I have my custom Authplugin implemented at login (system.login.console), and I want to remove password requirement validation/authentication from system.login.console authorization right. Do you see any functionality loss in completely removing password need at login. And is there any reference which can help me here to acheive this?
Authentication Services
RSS for tagImprove the experience of users when they enter credentials to establish their identity using Authentication Services.
Posts under Authentication Services tag
101 Posts
Sort by:
Post
Replies
Boosts
Views
Activity
Hey everyone,
I'm working on a password manager app for iOS and I'm trying to implement the new iOS 18 feature that lets users enable autofill directly from within the app. I know this exists because I've seen it in action in another app. They've clearly figured it out, but I'm struggling to find any documentation or info about the specific API.
Has anyone else had any luck finding this? Any help would be greatly appreciated!
Thanks in advance!
Hello everyone,
In my application, i have implemented authentication using ASWebauthenticationSession. However, when redirecting the user to a WKWebView, no cookies are shared, causing the session to be lost and requiring the user to log in again.
Is there a way to share cookies between the two? If not, what would be the best approach to set up authentication that ensures SSO when switching to a WebView ?
Thank you very much for your help !
I am currently unable to enable passkey in my app so I am having to tell my users to skip the prompts for using passkey. We have noticed that after a few times of this the OS will stop asking the user to register their passkey. The question is, how long does this last before the OS asks you to use passkey again? Is it permanent until you re-install the app? Just looking for a time frame if anyone knows.
I am using Auth0 as a login manager for our app. The way Auth0 handles login is that their SDK will create a web view where the login is actually handled. Once the login is finished the session will end and the app will gain control. We are not set up for passkeys in their system and can't set up quickly to do that. Unfortunately with the new iOS "passkey is the primary login" way iOS is set up now, users are asked to use passkey when it's not supported on the backend. I don't have direct control of the login screens. Is there any way, at the app level, to tell the app to not use passkeys so that it quits showing up as an option for the users? I can't find any documentation on doing this. How can I stop passkey in my app entirely?
I have been able to save and remove ASPasskeyCredentialIdentities in the ASCredentialIdentityStore. But after saving a ASPasskeyCredentialIdentity, when I retrieve the current identities stored, it always returns an empty list. I check to make sure the store is enabled. I am using this method which is available starting with iOS 17.4:
extension ASCredentialIdentityStore {
public func credentialIdentities(forService serviceIdentifier: ASCredentialServiceIdentifier? = nil, credentialIdentityTypes: ASCredentialIdentityStore.IdentityTypes = []) async -> [any ASCredentialIdentity]
}
I have called it like this:
store.credentialIdentities(forService: nil, credentialIdentityTypes: .passkey)
And this:
store.credentialIdentities()
Has anyone got this to work?
Hi team, if I log into my app on Safari and try to enroll/challenge MFA security key option, I will be able to see this pop-up that gives me the option to pick either passkeys or external security keys
However, my team member who's using the same version of safari, can only see the external security key option
Why is this?
Hello,
I've developed a macOS app with an AutoFill Credential Provider extension that functions as a passkey provider. In the registration flow, I want my app to appear as a passkey provider only when specific conditions are met.
Is there a way to inspect the request from the web before the passkey provider selection list is displayed to the user, determine whether my app can handle it, and then use that result to instruct the OS on whether to include my app in the passkey provider selection list?
Alternatively, is there a way to predefine conditions that must be met before my app is offered as a passkey provider in the selection list?
Thanks!
I'm developing an iOS app that utilizes Universal Links and ASWebAuthenticationSession to deep-link from a website to the app itself. This implementation adheres to the recommendations outlined in RFC 8252, ensuring that the app opening the ASWebAuthenticationSession is the same app that is launched via the Universal Link.
Problem:
While most users can successfully launch the app via Universal Links,a few percent of users experience instances where the app fails to launch, and the user is redirected to the browser.
What I've Tried:
ASWebAuthenticationSession Configuration: I've double-checked the configuration of callbackURLScheme and presentationContextProvider.
Universal Links: Verified the apple-app-site-association file and associated domains entitlement.
Network Conditions: Tested on various network environments (Wi-Fi, cellular) and devices.
Questions:
What are the potential causes for this behavior?
Has anyone else encountered a similar issue and found a solution?
Are there any debugging techniques or ways to generate more detailed logs?
I haven't been able to determine which device or OS version is causing this problem.
Thank you.
I want to implement webauthn using WKWebView for my mac application. I want to host the asaa file in the rpid. Below are my site configuration -
Main domain - example.com
Subdomain which has the sign-in view and where webauthn kicks in - signin.example.com
RPID - example.com
Where shall i host the asaa file at domain(example.com) or subdomain(signin.example.com)?
Seeing the following error when attempting automatic passkey upgrade - [Warning] NotAllowedError: The request is not allowed by the user agent or the platform in the current context, possibly because the user denied permission.
We're trying to enable Automatic passkey upgrade (https://developer.apple.com/videos/play/wwdc2024/10125/?time=38) for our website but it's not working from our testing on iOS 18.2 and 18.3 Beta Safari.
The flow on our website looks like:
the customers use autofill to fill out email and password on the sign-in page (abc.com/signin)
PublicKeyCredential.getClientCapabilities is called to check if conditionalCreate supported.
land on another page of our website (abc.com/pageX), which calls navigator.credentials.create with mediation conditional (Right after sign-in).
We checked that we followed the steps in above video: Allow automatic passkey upgrades is enabled, mediation is set to conditional and password autofill is used to signed in. However, Safari threw an error [Warning] NotAllowedError: The request is not allowed by the user agent or the platform in the current context, possibly because the user denied permission.
Can Apple help guide us if anything is missed here?
I’m implementing Passkey registration on iOS using ASAuthorizationPlatformPublicKeyCredentialProvider. On the server side, I’m using a WebAuthn library that throws the error UnexpectedRPIDHash: Unexpected RP ID hash during verifyRegistrationResponse().
Domain: pebblepath.link (publicly routable, valid SSL certificate, no warnings in Safari)
Associated Domains in Xcode**: webcredentials:pebblepath.link
AASA file:
{
"applinks": { "apps": [] },
"webcredentials": {
"apps": [
"H33XH8JMV6.com.reactivex.pebblepath"
]
}
}
Xcode Configuration:
Team ID: H33XH8JMV6
Bundle ID: com.reactivex.pebblepath
Associated Domains: webcredentials:pebblepath.link
Logs:
iOS clientDataJSON shows "origin": "https://pebblepath.link".
Server logs confirm expectedOrigin = "https://pebblepath.link" and expectedRPID = "pebblepath.link".
Despite this, the server library still errors out: finishRegistration error: UnexpectedRPIDHash.
I’ve verified that:
The domain has a valid CA-signed SSL cert (no Safari warnings).
The AASA file is reachable at https://pebblepath.link/.well-known/apple-app-site-association.
The app’s entitlements match H33XH8JMV6.com.reactivex.pebblepath.
I’ve removed old passkeys from Settings → Passwords on the device and retried fresh.
I’m testing on a real device with iOS 16+; I am using a Development provisioning profile, but that shouldn’t cause an RP ID mismatch as long as the domain is valid.
Every log indicates that the domain and origin match exactly, but the WebAuthn library still throws UnexpectedRPIDHash, implying iOS is embedding a different (or unrecognized) RP ID hash in the credential.
Has anyone else encountered this with iOS passkeys and a valid domain/AASA setup? Is there an extra step needed to ensure iOS recognizes the domain for passkey registration?
Any guidance or insights would be greatly appreciated!
Not getting ASCredentialServiceIdentifier in func prepareOneTimeCodeCredentialList(for serviceIdentifiers: [ASCredentialServiceIdentifier]) when trying to use ASCredentialProviderViewController for autofilling one time codes in iOS 18.
Using both the Apple sample app for passkeys (link below) and another barebones sample app from github (link below), we are getting this same error when trying to retrieve a user's passkey that has been created from our website associated with the sample app:
ASAuthorizationController credential request failed with error: Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1004 "(null)"
Error: ["NSLocalizedFailureReason": Unable to verify webcredentials association of TEAMID.com.company.product with domain app.company.com. Please try again in a few seconds.]
Note I have replaced TEAMID, the bundle id and the website id here, but the values match our site association file, which has this content:
{
"webcredentials": {
"apps": [ "TEAMID.com.company.product" ]
}
}
and is hosted at:
https://app.company.com/.well-known/apple-app-site-association
(returned with Content-Type: application/json header)
The enum values for ASAuthorizationError.Code I believe are:
canceled: 1000
failed: 1001
invalidResponse: 1002
notHandled: 1003
notInteractive: 1004
unknown: 1005
Thus we are getting notInteractive, which according to another forum post here, we should not be seeing. With both sample apps, I've made sure the request to perform authentication is triggered from a button press by the user. Can someone please help us figure out why we are getting this error?
Xcode version: 16.2
MacOS version: 15.2
iOS version: 18.2
iPhone model: iPhone SE (MHGT3X/A)
Link for Apple sample app:
https://developer.apple.com/documentation/authenticationservices/connecting_to_a_service_with_passkeys
Link for Github sample app:
https://github.com/hansemannn/iOS16-Passkeys-Sample
we are currently using an APNs Authentication Key to send
notifications and have not generated any Development or Production APNs certificates. Could you please confirm whether using the APNs
Authentication Key alone is sufficient under the updated requirements?
Alternatively, do we need to generate Development and Production APNs
certificates that support SHA-2 for compliance with the changes?
In order to create a Message Filter Extension it is necessary to set up Shared Web Credentials.
I'd like to form an understanding of what role SWC plays when the OS is making request to the associated network service (when the extension has called deferQueryRequestToNetwork()) and how this differs from when an app directly uses Shared Web Credentials itself.
When an app is making direct use of SWC, it makes a request to obtain the user's credentials from the web site.
However in the case of a Message Filter Extension, there aren't any individual user credentials, so what is happening behind the scenes when the OS makes a server request on behalf of a Message Filtering Extension?
A more general question - the documentation for Shared Web Credentials says "Associated domains establish a secure association between domains and your app.".
Thank you
Hi everyone,
I'm developing a minimal Safari web extension for macOS and trying to implement "Sign in with Apple" directly from the extension popup, as per Apple's guidelines it's prohibited to open a new tab/window:
Guideline 4.0 - Design: The user is taken to a new Safari window or tab to sign in or register for an account, which provides a poor user experience.
What I've Done So Far
Created an App ID with "Sign in with Apple" enabled and configured.
Created a Service ID with the "Sign in" feature enabled.
Enabled "Sign in with Apple" for native targets in Xcode
Added the following JavaScript code in my popup.html file to initialize the Apple JS API and handle authentication via a popup:
<script type="text/javascript" src="https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js"></script>
<script>
// have tried many different configurations here - nothing works!
AppleID.auth.init({
clientId: '<valid client ID>',
redirectURI: '<valid URL>',
usePopup: true,
});
document.getElementById('sign-in-button-apple')
.addEventListener('click', () => {
AppleID.auth.signIn().then((response) => {
console.log('Success', response)
}).catch((error) => {
console.error('Error', error)
});
});
</script>
I also added event listeners for AppleID events:
document.addEventListener('AppleIDSignInOnSuccess', (event) => {
console.log('Success', event);
});
document.addEventListener('AppleIDSignInOnFailure', (event) => {
console.log('Error', event);
});
Issue
When I click the "Sign in" button in the popup, a native macOS dialog appears for authorization. However, after confirming sign-in, the modal just closes and no response (success or error) is logged in the console.
Expected behavior
To receive a success message or an error in the console about the authorization process result.
Questions
Service ID Configuration: Since the popup's location URL is safari-web-extension://<random-url>, I can't add it to the supported redirect URLs in the Service ID settings. Is there a way to work around this?
Safari Web Extension Setup: Are there specific configurations required in Xcode to enable "Sign in with Apple" within a Safari web extension?
Sign-In Method: Am I correctly implementing the signIn method in the JavaScript code? Could there be any constraints or special considerations for running it within an extension popup?
I would greatly appreciate any guidance, examples, or documentation that can help resolve this issue.
Thank you in advance!
Our app is getting rejected from the app store because we don't allow users to delete their accounts. However, we use a non-custodial auth provider, Web3Auth, so no user accounts are generated, and no data is stored. How are we supposed to allow users to delete an account that doesn't exist?
Hi everyone,
I am trying to use ASWebAuthenticationSession to authorize user using OAuth2.
Service Webcredentials is set.
/.well-known/apple-app-site-association file is set.
When using API for iOS > 17.4 using new init with callback: .https(...) everything works as expected, however i cannot make .init(url: ,callbackURLScheme: ....) to work.
How can i intercept callback using iOS <17.4?
Do I really need to use universal links?
callbackURL = https://mydomain.com/auth/callback
iOS18.1.1 macOS15.1.1 xcode16.1 Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1004 "Unable to verify webcredentials association of ********** with domain ******************. Please try again in a few seconds."
Our domain must query with VPN, so I set webcredentials:qa.ejeokvv.com?mode=developer
following:
"If you use a private web server, which is unreachable from the public internet, while developing your app, enable the alternate mode feature to bypass the CDN and connect directly to your server. To do this, add a query string to your associated domains entitlement, as shown in the following example:
:?mode=
"
but it still not working, even after I set mode=developer.
Please help!!!!