Post not yet marked as solved
Is there some way to suggest to the system that it should autofill passwords in an ASWebAuthenticationSession on a domain not previously associated with my app?
I'm working on an app that currently has native login and registration screens; password autofill works great and links credentials to my associated domains.
I now need to move these login and registration screens to use ASWebAuthenticationSession and have users authenticate on a website on a new domain. The system does not autofill my app's credentials on these pages.
I can add this new domain as an associated domain, and new registrations are able to save the password and then autofill it later. But I can't get previously saved passwords to autofill on this new domain. Is that possible?
I did manage to use Shared Web Credentials to save the user's credentials against the new domain when they log in. But this will only migrate users that log in between now and when I switch to ASWebAuthenticationSession; not all users will be migrated.
Any new ideas or solutions much appreciated.
Post not yet marked as solved
I am creating links to add TOTP authentication for the iCloud keychain. But clicking the link causes a system crash on macOS 12.0.1, and clicking the link on iOS causes an alert: "Cannot Add Verification Code to This Account - A verification code could not be created from this URL.".
I have tried the following link:
otpauth://totp/example.com:Username&secret=4SMF2WK32UQZNHO6JWBO3GDJQYI4MP2D4FQA&issuer=example.com
I also tried the whole thing with the Apple specific prefix, which resulted in the same error.
Is this a general problem with Apple's integration, or is there anything I am missing?
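As an added example (not part of the original post and not Apple's code), this Swift sketch checks a link against the Key URI layout `otpauth://TYPE/LABEL?secret=BASE32&issuer=NAME`. `OTPAuthIssue` and `validateOTPAuthLink` are hypothetical names, and the second input is a constructed variant of the posted link that differs only in having `?` before the first parameter.

```swift
import Foundation

// Hypothetical names; added example, not code from the post or from Apple.
enum OTPAuthIssue: Equatable {
    case notAURL
    case unsupportedScheme(String)
    case unsupportedType(String)
    case missingLabel
    case parametersInsideLabel   // "secret=" landed in the path: no "?" before the parameters
    case missingSecret
    case secretNotBase32
    case issuerMismatch(label: String, parameter: String)
}

/// Checks a link against the Key URI layout: otpauth://TYPE/LABEL?secret=BASE32&issuer=NAME
func validateOTPAuthLink(_ link: String) -> [OTPAuthIssue] {
    guard let parts = URLComponents(string: link), let scheme = parts.scheme else {
        return [.notAURL]
    }
    var issues: [OTPAuthIssue] = []
    // Accept the generic scheme and the apple- prefixed form mentioned on this page.
    if !["otpauth", "apple-otpauth"].contains(scheme.lowercased()) {
        issues.append(.unsupportedScheme(scheme))
    }
    // The host position carries the OTP type.
    let type = (parts.host ?? "").lowercased()
    if !["totp", "hotp"].contains(type) {
        issues.append(.unsupportedType(type))
    }
    // The path is the label: "Issuer:Account" or just "Account".
    let label = String(parts.path.dropFirst())
    if label.isEmpty { issues.append(.missingLabel) }
    if label.contains("secret=") { issues.append(.parametersInsideLabel) }

    let items = parts.queryItems ?? []
    func value(of name: String) -> String? {
        items.first { $0.name == name }?.value
    }
    // The secret is mandatory and must be Base32 (A-Z, 2-7, optional "=" padding).
    if let secret = value(of: "secret"), !secret.isEmpty {
        let body = secret.uppercased().filter { $0 != "=" }
        let alphabet = Set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")
        if body.isEmpty || !body.allSatisfy({ alphabet.contains($0) }) {
            issues.append(.secretNotBase32)
        }
    } else {
        issues.append(.missingSecret)
    }
    // When both the label prefix and the issuer parameter are present they should agree.
    if let issuer = value(of: "issuer"), let colon = label.firstIndex(of: ":") {
        let prefix = String(label[..<colon])
        if prefix != issuer { issues.append(.issuerMismatch(label: prefix, parameter: issuer)) }
    }
    return issues
}

// The link from the post, then a constructed variant with "?" before the first parameter.
let postedSecret = "4SMF2WK32UQZNHO6JWBO3GDJQYI4MP2D4FQA"
let posted = "otpauth://totp/example.com:Username&secret=\(postedSecret)&issuer=example.com"
let variant = "otpauth://totp/example.com:Username?secret=\(postedSecret)&issuer=example.com"
for link in [posted, variant] {
    print(validateOTPAuthLink(link))
}
```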
Post marked as Apple Recommended
My macOS app uses ASWebAuthenticationSession for users to login to a third party service. It's worked fine until Monterey.
When I call start on ASWebAuthenticationSession it shows me the permission window as expected:
However when I click Continue nothing else happens. It does not show the Safari window and load the login page.
I've noticed these errors appear in the Console every time, so it seems it's having trouble opening Safari (even though I have Safari already open).
Any suggestions on how to fix this? Surely ASWebAuthenticationSession isn't broken for everyone?
error 10:40:50.598301+0000 kernel 43 duplicate reports for Sandbox: com.apple.WebKit(13346) deny(1) mach-lookup com.apple.diagnosticd
error 10:40:50.598309+0000 kernel Sandbox: SafariLaunchAgen(5469) deny(1) system-fsctl _IO('h', 47)
error 10:40:52.349729+0000 kernel Sandbox: com.apple.WebKit(6675) deny(1) mach-lookup com.apple.diagnosticd
error 10:40:53.011948+0000 CoreServicesUIAgent LAUNCH: Launch failure with -10652/ <FSNode 0x60000068b6e0> { isDir = y, path = '/Applications/Safari.app' }
error 10:40:53.019505+0000 CoreServicesUIAgent Unable to forward entitlements from overridden keySenderAuditTokenAttr [sess=100005 pid=5469 uid:501,501,501 g:20,20 pV:257536] to target port ( port:85539/0x14e23 rcv:0,send:2,d:0 limit:0), which will likely cause them to reject this AppleEvent, errorRef=[ NULL ]
Post not yet marked as solved
Hello,
Our platform uses Apple ID for authentication and login, both on the web and in our native app.
We have noticed that if a user logs in through the web via Apple ID and they have the iOS app installed, the app automatically opens after authentication.
This is the URL that seems to open the app: https://appleid.apple.com/auth/authorize?...
Is it possible to prevent this? We would like mobile web users to be able to use the mobile web site even if they do have the native app installed. Currently they are forced into the app after login.
I've checked a few other apps and this behavior exists among them as well, it doesn't seem to be a quirk of our system only.
Thank you!
Doug
Post not yet marked as solved
I'm trying to deprecate iOS 13 from my app. One of the compilation warnings I got as a result was:
'SecRequestSharedWebCredential' is deprecated: first deprecated in iOS 14.0 - Use ASAuthorizationController to make an ASAuthorizationPasswordRequest (AuthenticationServices framework)
So I tried updating my code as follows
let provider = ASAuthorizationPasswordProvider()
let request = provider.createRequest()
let authorizationController = ASAuthorizationController(authorizationRequests: [request])
authorizationController.delegate = self
authorizationController.presentationContextProvider = self
authorizationController.performRequests()
But it always calls the delegate callback
func authorizationController(controller: ASAuthorizationController, didCompleteWithError error: Error)
with error
Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1001 "No credentials available for login." UserInfo={NSLocalizedFailureReason=No credentials available for login.}
Even though the device (or simulator) has a stored password for my website. I have my website as an "associated domain" for my app of type webcredentials.
What am I doing wrong here?
Post not yet marked as solved
Hello, Apple Team.
In our iOS app, we are planning to use ASWebAuthenticationSession for cookie sharing with Safari App for single sign on.
The normal steps we can think of are as follows:
1. Start ASWebAuthenticationSession.
2. An alert dialog shows up for user permission.
3. If the user permits, the web browser shows up.
4. One of our web pages, which sets cookies, is loaded and immediately redirects to ASWebAuthenticationSession's callbackURLScheme URL without user operation.
5. ASWebAuthenticationSession's web browser is dismissed.
In this case, the user does nothing in the web browser. So if the web browser does not appear on screen, we think the user experience is much better.
We found out that ASWebAuthenticationSession's web browser view controller can be hidden by using the presentationAnchor(for:) method of the ASWebAuthenticationPresentationContextProviding protocol. In this case, only the alert dialog for user permission shows up.
This is very good UX for our app.
But we've found the following statement in the SFSafariViewController documentation.
https://developer.apple.com/documentation/safariservices/sfsafariviewcontroller
Important
In accordance with App Store Review Guidelines, this view controller must be used to visibly present information to users; the controller may not be hidden or obscured by other views or layers. Additionally, an app may not use SFSafariViewController to track users without their knowledge and consent.
And the App Store Review Guidelines say
https://developer.apple.com/app-store/review/guidelines/
(vii) SafariViewController must be used to visibly present information to users; the controller may not be hidden or obscured by other views or layers. Additionally, an app may not use SafariViewController to track users without their knowledge and consent.
The ASWebAuthenticationSession documentation says nothing like this, but we would like to make it clear.
Do these statements also apply to ASWebAuthenticationSession?
If we hide ASWebAuthenticationSession's web browser, will our app be rejected?
Post not yet marked as solved
Hi folks!
I've been working on some UX improvements for our users and stumbled upon an issue. I extracted the code from our project into a separate project. Here's the link, so you can check it out: https://github.com/SergeyPetrachkov/ASAuthControllerIssueSample
So, here's the issue:
If I have both email-password and apple id records in my keychain for an app, and want to request that data to do auto-login, I can get email-password based accounts info fine.
Apple ID does not work as expected though. I receive ASAuthorizationAppleIDCredential object with authorizationCode == nil. I do receive credential.identityToken and can decode the token. It's a valid one, but the thing is that I need authorizationCode.
If I use stand-alone login function of AppleAuthenticator, it works correctly. ASAuthorizationController executes performRequests perfectly and I can get authorizationCode from ASAuthorizationAppleIDCredential. The issue is with AggregatedAuthenticator. It seems that ASAuthorizationController is sort of broken and cannot get all the data if there's more than one request passed to it.
AggregatedAuthenticator(anchor: view.window!).startAutoLogin() // does not work with apple id
but
AppleAuthenticator(anchor: view.window!).login() // works
The only difference is that AppleAuthenticator uses only one request in ASAuthorizationController.
The only workaround that I could come up with is if I go to AggregatedAuthenticator and do the login again there, see the comment in code:
public func authorizationController(controller: ASAuthorizationController, didCompleteWithAuthorization authorization: ASAuthorization) {
    switch authorization.credential {
    case let appleIDCredential as ASAuthorizationAppleIDCredential:
        // Question: here we receive the credential without authorizationCode, but why?
        appleAuthenticator.login(with: appleIDCredential)
        // BUT if I do:
        // appleAuthenticator.login()
        // it works fine, but it shows that bottom sheet again asking for your face/touch-id again, but only for apple id this time
    case let emailPasswordPair as ASPasswordCredential:
        emailAuthenticator.login(with: emailPasswordPair)
    default:
        print("Irrelevant stuff")
    }
}
Any ideas, folks?
Post not yet marked as solved
'Sign In With Apple' is not working in the iOS 14 simulators and iOS 15 simulators.
Post not yet marked as solved
I know that ASWebAuthenticationSession is usually used with OAuth and similar protocols, but now I'm interested: does ASWebAuthenticationSession support other auth types?
I've made such tests (iOS 14.5, Xcode 12.5.1):
Tested ASWebAuthenticationSession with kerberos/negotiate URL (with callback scheme http) - SFSafariViewController loads error page with 401 error and no alert for creds; completion handler of ASWebAuthenticationSession is not called;
Tested ASWebAuthenticationSession with NTLM, Digest and Basic URLs (with callback scheme http) - SFSafariViewController shows alert for creds; with correct creds content is shown; completion handler of ASWebAuthenticationSession also is not called;
Performed the same test with SFSafariViewController - same results.
Do I understand correctly that ASWebAuthenticationSession doesn't support such auth types, but SFSafariViewController supports them?
Why doesn't SFSafariViewController show an alert for creds in the case of kerberos/negotiate auth?
Post not yet marked as solved
We have a parent app where the user would log in using SAML, and there are apps from different vendors installed on the same device. We would like to use the same SAML login session with the other vendor apps as well. Is this flow possible to implement?
Any pointers will be of great help. Thank you in advance.
Post not yet marked as solved
When attempting to open an otpauth://totp URL on iOS 15 Beta 8 it opens the Password Manager.
Based on the documentation & the tagged WWDC session it should only open the iOS Password Manager if the URL contains the apple- prefix.
For example: apple-otpauth://totp
This is currently breaking our Multi Factor Authentication setup flow. Will this behaviour be changed for the next beta & iOS 15 release?
Post not yet marked as solved
My app checks to see if a user is logged into iCloud. Currently, I can throw a user to the Settings.app, or quit.
Can I use Authentication Services instead? If not, any other possibilities?
Thanks
David
Post not yet marked as solved
We're seeing Chrome browser crashing after using ASWebAuthenticationSession to authenticate. While the authentication succeeds, all the user's browser tabs are terminated and upon re-opening Chrome, it shows a popup message: "Chrome didn’t shut down correctly".
System logs indicate that Chrome crashed (core dumped) with a Security Exception with macOS error code -67052.
Post not yet marked as solved
Hi devs
Hope we are all well.
So I have found what could be a bug in Sign In With Apple and Firebase recently and I'm not sure if it's actually my code or a bug. So when I SIWA I can auth correctly and get the user's name, create the credential, etc. All this works; the problem arises when I try to SIWA after removing the account. The credential is removed from Firebase Auth, but when I try to SIWA it presents the ReAuth view, not the New Auth SIWA view. After investigation into my iCloud account, it shows my app as still authorised to use SIWA even though the account is deleted on Firebase. This is seen in:
iCloud > Password & Security > Apps Using Apple ID
So I am wondering if this is a bug or my code. I have followed all relevant Firebase and Sign In With Apple references and the integration guide on Firebase, but the iCloud part still remains after the account is removed from Firebase Auth. So how do I remove this from iCloud?
Thanks
Post not yet marked as solved
I've been using the Transporter app on my Mac to push our mobile builds to the App Store. Recently, my company made account changes that require 2FA with our live.com account. When I log into my Apple account, I'm taken to a broken page at Microsoft. I've gotten around this with a secondary Apple ID. Unfortunately, today I launched Transporter, and it's doing the same thing. I have no way to enter my secondary Apple ID. I've tried uninstalling and re-installing the app, but there must be a config file somewhere that's saving my last login credentials.
Does anyone know how I can reset the app so I'm prompted for credentials again?
Post not yet marked as solved
I am working on a Game that authenticates the user either through Game Center or anonymously through Firebase. I want to reward the player through codes that he can redeem online.
I wanted to know if it is possible to get an Email ID once a player has logged in through Game Center. I can ask the user to provide one while I do the same thing on Play Games.
Please advise.
Post not yet marked as solved
I have a class where I want to handle the Sign in with Apple logic. I have created an ASAuthorizationController, set the presentationContextProvider to be my view controller and set the delegate to the class itself. When I perform the requests, the system dialog shows up. But upon canceling, my delegate method does not get called.
Here is my class:
final class AppleSignInProvider: NSObject {
    typealias CompletionHandler = (Result<AuthCredential, Error>) -> Void

    enum AuthError: LocalizedError {
        case credential
        case nonce
        case identityToken
        case identityTokenString
    }

    private let completion: CompletionHandler
    private var authorizationController: ASAuthorizationController?

    init(completion: @escaping CompletionHandler) {
        self.completion = completion
    }

    private var currentNonce: String?

    private func sha256(nonce: String) -> String {
        let inputData = Data(nonce.utf8)
        let hashedData = SHA256.hash(data: inputData)
        let hashString = hashedData.compactMap {
            return String(format: "%02x", $0)
        }.joined()
        return hashString
    }

    func signIn(viewController: UIViewController) {
        let nonce = randomNonceString()
        currentNonce = nonce
        let request = ASAuthorizationAppleIDProvider().createRequest()
        request.requestedScopes = [
            .fullName, .email
        ]
        request.nonce = sha256(nonce: nonce)
        let authorizationController = ASAuthorizationController(authorizationRequests: [request])
        authorizationController.presentationContextProvider = viewController.view.window
        authorizationController.delegate = self
        authorizationController.performRequests()
        self.authorizationController = authorizationController
    }

    // Adapted from https://auth0.com/docs/api-auth/tutorials/nonce#generate-a-cryptographically-random-nonce
    private func randomNonceString(length: Int = 32) -> String {
        precondition(length > 0)
        let charset: [Character] = Array("0123456789ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvwxyz-._")
        var result = ""
        var remainingLength = length
        while remainingLength > 0 {
            let randoms: [UInt8] = (0 ..< 16).map { _ in
                var random: UInt8 = 0
                let errorCode = SecRandomCopyBytes(kSecRandomDefault, 1, &random)
                guard errorCode == errSecSuccess else {
                    fatalError("Unable to generate nonce. SecRandomCopyBytes failed with OSStatus \(errorCode)")
                }
                return random
            }
            randoms.forEach { random in
                if remainingLength == 0 {
                    return
                }
                if random < charset.count {
                    result.append(charset[Int(random)])
                    remainingLength -= 1
                }
            }
        }
        return result
    }
}

extension AppleSignInProvider: ASAuthorizationControllerDelegate {
    func authorizationController(controller: ASAuthorizationController, didCompleteWithAuthorization authorization: ASAuthorization) {
        do {
            guard let appleIDCredential = authorization.credential as? ASAuthorizationAppleIDCredential else {
                throw AuthError.credential
            }
            guard let nonce = currentNonce else {
                throw AuthError.nonce
            }
            guard let appleIDToken = appleIDCredential.identityToken else {
                throw AuthError.identityToken
            }
            guard let idTokenString = String(data: appleIDToken, encoding: .utf8) else {
                throw AuthError.identityTokenString
            }
            let credential = OAuthProvider.credential(withProviderID: "apple.com", idToken: idTokenString, rawNonce: nonce)
            completion(.success(credential))
        } catch {
            completion(.failure(error))
        }
    }

    func authorizationController(controller: ASAuthorizationController, didCompleteWithError error: Error) {
        completion(.failure(error))
    }
}
My delegate methods are called when the view controller is set as delegate, but that is not a fix for my issue.
Post not yet marked as solved
When retrieving the ASAuthorizationPlatformPublicKeyCredentialRegistration, the decoded fmt value of rawAttestationObject is none instead of apple.
Is this currently expected?
Post not yet marked as solved
Hello,
I'm currently struggling to figure out how I can make Apple sign in work with my app configuration. Maybe I'm just dumb, but I really can't figure out what I need to do to make it work.
So I have a Next.js app setup server-side rendering my React frontend, and on a separate server, I have a Node.js (specifically Adonis.js) backend/api which I use to handle auth and sessions.
I have both Facebook and Google OAuth2 logins setup and working perfectly, where I'm receiving a code as a query param in my callback url to my frontend, which the client then sends that code to my backend/api, which uses that code with the provider (FB or Google) to get their email, name, and any other data I could use to prevent the user from having to add later, and either create the user and log them in, or just log them in if they already exist using cookies. I don't need any sort of write access to their third party account, or anything more than reading their name and email so they don't have to enter it themselves, and so they don't have to enter a password on my site.
There are 2 different questions I have. (and if there is a solution to the first one, it would make my life so much easier ha..)
1. If I use these query params similar to how I would with Google or Facebook:
response_type: 'code',
client_id: Env.get('APPLE_APP_ID'),
redirect_uri: 'https://example.com/auth/apple/callback',
state: '',
scope: '',
response_mode: 'query'
And I get redirected back to my frontend with the code in the url params, and I send it to my API like I do with Facebook/Google, is there any endpoint with Apple's system that I can use that code to request the user's email and name from?
2. From reading through doc after doc, and it still being fuzzy, I'm thinking I may need to use the form_post response mode kind of like this?:
response_type: 'code id_token',
client_id: Env.get('APPLE_APP_ID'),
redirect_uri: 'https://example.com/auth/apple/callback',
state: '',
scope: ['email', 'name'].join(' '),
response_mode: 'form_post'
My impression is that it would post a token, and the user data to my callback url, and that I can get the user's email and name from the user's first request and attach the token received to the user in my database. I just do not for the life of me understand how I could use this pattern with how my app is setup. Would I have to have a post handler and a page setup on the same route (I don't even know if Next.js allows something like that), and then from that, I send that data to my backend server and create the account with the data received? Even if all that worked, I don't think I would be able to set the user's session since I rely on the request being made from my frontend to my backend utilizing the set-cookie header.
Please let me know your thoughts, input, or clarifications.
Thanks,
Brody
Post marked as Apple Recommended
Hi All,
We have started seeing a crash with iOS 14.5 for ASWebAuthenticationSession's callbackURLScheme. Is anybody else seeing the issue? Is this an intentional change in iOS or a bug?
AuthenticationSession] The provided scheme is not valid. A scheme should not include special characters such as ":" or "/".** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: 'The provided scheme is not valid. A scheme should not include special characters such as ":" or "/".'
Regards,
Nimesh
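As an added example (not part of the original post and not Apple's code), this Swift sketch reduces a configured redirect value to a bare scheme and checks it against the RFC 3986 scheme grammar before it is passed as `callbackURLScheme`, so a value containing ":" or "/" is rejected in the app's own code path. `CallbackSchemeError` and `bareCallbackScheme(from:)` are hypothetical names and the sample values are constructed.

```swift
import Foundation

// Hypothetical names; added example, not code from the post or from Apple.
enum CallbackSchemeError: Error, Equatable {
    case empty
    case invalid(String)   // does not match ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
}

/// Returns the bare scheme for a value such as "myapp://auth/callback" or "myapp".
/// The result contains no ":" or "/" and can be used as a callbackURLScheme.
func bareCallbackScheme(from configured: String) throws -> String {
    let trimmed = configured.trimmingCharacters(in: .whitespacesAndNewlines)
    // Everything before the first ":" is the scheme; a value without ":" is
    // treated as a scheme already.
    let candidate = trimmed.components(separatedBy: ":").first ?? ""
    guard !candidate.isEmpty else { throw CallbackSchemeError.empty }
    // RFC 3986 section 3.1: a letter followed by letters, digits, "+", "-" or ".".
    let grammar = "^[A-Za-z][A-Za-z0-9+.-]*$"
    guard candidate.range(of: grammar, options: .regularExpression) != nil else {
        throw CallbackSchemeError.invalid(candidate)
    }
    // Schemes are case-insensitive; lowercase is the canonical form.
    return candidate.lowercased()
}

// Constructed sample values, not taken from the post.
let samples = [
    "myapp://auth/callback",   // full redirect URI
    "com.example.app:/oauth",  // reverse-DNS scheme with a single slash
    "MyApp",                   // already a bare scheme
    "my_app://cb",             // "_" is not allowed in a scheme
    "/callback"                // no scheme at all
]
for value in samples {
    do {
        print(value, "->", try bareCallbackScheme(from: value))
    } catch {
        print(value, "-> rejected:", error)
    }
}
```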