choose your credentials you get a blank page until you tap in a text field, then the username and password show up. I have filled out a bug report with Apple, but in the meantime I was curious if anybody else has seen this or has a solution.
Post not yet marked as solved
2 Replies
723 Views
Hi. I'm trying to develop a passkey app connected with a WebAuthn server. There is a problem in the process of creating the Attestation Object. Since I am assigned port 8445, I need to upload the /.well-known/ directory to that port. In the WebAuthn specification, the RPID should not include the port number. (https://www.w3.org/TR/webauthn-2/#relying-party-identifier) When initializing an ASAuthorizationPlatformPublicKeyCredentialProvider object, if I add the port number to RPID, the passkey UI will work and ASAuthorization object will be checked. But I don't get authentication from the WebAuthn server because the Attestation Obj is generated with an RPID which contains the port. Is there any way to specify the port number to check the "well-known" directory? Or is it only possible on port 443? I checked the post, but there is no more feedback, so I'm asking a question. (https://developer.apple.com/forums/thread/730028)
Posted by OhjunKwon.
Post not yet marked as solved
0 Replies
336 Views
If my app utilizes ASWebAuthenticationSession or SFSafariViewController, do I need to add all potential tracking domains that users may access within the session? There is virtually no way to limit the URLs or domains that users can access within the ASWebAuthenticationSession or SFSafariViewController, so how can I know all the potential domains?
Posted by obake.
Post not yet marked as solved
0 Replies
360 Views
Garritt, Kudos for leadership on making Apple PassKeys a reality. would like to consult with Apple security/privacy/authentication teams about new anon/auth tools for web security and device logins generally. concepts are shared in uspto pending patent app 17/572336, for which notice of allowance has issued. thanks, timo founder and seo PoKos Communications Corp. 603.491.9792 (m)
Posted by timoplatt.
Post not yet marked as solved
1 Replies
609 Views
We are relying on ASWebAuthenticationSession to do web authentication. Since the API doesn't support POST requests directly we have to generate a local file in ~/Library/Application Support/<foo.bar>/WebAuth.html containing the POST and use initial URL as file:///Users//Library/Application%20Support//WebAuth.html The problem is that Safari sometimes pops a dialog "Confirm the file to load" and sometimes it doesn't. This doesn't depend on "Full Disk access" TCC. Does anybody know a way to prevent this from happening? MDM option or something? Also the styling of the popup is a rather poor UI choice - it looks very confusing and like the user may choose another file to load. Chrome f.e. doesn't do such popups. I already have FB13340210 for this.
Posted by tandre.
Post not yet marked as solved
1 Replies
437 Views
Hey community! I have an idea of a social network for VisionOS. I'm trying to figure out the best approach to implement the authentication flow for the users. I'm looking into the Auth0 Package, but facing some issues with platform compatibility. Are there any recommendations? I have auth0 in an iOS app and that works just fine. I use the webAuth() method and during migration to VisionOS I got the next error: "Module 'Auth0' has no member named 'webAuth'". I discovered the source code a little bit and found the next condition in the "Auth0" file that is not passing: #if WEB_AUTH_PLATFORM. That should be the root cause why the error occurs at the compilation stage. I tried to apply the flag "-DWEB_AUTH_PLATFORM" to "Swift Compiler - Custom Flags", but it didn't help. Are there any tweaks that I can apply to my project to make it work? I would be happy if someone provides any relevant information. Thank you!