Using both the Apple sample app for passkeys (link below) and another barebones sample app from github (link below), we are getting this same error when trying to retrieve a user's passkey that has been created from our website associated with the sample app:
ASAuthorizationController credential request failed with error: Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1004 "(null)"
Error: ["NSLocalizedFailureReason": Unable to verify webcredentials association of TEAMID.com.company.product with domain app.company.com. Please try again in a few seconds.]
Note I have replaced TEAMID, the bundle id and the website id here, but the values match our site association file, which has this content:
{
"webcredentials": {
"apps": [ "TEAMID.com.company.product" ]
}
}
and is hosted at:
https://app.company.com/.well-known/apple-app-site-association
(returned with Content-Type: application/json header)
The enum values for ASAuthorizationError.Code I believe are:
canceled: 1000
failed: 1001
invalidResponse: 1002
notHandled: 1003
notInteractive: 1004
unknown: 1005
Thus we are getting notInteractive, which according to another forum post here, we should not be seeing. With both sample apps, I've made sure the request to perform authentication is triggered from a button press by the user. Can someone please help us figure out why we are getting this error?
Xcode version: 16.2
MacOS version: 15.2
iOS version: 18.2
iPhone model: iPhone SE (MHGT3X/A)
Link for Apple sample app:
https://developer.apple.com/documentation/authenticationservices/connecting_to_a_service_with_passkeys
Link for Github sample app:
https://github.com/hansemannn/iOS16-Passkeys-Sample
Authentication Services
RSS for tagImprove the experience of users when they enter credentials to establish their identity using Authentication Services.
Posts under Authentication Services tag
95 Posts
Sort by:
Post
Replies
Boosts
Views
Activity
we are currently using an APNs Authentication Key to send
notifications and have not generated any Development or Production APNs certificates. Could you please confirm whether using the APNs
Authentication Key alone is sufficient under the updated requirements?
Alternatively, do we need to generate Development and Production APNs
certificates that support SHA-2 for compliance with the changes?
In order to create a Message Filter Extension it is necessary to set up Shared Web Credentials.
I'd like to form an understanding of what role SWC plays when the OS is making request to the associated network service (when the extension has called deferQueryRequestToNetwork()) and how this differs from when an app directly uses Shared Web Credentials itself.
When an app is making direct use of SWC, it makes a request to obtain the user's credentials from the web site.
However in the case of a Message Filter Extension, there aren't any individual user credentials, so what is happening behind the scenes when the OS makes a server request on behalf of a Message Filtering Extension?
A more general question - the documentation for Shared Web Credentials says "Associated domains establish a secure association between domains and your app.".
Thank you
Hi everyone,
I'm developing a minimal Safari web extension for macOS and trying to implement "Sign in with Apple" directly from the extension popup, as per Apple's guidelines it's prohibited to open a new tab/window:
Guideline 4.0 - Design: The user is taken to a new Safari window or tab to sign in or register for an account, which provides a poor user experience.
What I've Done So Far
Created an App ID with "Sign in with Apple" enabled and configured.
Created a Service ID with the "Sign in" feature enabled.
Enabled "Sign in with Apple" for native targets in Xcode
Added the following JavaScript code in my popup.html file to initialize the Apple JS API and handle authentication via a popup:
<script type="text/javascript" src="https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js"></script>
<script>
// have tried many different configurations here - nothing works!
AppleID.auth.init({
clientId: '<valid client ID>',
redirectURI: '<valid URL>',
usePopup: true,
});
document.getElementById('sign-in-button-apple')
.addEventListener('click', () => {
AppleID.auth.signIn().then((response) => {
console.log('Success', response)
}).catch((error) => {
console.error('Error', error)
});
});
</script>
I also added event listeners for AppleID events:
document.addEventListener('AppleIDSignInOnSuccess', (event) => {
console.log('Success', event);
});
document.addEventListener('AppleIDSignInOnFailure', (event) => {
console.log('Error', event);
});
Issue
When I click the "Sign in" button in the popup, a native macOS dialog appears for authorization. However, after confirming sign-in, the modal just closes and no response (success or error) is logged in the console.
Expected behavior
To receive a success message or an error in the console about the authorization process result.
Questions
Service ID Configuration: Since the popup's location URL is safari-web-extension://<random-url>, I can't add it to the supported redirect URLs in the Service ID settings. Is there a way to work around this?
Safari Web Extension Setup: Are there specific configurations required in Xcode to enable "Sign in with Apple" within a Safari web extension?
Sign-In Method: Am I correctly implementing the signIn method in the JavaScript code? Could there be any constraints or special considerations for running it within an extension popup?
I would greatly appreciate any guidance, examples, or documentation that can help resolve this issue.
Thank you in advance!
Our app is getting rejected from the app store because we don't allow users to delete their accounts. However, we use a non-custodial auth provider, Web3Auth, so no user accounts are generated, and no data is stored. How are we supposed to allow users to delete an account that doesn't exist?
Hi everyone,
I am trying to use ASWebAuthenticationSession to authorize user using OAuth2.
Service Webcredentials is set.
/.well-known/apple-app-site-association file is set.
When using API for iOS > 17.4 using new init with callback: .https(...) everything works as expected, however i cannot make .init(url: ,callbackURLScheme: ....) to work.
How can i intercept callback using iOS <17.4?
Do I really need to use universal links?
callbackURL = https://mydomain.com/auth/callback
iOS18.1.1 macOS15.1.1 xcode16.1 Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1004 "Unable to verify webcredentials association of ********** with domain ******************. Please try again in a few seconds."
Our domain must query with VPN, so I set webcredentials:qa.ejeokvv.com?mode=developer
following:
"If you use a private web server, which is unreachable from the public internet, while developing your app, enable the alternate mode feature to bypass the CDN and connect directly to your server. To do this, add a query string to your associated domains entitlement, as shown in the following example:
:?mode=
"
but it still not working, even after I set mode=developer.
Please help!!!!
Hello, I am currently implementing a biometric authentication registration flow using WebAuthn. I am using ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest, and I would like to know if there is a way to hide the "Save to another device" option that appears during the registration process.
Specifically, I want to guide users to save the passkey only locally on their device, without prompting them to save it to iCloud Keychain or another device.
If there is a way to hide this option or if there is a recommended approach to achieve this, I would greatly appreciate your guidance.
Also, if this is not possible due to iOS version or API limitations, I would be grateful if you could share any best practices for limiting user options in this scenario.
If anyone has experienced a similar issue, your advice would be very helpful. Thank you in advance.
Hello, I am currently working on implementing credential registration for biometric authentication using WebAuthn in an iOS app. I am using ASAuthorizationPlatformPublicKeyCredentialProvider to create a credential registration request based on the data retrieved from the WebAuthn options endpoint.
At the moment, I am only using user.id, user.name, and challenge from the options response, and I am unsure how to utilize the other fields effectively. I would greatly appreciate advice on how to use the following fields:
**Fields I would like to use:
**
rp (Relying Party)
I am retrieving id and name, but I am not sure how best to pass and utilize these fields. Is there an explicit way to use them?
authenticatorSelection
How can I set requireResidentKey and userVerification in ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest? Also, what are the specific benefits of using these fields?
timeout
Is there a way to reflect the timeout value in the credential registration request, and what would be the best way to handle this information in iOS?
attestation
The attestation field can contain values such as none or direct. How should I reflect this in the credential registration request for iOS? I would appreciate a sample implementation or guidance on the benefits of setting this field.
extensions
If I want to customize the authentication flow using the extensions field, how can I appropriately reflect this in iOS? For instance, how can I utilize extensions like credProps?
pubKeyCredParams
Regarding pubKeyCredParams, which is a list of supported public key algorithms, I am unsure how to use it to select an appropriate algorithm in iOS. How should I incorporate this information into the request?
excludeCredentials
I understand that setting excludeCredentials can prevent duplicate registration, but I am not sure how to use past credential information to set it effectively. Any advice on this would be appreciated.
**Current Code
**
Currently, I have implemented the following code, but I am struggling to understand how to add and configure the fields mentioned above.
let publicKeyCredentialProvider = ASAuthorizationPlatformPublicKeyCredentialProvider(
relyingPartyIdentifier: "www.example.com"
)
let registrationRequest = publicKeyCredentialProvider.createCredentialRegistrationRequest(
challenge: challenge,
name: userId,
userID: userIdData
)
let authController = ASAuthorizationController(authorizationRequests: [registrationRequest])
authController.delegate = self
authController.presentationContextProvider = self
authController.performRequests()
In addition to the above code, I would be grateful if anyone could advise on how to configure fields like rp, authenticatorSelection, attestation, extensions, and pubKeyCredParams as well. Furthermore, I would appreciate any insights into the benefits of setting each of these fields in iOS, and any security considerations to be aware of.
If anyone has experience with this, your guidance would be extremely helpful. Thank you very much in advance!
Hi,
ASCredentialProvider had been almost identically implemented on both iOS and macOS so far, but the ProvidesTextToInsert feature was only added to iOS. It would have been a crucial point to make Credential Providers available in all textfields, without users having to rely on developers correctly setting roles for their Text Fields.
It's right now impossible to paste credentials into Notes, or some other non-password text box both in web and desktop apps for example, in a seamless, OS-supported way without abusing Accessibility APIs which are understandably disallowed in Mac App Store apps. Or just pasting an SSH key, or anything. On macOS this has so many possibilities. It could even have a terminal command.
It's even more interesting that "Passwords..." is an option in macOS's AutoFill context menu, just like on iOS, however Credential Providers did not gain this feature on macOS, only on iOS.
Is this an upcoming feature, or should we find alternatives? Or should I file a feature request? If it's already in the works, it's pointless to file it.
Urgent Assistance Needed: Issue Logging into Apple Developer Enterprise Account via Visual Studio 2022 - "Authentication service is unavailable."
Dear Apple Support Team,
I am encountering an issue while attempting to log into my Apple Developer Enterprise account through Visual Studio 2022. The process consistently fails with the error message: "Authentication service is unavailable."
Here are the steps I followed:
Open Visual Studio 2022.
Navigate to Tools -> Options -> Apple Developer Account -> Add Account -> Select Enterprise Account.
Attempt to log in using my Apple Developer ID and password.
Despite multiple attempts, I continue to face the error: "Authentication service is unavailable."
This issue occurs on both Windows and Mac environments, with the same results. However, I am able to log into my Apple Developer account via the browser, and the Apple service status portal shows no outages.
As this issue is impacting our ability to deliver to our customers, I kindly request your prompt assistance in resolving this matter.
Thank you in advance for your help. I look forward to your quick response.
Best regards,
KanTime Dev Team
Windows Machine
Mac Machine
Our desktop app for macos will be released in 2 channels
appstore
dmg package on our official website for users to download and install
Now when we debug with passkey, we find that the package name of the appstore can normally arouse passkey, but the package name of the non-App Store can not arouse the passkey interface
I need your help. Thank you
Is there any particular reason why ASWebAuthenticationSession doesn't have support for async/await? (example below)
do {
let callbackURL = try await webAuthSession.start()
} catch {
// handle error
}
I'm curious if this style of integration doesn't exist for architectural reasons? Or is the legacy completion handler style preserved in order to prevent existing integrations from breaking?
Hello,
One of the apps my team is developing is using Keycloak for allowing users to authenticate inside the application. We are using Keycloak primarily to act as the backend identity provider and not forcing users to authenticate via social logins (Facebook, Google, etc.).
Under point 4.8 (at the time of posting) in the AppReview guidelines, would the app need to also offer another login service?
Hi all.
So, I built the platform SSO extension on a demo server I created and everything ran smoothly. I get the tokens at the end of the process.
Now, I want to use the tokens when I trigger my SSO extension in my domain from Safari.
I trigger my domain, get into the beginAuthorization method, get the request.loginManager?.ssoTokens and then want to return them to Safari by calling the request.complete method.
But, no matter what complete method I call (complete(httpResponse: HTTPURLResponse, httpBody: Data?) or complete(httpAuthorizationHeaders: [String : String]) where I insert the Bearer token into the Authorization header, it will not drill down to Safari or my server. The headers I try to send back are not moving from the extension to Safari.
Some knows why its happening?
Thank you for any help or suggestion.
I am currently implementing an authentication function using ASWebAuthenticationSession to log in with my Instagram account.
I set a custom scheme for the callbackURLScheme, but
In the Instagram redirect URL
I was told I can't use a custom scheme.
What should I do with the callbackURLScheme of the ASWebAuthenticationSession in this case?
I'm currently implementing a function in SwiftUI to log in with my Instagram account.
It's not working, I'm creating a Firebase Auth function and it comes back to the redirect URL.
This may happen if browser sessionStorage is inaccessible or accidentally cleared. This may happen if browser sessionStorage is inaccessible or accidentally cleared.
I get this error.
I can't implement it. I have tried various methods, but all have failed.
If anyone knows how to do this, please help.
import SwiftUI
import AuthenticationServices
import FirebaseAuth
struct InstagramLoginView: View {
var body: some View {
VStack {
Text("Login with Instagram") // タイトル
Button(action: {
// ボタンが押された時にInstagramのログイン処理を開始
InstagramLoginHelper().startInstagramLogin()
}) {
Text("Login with Instagram")
.padding()
.background(Color.blue)
.foregroundColor(.white)
.cornerRadius(8)
}
}
}
}
class InstagramLoginHelper: NSObject, ASWebAuthenticationPresentationContextProviding {
func startInstagramLogin() {
let clientID = "XXXXXXXXXXXX"
let redirectURI = "https://XXXXXXXXXXX.firebaseapp.com/__/auth/handler"
let authURL = "https://api.instagram.com/oauth/authorize?client_id=\(clientID)&amp;redirect_uri=\(redirectURI)&amp;scope=user_profile,user_media&amp;response_type=code"
let schem = "XXXXXXXXXXXX"
if let url = URL(string: authURL) {
let session = ASWebAuthenticationSession(url: url, callbackURLScheme: schem) { callbackURL, error in
if let error = error {
print("Error during authentication: \(error.localizedDescription)")
return
}
if let callbackURL = callbackURL, let code = URLComponents(string: callbackURL.absoluteString)?.queryItems?.first(where: { $0.name == "code" })?.value {
// 認証コードを使ってFirebaseでログインする
self.loginWithInstagram(authCode: code)
}
}
session.presentationContextProvider = self
session.start()
}
}
func loginWithInstagram(authCode: String) {
// Firebaseのauthインスタンスを取得
let auth = Auth.auth()
// InstagramのOAuthプロバイダを使用する
let provider = OAuthProvider(providerID: "instagram.com")
// Instagramの認証コードを使って、プロバイダの認証資格情報を生成
provider.getCredentialWith(nil) { credential, error in
if let error = error {
print("Error during authentication: \(error.localizedDescription)")
return
}
if let credential = credential {
// Firebaseにログイン
auth.signIn(with: credential) { authResult, error in
if let error = error {
print("Error during Firebase authentication: \(error.localizedDescription)")
} else {
print("Successfully authenticated with Firebase.")
}
}
}
}
}
// ASWebAuthenticationPresentationContextProvidingの実装
func presentationAnchor(for session: ASWebAuthenticationSession) -&gt; ASPresentationAnchor {
return UIApplication.shared.windows.first { $0.isKeyWindow } ?? ASPresentationAnchor()
}
}
#Preview {
InstagramLoginView()
}
I am currently using the ability to log in with my Instagram account using ASWebAuthenticationSession and it is not working!
I filled in the URL directly and there was no problem on the web, but when I run it in SwiftUI in Xcode, it doesn't work and
Error: The operation couldn’t be completed. (com.apple.AuthenticationServices.WebAuthenticationSession error 2.)
I get this error.
I was told that I need a custom scheme to return to mobile, but the Instagram redirect URL says no custom scheme.
What should I do?
IDs and URLs are placed under assumption.
I have no idea since this is my first implementation.
Should I send the scheme URL from the website to mobile once using Django or something else?
import SwiftUI
import AuthenticationServices
struct InstagramLoginView: View {
@State private var authSession: ASWebAuthenticationSession?
@State private var token: String = ""
@State private var showAlert: Bool = false
@State private var alertMessage: String = ""
var body: some View {
VStack {
Text("Instagram Login")
.font(.largeTitle)
.padding()
Button(action: {
startInstagramLogin()
}) {
Text("Login with Instagram")
.padding()
.background(Color.blue)
.foregroundColor(.white)
.cornerRadius(10)
}
if !token.isEmpty {
Text("Token: \(token)")
.padding()
}
}
.alert(isPresented: $showAlert) {
Alert(title: Text("Error"), message: Text(alertMessage), dismissButton: .default(Text("OK")))
}
}
func startInstagramLogin() {
let clientID = "XXXXXXXXXX" // Instagram client ID
let redirectURI = "https://example.com" // Instagram Redirect URI
guard let authURL = URL(string: "https://api.instagram.com/oauth/authorize?client_id=\(clientID)&redirect_uri=\(redirectURI)&scope=user_profile,user_media&response_type=code") else {
print("Invalid URL")
return
}
authSession = ASWebAuthenticationSession(url: authURL, callbackURLScheme: "customscheme") { callbackURL, error in
if let error = error {
print("Error: \(error.localizedDescription)")
return
}
guard let callbackURL = callbackURL else {
print("Invalid callback URL")
return
}
if let code = URLComponents(string: callbackURL.absoluteString)?.queryItems?.first(where: { $0.name == "code" })?.value {
print("Authorization code: \(code)")
getInstagramAccessToken(authCode: code)
}
}
authSession?.start()
}
func getInstagramAccessToken(authCode: String) {
let tokenURL = "https://api.instagram.com/oauth/access_token"
var request = URLRequest(url: URL(string: tokenURL)!)
request.httpMethod = "POST"
let clientID = "XXXXXXXXXXXX"
let clientSecret = "XXXXXXXXXXXXXX" // Instagram clientSecret
let redirectURI = "https://example.com/"
let params = "client_id=\(clientID)&client_secret=\(clientSecret)&grant_type=authorization_code&redirect_uri=\(redirectURI)&code=\(authCode)"
request.httpBody = params.data(using: .utf8)
request.setValue("application/x-www-form-urlencoded", forHTTPHeaderField: "Content-Type")
URLSession.shared.dataTask(with: request) { data, response, error in
if let error = error {
print("Error: \(error.localizedDescription)")
return
}
guard let data = data else {
print("No data")
return
}
if let jsonResponse = try? JSONSerialization.jsonObject(with: data, options: []) as? [String: Any],
let accessToken = jsonResponse["access_token"] as? String {
print("Access Token: \(accessToken)")
// ここでアクセストークンを使用してInstagram APIにアクセスする
} else {
print("Failed to get access token")
}
}.resume()
}
}
#Preview {
InstagramLoginView()
}
Hi, I'm leveraging ASAuthorizationSecurityKeyPublicKeyCredentialProvider to authenticate users to an internal service using security keys or passkeys. I'm not using Sign in with Apple - registration is done in another internal service. We're using associated domains. This is on MacOS only.
I'm wondering whether I can programatically determine whether the user has a passkey enrolled with our super-secret-internal-service.com domain already?
The reason I'm asking is simply better UX - if the user doesn't have a passkey enrolled, I'd like to avoid offering them an option to use a platform authenticator and only offer them to tap their security key. We can assume that all users already have their security keys enrolled already.
So something like the following:
let securityKeyProvider = ASAuthorizationSecurityKeyPublicKeyCredentialProvider(relyingPartyIdentifier: options.rpId)
let securityKeyRequest = securityKeyProvider.createCredentialAssertionRequest(challenge: options.challenge.data(using: .utf8) ?? Data())
let platformProvider = ASAuthorizationPlatformPublicKeyCredentialProvider(relyingPartyIdentifier: options.rpId)
let platformKeyRequest = platformProvider.createCredentialAssertionRequest(challenge: options.challenge.data(using: .utf8) ?? Data())
var authRequests: [ASAuthorizationRequest] = [securityKeyRequest]
if (userHasPasskeyForDomain("super-secret-internal-service.com")) { // TODO how do I check this??
authRequests.append(platformKeyRequest)
}
let authController = ASAuthorizationController(authorizationRequests: [platformKeyRequest, securityKeyRequest])
Many thanks!
Hello everyone,
I’m encountering an issue with Sign in with Apple in my watchOS app and would appreciate any guidance.
Background:
Initially, I did not have the Sign in with Apple capability enabled on my watchOS app.
I have since enabled the capability and grouped it with my iOS app.
For new user accounts created after this change, everything works perfectly:
The credentialState check returns .authorized on both iOS and watchOS.
However, for existing user accounts (created before enabling the capability on watchOS):
The credentialState check returns not authorized on watchOS.
The check still returns .authorized on iOS for these accounts.
Error Details:
When calling ASAuthorizationAppleIDProvider.credentialState(forUserID:) on watchOS for existing accounts, I receive the following error:
Error Domain=AKAuthenticationError Code=-7074 "(null)"
My Suspicions:
I believe the issue arises because the existing Sign in with Apple tokens are only associated with the iOS app’s bundle identifier and not with the watchOS app’s bundle identifier. Since the capability wasn’t enabled on the watchOS app when these accounts were created, their tokens aren’t valid for the watchOS app.
Questions:
Is this the correct explanation for why the credentialState check fails on watchOS for existing accounts, resulting in the AKAuthenticationError Code=-7074 error?
Can I update or migrate the existing accounts so that their Sign in with Apple tokens are valid for the watchOS app as well? If so, how can this be achieved?
Are there any best practices for handling this situation without requiring users to re-authenticate or removing the credentialState check from the watchOS app?
Goal:
I want to maintain the credentialState check on the watchOS app because it works correctly for new accounts and is important for security. I’m looking for a solution that allows existing users to continue using the app on their Apple Watch without interruption or additional sign-in steps.
Any help or suggestions would be greatly appreciated!
Thank you!