Authentication Services


Improve the experience of users when they enter credentials to establish their identity using Authentication Services.

Authentication Services Documentation

Posts under Authentication Services tag

85 Posts
Post not yet marked as solved
3 Replies
According to the documentation of Apple's Anonymous Attestation Statement Format (fmt="apple"), the nonce generated from the authenticatorData and the clientDataHash is embedded in an extension with OID 1.2.840.113635.100.8.2 in the certificate for the credential public key. If I try to validate a response generated after using Touch ID from my browser on my iOS 14 device, I get a 38-byte value:

    414:d=5  hl=2 l=   9 prim: OBJECT            :1.2.840.113635.100.8.2
    425:d=5  hl=2 l=  38 prim: OCTET STRING      [HEX DUMP]:3024A1220420D9052FED7AA782C1B416C59B0AE15F309A336E22984E32505307A6339DDE52FD

How can this be a SHA-256 hash value?
Post marked as solved
2 Replies
I am trying to implement Sign in with Apple with Firebase. I cannot get around an issue where I get the following error when attempting a sign in. When running:

    Auth.auth().signIn(with: credential) { (authResult, error) in

I get:

    nil credential = OAuthProvider.credential Optional(Error Domain=FIRAuthErrorDomain Code=17004 "The audience in ID Token [] does not match the expected audience." UserInfo={NSLocalizedDescription=The audience in ID Token [] does not match the expected audience., FIRAuthErrorUserInfoNameKey=ERROR_INVALID_CREDENTIAL}) Optional("The audience in ID Token [] does not match the expected audience.")

I have added my URL as stated on Firebase to my identifier: "To complete set up, add this authorization callback URL to your app configuration in the Apple Developer Console. Additional steps may be needed to verify ownership of this web domain to Apple."

More code:

    func authorizationController(controller: ASAuthorizationController, didCompleteWithAuthorization authorization: ASAuthorization) {
        if let appleIDCredential = authorization.credential as? ASAuthorizationAppleIDCredential {
            guard let nonce = currentNonce else {
                fatalError("Invalid state: A login callback was received, but no login request was sent.")
            }
            guard let appleIDToken = appleIDCredential.identityToken else {
                print("Unable to fetch identity token")
                return
            }
            guard let idTokenString = String(data: appleIDToken, encoding: .utf8) else {
                print("Unable to serialize token string from data: \(appleIDToken.debugDescription)")
                return
            }
            print("credential = OAuthProvider.credential")
            // Initialize a Firebase credential.
            let credential = OAuthProvider.credential(withProviderID: "",
                                                      idToken: idTokenString,
                                                      rawNonce: nonce)
            //Auth.auth().createUser(withEmail: T##String, password: T##String, completion: T##AuthDataResultCallback?##AuthDataResultCallback?##(AuthDataResult?, Error?) -> Void)
            // Sign in with Firebase.
            Auth.auth().signIn(with: credential) { (authResult, error) in
                print(Auth.auth().currentUser?.uid ," credential = OAuthProvider.credential ", error)
Post not yet marked as solved
6 Replies
I'm trying to deprecate iOS 13 from my app. One of the compilation warnings I got as a result was:

    'SecRequestSharedWebCredential' is deprecated: first deprecated in iOS 14.0 - Use ASAuthorizationController to make an ASAuthorizationPasswordRequest (AuthenticationServices framework)

So I tried updating my code as follows:

    let provider = ASAuthorizationPasswordProvider()
    let request = provider.createRequest()
    let authorizationController = ASAuthorizationController(authorizationRequests: [request])
    authorizationController.delegate = self
    authorizationController.presentationContextProvider = self
    authorizationController.performRequests()

But it always calls the delegate callback

    func authorizationController(controller: ASAuthorizationController, didCompleteWithError error: Error)

with error

    Error Code=1001 "No credentials available for login." UserInfo={NSLocalizedFailureReason=No credentials available for login.}

even though the device (or simulator) has a stored password for my website. I have my website as an "associated domain" for my app of type webcredentials. What am I doing wrong here?
Post marked as solved
1 Reply
I am facing one issue while trying to Sign in with Apple. The error is as below:

    "The Operation couldn't be completed ( error 1000.)"

I get this error as soon as the button is pressed; it doesn't even get into the actual sign-in part. I have verified that the entitlements file is there with the below content:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "">
    <plist version="1.0">
    <dict>
        <key>aps-environment</key>
        <string>development</string>
        <key></key>
        <array>
            <string>Default</string>
        </array>
    </dict>
    </plist>

I transferred the project and certificates from another machine, so I deleted all the certificates and provisioning profiles and recreated them from the new machine, but still faced an issue. Also, it only happens in exported (archived) builds. When I directly install it from Xcode it is working fine. I have followed the official Apple document to implement it. Below is how I'm requesting the authentication:

    currentNonce = randomNonceString()
    let request = ASAuthorizationAppleIDProvider().createRequest()
    request.requestedScopes = [.fullName, .email]
    let controller = ASAuthorizationController(authorizationRequests: [request])
    request.nonce = currentNonce?.sha256()
    controller.delegate = self
    controller.presentationContextProvider = self
    controller.performRequests()

Below are the delegates:

    func authorizationController(controller: ASAuthorizationController, didCompleteWithAuthorization authorization: ASAuthorization) {
        switch authorization.credential {
        case let appleIDCredential as ASAuthorizationAppleIDCredential:
            //Authenticated
            break
        default:
            break
        }
    }

    func presentationAnchor(for controller: ASAuthorizationController) -> ASPresentationAnchor {
        return self.view.window!
    }

    func authorizationController(controller: ASAuthorizationController, didCompleteWithError error: Error) {
        Utils.showAlert(withMessage: error.localizedDescription)
    }

Any help would be appreciated.
Post not yet marked as solved
2 Replies
Hi devs!!! Calling createCredentialRegistrationRequestWithChallenge returns the following error:

    Error Domain=NSCocoaErrorDomain Code=4097 "connection to service named" UserInfo={NSDebugDescription=connection to service named}

What can be the potential reason?
Post not yet marked as solved
1 Reply
I am creating a React app and am making use of WebAuthn to use Touch ID or Face ID for user authentication. I have built my app so that when the button is clicked, navigator.credentials.create is the only call made. With attestation set to none, there are no issues; however, as soon as I set attestation to direct I get an alert saying 'The operation can't be completed' and 'NotAllowedError: This request has been cancelled by the user.' is logged to the console. The issue only presents itself on Safari and iOS devices, but it works perfectly on other browsers like Chrome. Has anyone encountered a similar issue and possibly know how to resolve it? Thanks, Shay
Post not yet marked as solved
2 Replies
Apple rejected our app because when we use the Apple Sign Up button, the full name in the response is empty, but we need the first and last name in our app registration. So the first and last name text inputs in the app are left empty and we let the users enter those values, but Apple wants the users not to enter the values because the service already returns them; in our case, though, they are empty. We are using React Native with react-native-apple-authentication. Can anyone help us, or has anyone had the same issue with Apple review, and how did you fix it?
Post marked as solved
3 Replies
Hi, I want to implement FIDO-based biometric authentication in our app. I don't want to use passkeys because they are only compatible with iOS 16 and higher. Is there a way to use it through SFSafariViewController, a web view, ASWebAuthenticationSession or any other method?
Post marked as solved
5 Replies
I'm using Xcode 14.2 to build an app that runs on iOS 16.4. There is no webView.isInspectable property in this version. When my app presents a web view, it is inspectable in Safari -> Develop, which is nice. However, when starting an ASWebAuthenticationSession, Safari -> Develop shows "no inspectable applications". It was inspectable on iOS 16.1 but not on iOS 16.4. How can I solve this?
Post not yet marked as solved
1 Reply
We need to append some values to the User-Agent HTTP header for our SSO flows. We use the ASWebAuthenticationSession class as you should, but I can't find any information on how to modify the headers in this web view. I have tried setting the "global" user agent via

    UserDefaults.standard.register(defaults: ["UserAgent": "fakeUserAgent"])

While it does change the User-Agent in WKWebView, it seemingly does not impact the ASWebAuthenticationSession. There are also no configuration settings to change headers or the User-Agent on ASWebAuthenticationSession. Is it not possible by security design?
Post not yet marked as solved
0 Replies
Hello. In order to respect the anonymity of the users of my web platform (by storing as little private data as possible in the database), I would like to know if OS X, like its competitor Android, offers the use of the internal security of the device (linked to a personal account, Apple or Android ID) to authenticate a user by requiring only his personal ID (or one generated by the OS and intended for all browsers) for a double authentication, and thus, at the click of a button on the website, send a text message to the phone (or all devices connected to the same account) to confirm that it is the same person who is accessing his personal account, using the same functionality as: . E.g. something which would call the OS dual authentication system and ask the device (phone or tablet) to display a request for authentication confirmation, either by simply clicking a button or by filling in a 6-digit code. Is it possible, and does that exist?
Post not yet marked as solved
1 Reply
I have a bit of a tricky severe hang in my app launch processing code path. Here is the detail: I have a .task modifier from the main ContentView that calls into the signInWithAppleManager.checkUserAuth method, which is marked async. I've tried wrapping the offending line in a Task block to get it off of the main thread, but it still hangs, and is still running on the main thread. Ironically, I found the hang after watching "Analyze Hangs With Instruments" from WWDC 23. However, at the point in the video towards the end where he discusses shared singletons, he mentions resolving a similar issue by making the shared singleton async, and then skips over how he would do it, kind of seemingly presenting a gap in analysis and debugging, while also explaining idle state ... kind of more irony. Thanks in advance!

    Task {
        let appleIDProvider = ASAuthorizationAppleIDProvider()

Is there anything else that I can do to resolve this? Here is the code:

    public class SignInWithAppleManager: ObservableObject {
        @Published public private(set) var userAuthenticationState: AuthState = .undefined
        public static let shared = SignInWithAppleManager()
        private init() { }

        func signOutUser() async {
            KeychainItem.deleteUserIdentifierFromKeychain()
            await SignInWithAppleManager.shared.updateUserAuthenticationState(authState: .signedOut)
        }

        @MainActor func userAuthenticated() async {
            self.userAuthenticationState = .signedIn
        }

        @MainActor func userSignedOut() async {
            self.userAuthenticationState = .undefined
        }

        func simulateAuthenticated() async -> Bool {
            return false
        }

        public var isAuthenticated: Bool {
            return self.userAuthenticationState == .signedIn
        }

        @MainActor func updateUserAuthenticationState(authState: AuthState) async {
            debugPrint("Current authstate: \(self.userAuthenticationState) New auth state: \(authState)")
            self.userAuthenticationState = authState
        }

        public func checkUserAuth() async -> AuthState {
            debugPrint(#function)
            //completion handler defines authstate
            if KeychainItem.currentUserIdentifier == "" || KeychainItem.currentUserIdentifier == "simulator" {
                debugPrint("User identifier is empty string")
                await updateUserAuthenticationState(authState: .undefined) //userid is not defined in User defaults bc empty, something went wrong
            } else {
                await updateUserAuthenticationState(authState: .signedIn)
            }
            if await !self.simulateAuthenticated() {
                // HERE: ‼️ hangs for 2 seconds
                let appleIDProvider = ASAuthorizationAppleIDProvider()
                // HERE: ‼️ hangs for 2 seconds
                do {
                    let credentialState = try await appleIDProvider.credentialState(forUserID: KeychainItem.currentUserIdentifier)
                    switch credentialState {
                    case .authorized:
                        debugPrint("checkUserAuth:authorized")
                        // The Apple ID credential is valid. Show Home UI Here
                        await updateUserAuthenticationState(authState: .signedIn)
                        break
                    case .revoked:
                        debugPrint("checkUserAuth:revoked")
                        // The Apple ID credential is revoked. Show SignIn UI Here.
                        await updateUserAuthenticationState(authState: .undefined)
                        break
                    case .notFound:
                        debugPrint("checkUserAuth:notFound")
                        // No credential was found. Show SignIn UI Here.
                        await updateUserAuthenticationState(authState: .signedOut)
                        break
                    default:
                        debugPrint("checkUserAuth:undefined")
                        await updateUserAuthenticationState(authState: .undefined)
                        break
                    }
                } catch {
                    // Handle error
                    debugPrint("checkUserAuth:error")
                    debugPrint(error.localizedDescription)
                    await updateUserAuthenticationState(authState: .undefined)
                }
            }
            return self.userAuthenticationState
        }
    }
Post not yet marked as solved
2 Replies
Is there a way to release or generate a secret key when using passkeys? I want to build end-to-end encryption in my app but I also want to deliver a great user experience by leveraging the user's passkey. During authentication I want to also receive a secret that I can use to derive encryption keys. In the future on the web to do this you can leverage the WebAuthn pseudo-random function (PRF) extension. Is there an alternative to this in Authentication Services?
Post not yet marked as solved
3 Replies
Firstly, a massive thank you to the Passkeys team at Apple for opening up the APIs to allow third-party password manager apps to save and autofill passkeys in iOS 17! I wasn't expecting this so soon. Incredible work. I have successfully implemented the new methods on ASCredentialProviderViewController, up to the point where our app's extension is now being presented when a user is prompted to "Create a passkey?". However, two things are not entirely clear to me from this point on: When the user chooses our app to create a password by tapping "Continue", the prepareInterfaceToProvideCredential(for credentialRequest: ASCredentialRequest) method is called. Should I be handling passkey creation within this method? Really, at this point I was expecting prepareInterface(forPasskeyRegistration: to be called instead. Are new passkeys automatically generated and returned by AuthenticationServices during this flow, or is it down to the developer to generate a new passkey here? I ask because the documentation for prepareInterface(forPasskeyRegistration: seems to imply the former, stating: "This method will present your extension's UI for user authentication before creating the passkey." Thanks again.
Post not yet marked as solved
3 Replies
Hi all, I'm trying to create a Passkeys registration in my app. This is the implementation I have:

    ASAuthorizationPlatformPublicKeyCredentialProvider *provider = [[ASAuthorizationPlatformPublicKeyCredentialProvider alloc] initWithRelyingPartyIdentifier:[[jsonDict objectForKey:@"rp"] objectForKey:@"id"]];
    ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest *request = [provider createCredentialRegistrationRequestWithChallenge:[jsonDict objectForKey:@"challenge"]
                                                                                                                                   name:[[jsonDict objectForKey:@"user"] objectForKey:@"name"]
                                                                                                                                 userID:[[jsonDict objectForKey:@"user"] objectForKey:@"id"]];
    ASAuthorizationController *controller = [[ASAuthorizationController alloc] initWithAuthorizationRequests:[NSArray arrayWithObject:request]];
    controller.delegate = self;
    controller.presentationContextProvider = self;
    [controller performRequests];

But I get this error:

    Remote proxy object error handler invoked with error: Error Domain=NSCocoaErrorDomain Code=4097 "Couldn’t communicate with a helper application."
    Connection to agent service interrupted with error: Error Domain=NSCocoaErrorDomain Code=4097 "Couldn’t communicate with a helper application."
    ASAuthorizationController credential request failed with error: Error Domain=NSCocoaErrorDomain Code=4097 "Couldn’t communicate with a helper application."

And this is the NSError I get in authorizationController:didCompleteWithError:

    authorizationController error: Error Domain=NSCocoaErrorDomain Code=4097 "connection to service named" UserInfo={NSDebugDescription=connection to service named}

Everything is defined right (associated domains in the project and .well-known). Any reason I can't continue? Edit: I'm on iOS 17.0 (21A5248v) and Xcode beta (15A5160n), if it matters. Thanks
Post marked as solved
1 Reply
I have been looking through the example Passkey code in the Shiny app. I found it confusing at the part about how it performs passkey auto-fill. Specifically, I'm confused about the code in the file Shared/AccountManager.swift, method beginAutoFillAssistedPasskeySignIn:

    func beginAutoFillAssistedPasskeySignIn(anchor: ASPresentationAnchor) {
        self.authenticationAnchor = anchor
        let publicKeyCredentialProvider = ASAuthorizationPlatformPublicKeyCredentialProvider(relyingPartyIdentifier: domain)
        // Fetch the challenge from the server. The challenge needs to be unique for each request.
        let challenge = Data()
        let assertionRequest = publicKeyCredentialProvider.createCredentialAssertionRequest(challenge: challenge)
        // AutoFill-assisted requests only support ASAuthorizationPlatformPublicKeyCredentialAssertionRequest.
        let authController = ASAuthorizationController(authorizationRequests: [ assertionRequest ] )
        authController.delegate = self
        authController.presentationContextProvider = self
        authController.performAutoFillAssistedRequests()
    }

Based on my understanding and what the WWDC session shows: performAutoFillAssistedRequests should happen as soon as the screen presents, which is even before the user types in anything. My question is: if the user hasn't typed in their username/email, how do I communicate with my server to get a challenge? My server requires a username (email) to return a challenge. A possible answer I've been thinking about is: the server's initial authentication endpoint should NOT require a username/email because a challenge is naive and it's not user specific. But I can't find the above info in any specifications. The best I could find was: "The script asks the client for an Authentication Assertion, providing as much information as possible to narrow the choice of acceptable credentials for the user. This can be obtained from the data that was stored locally after registration, or by other means such as prompting the user for a username."

Source:

The wording "as much information as possible" from above implies that when the app requests a challenge, it's possible that it doesn't provide a username. Please let me know if the answer above is correct. If not, please help answer the question. I really appreciate any help anyone can provide.
Post not yet marked as solved
1 Reply
We registered certified FIDO2 devices in Apple ID as security keys; registration was performed without any problem. The first log-in/log-out iterations also worked without problem. Then, after a while, one of the keys started to be rejected (see the attached screenshot) with "failed to verify security key" and "error description not available". The second, identical key still functions correctly. We were unable to reproduce the problem on demand; the problem simply seems to appear randomly. Although the second FIDO2 device still works, there is a theoretical possibility of being locked out of the account. The only difference we could identify from other FIDO2 devices is that it prioritises the ECC algorithm (-7), compared to other FIDO2 devices that prioritise RSA (-257). If ECC is not supported, then it should reject the FIDO2 device at registration. How do we properly contact Apple to solve this relatively serious issue?
Post not yet marked as solved
1 Reply
Hey folks, I'm currently building an SDK that will manage the creation and authentication of passkeys for my users, and this SDK can be integrated into 3rd-party apps that are out of my direct control. The scenario in which this SDK will be used is like when you have an app that lets you link your account with LinkedIn, to get some info about you there, and you need to log in with your LinkedIn account. So, the app itself that is consuming the SDK can have a passkey, and this "link account" feature (SDK) will also manage its own passkey creation and authentication. Based on this I have a couple of questions: 1. Can I grant the associated domains/webcredentials entitlements only to my SDK, such that the SDK is the only part allowed to create or access my passkeys, while the app that consumes the SDK can only call the functionality exposed by the SDK and does not directly have the privileges to create and access my passkeys or my iCloud Keychain? 2. If 1 is not possible, what other options do I have? I imagine that if I give these 3rd-party apps that consume my SDK access to my associated domain webcredentials, I also give them permission to create passkeys in my name, using my RPID, and this is a really insecure scenario, so a no go. Could you folks help me to understand the best course of action in this scenario? Thanks!
Post not yet marked as solved
0 Replies
We have been trying to implement OAuth 2.0 SAML Bearer Assertion authentication in our enterprise iOS application. We are not receiving the SAML Assertion ID response in WKWebView. Can you please confirm whether OAuth 2.0 SAML Bearer Assertion is possible in native iOS development? Please suggest how this can be achieved in iOS native development.