I want to support "Sign in with Apple" for my macOS application. Currently, I'm using WKWebview to support this. I'm able to provide a sign in for the current mac user correctly. But some users try to login with another apple ID, which has FIDO certified keys added as 2FA. Now my WKWebView shows this : But nothing happens when they click on "Continue". I think I need to create some kind of interface in my application for this case, but no clear idea. I can't see much articles for this use case with security keys. Anybody has any idea ?

In iOS 17 beta 5, the alert controller that pops up when sharing cookies with Safari was different than it was in iOS 16. I'm not sure how many betas this was in, but it said: Do you want to also sign in to in Safari? This allows and in Safari to share information about you such as your account. will work without this. Cancel Sign in to <Your app> & Safari Only Sign in to <Your app> In the official release of iOS 17, the alert is back to having just Cancel and Continue and the text it had previously: Wants to Use to Sign In This allows the app and website to share information about you. Question is, was this a fluke in beta? Is the ability to for users to disable Safari cookies something that is coming back? Is it a setting? I can't seem to find any information about this at all. It was concerning for us in beta, because it seemed like it was going to be a potential source of login issues, but now I'm not sure what to make of it. Thank you!

Hi, I created a proof of concept app that leverages ASAuthorizationController to authenticate using FIDO2 security keys and passkeys. I get an auth challenge from an internal provider, and leverage the above API(s) to authenticate. Basically the same use case as the following (using existing account): https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication/supporting_security_key_authentication_using_physical_keys#3761984 Initially it worked fine, I got a pop-up with a user prompt. However, after canceling one of the requests (can't remember whether I force-closed the window or just clicked Cancel) I get an error on every subsequent request: response: {"error":"The operation couldn’t be completed. Request already in progress for specified application identifier."} log stream | grep fido2 output: 2023-10-17 16:52:52.740329+0100 0x3f329d Default 0x7d21c1 404 0 tccd: [com.apple.TCC:access] AUTHREQ_ATTRIBUTION: msgID=49962.1, attribution={responsible={TCCDProcess: identifier=com.facebook.fbvscode, pid=3687, auid=501, euid=501, responsible_path=/Applications/VS Code @ FB.app/Contents/MacOS/Electron, binary_path=/Applications/VS Code @ FB.app/Contents/MacOS/Electron}, requesting={TCCDProcess: identifier=com.meta.fido2macos.localDevelopment, pid=49962, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2}, }, 2023-10-17 16:52:52.750530+0100 0x3f329d Default 0x7cde39 404 0 tccd: [com.apple.TCC:access] AUTHREQ_ATTRIBUTION: msgID=402.3441, attribution={responsible={TCCDProcess: identifier=com.facebook.fbvscode, pid=3687, auid=501, euid=501, responsible_path=/Applications/VS Code @ FB.app/Contents/MacOS/Electron, binary_path=/Applications/VS Code @ FB.app/Contents/MacOS/Electron}, accessing={TCCDProcess: identifier=com.meta.fido2macos.localDevelopment, pid=49962, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2}, requesting={TCCDProcess: identifier=com.apple.WindowServer, pid=402, auid=88, euid=88, binary_path=/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer}, }, 2023-10-17 16:52:52.750603+0100 0x3f329d Default 0x7cde39 404 0 tccd: [com.apple.TCC:access] requestor: TCCDProcess: identifier=com.apple.WindowServer, pid=402, auid=88, euid=88, binary_path=/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer is checking access for accessor TCCDProcess: identifier=com.meta.fido2macos.localDevelopment, pid=49962, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2 2023-10-17 16:52:52.803355+0100 0x3f32ad Default 0x0 376 0 launchservicesd: [com.apple.launchservices:cas] CHECKIN:0x0-0xa50a50 49962 com.meta.fido2macos.localDevelopment 2023-10-17 16:52:52.818560+0100 0x3f1eb0 Default 0x7c91e2 930 0 distnoted: [com.apple.distnoted:diagnostic] register name: com.apple.sharedfilelist.change object: com.apple.LSSharedFileList.ApplicationRecentDocuments/com.meta.fido2macos.localdevelopment token: f50000004b pid: 994 2023-10-17 16:52:52.846529+0100 0x3f1eb0 Default 0x0 930 0 distnoted: [com.apple.distnoted:diagnostic] register name: com.apple.xctest.FakeForceTouchDevice object: com.meta.fido2macos.localDevelopment token: 1c00000023 pid: 49962 2023-10-17 16:52:52.866484+0100 0x3f1eb0 Default 0x0 930 0 distnoted: [com.apple.distnoted:diagnostic] register name: com.apple.nsquiet_safe_quit_give_reason object: com.meta.fido2macos.localDevelopment token: 1f00000020 pid: 49962 2023-10-17 16:52:53.027489+0100 0x3f329d Error 0x7d21c8 404 0 tccd: [com.apple.TCC:access] TCCDProcess: identifier=com.meta.fido2macos.localDevelopment, pid=49962, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2 attempted to call TCCAccessRequest for kTCCServiceAccessibility without the recommended com.apple.private.tcc.manager.check-by-audit-token entitlement 2023-10-17 16:52:53.027604+0100 0x3f329d Default 0x7d21c8 404 0 tccd: [com.apple.TCC:access] AUTHREQ_ATTRIBUTION: msgID=49962.2, attribution={accessing={TCCDProcess: identifier=com.knollsoft.Rectangle, pid=1134, auid=501, euid=501, binary_path=/Applications/Rectangle.app/Contents/MacOS/Rectangle}, requesting={TCCDProcess: identifier=com.meta.fido2macos.localDevelopment, pid=49962, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2}, }, 2023-10-17 16:52:53.059785+0100 0x3f2257 Default 0x7d21c7 77540 0 AuthenticationServicesAgent: (AuthenticationServicesCore) [com.apple.AuthenticationServicesCore:Authorization] Received connection from V9WTTPBFK9.com.meta.fido2macos.localDevelopment I also tried calling ASAuthorizationController::cancel (https://developer.apple.com/documentation/authenticationservices/asauthorizationcontroller/3950923-cancel) in random places but that didn't help either. Happy to follow up more details / code if necessary. Thanks! Similar issue: https://developer.apple.com/forums/thread/723850

I have implemented Sign in with Apple in my app. The flow goes like this: User taps sign in button In the delegate method I take the auth code and post it to my server. My server sends an activation request to apple and gets an id, refresh, and access tokens. This is where I have a problem: A user requests account deletion. The server sends a request to revoke the access and refresh tokens User may or may not go to settings and revoke "Sign in with Apple" access to the app (the following happens either way) The user then load the app again and taps the Sign in with Apple button. The delegate method provides a valid id token, but the same original auth code instead of generating a new one. The server now gets an invalid response from apple as the auth code is had already expired, and so can't get a new refresh token. The server also can't use the old refresh token as it's been revoked during deletion. Can someone tell me where I'm going wrong? I can't find any documentation for regenerating a refresh token after revoking it. Thank you

after subscribing, I want to have users log in for a few reasons core to the functionality of the app. However, Apple has requirements about this, stating it needs to be optional. however, I want to have my backend layer secure so that we check a user session each time a request is made, without a check its basically open to the public which I don’t like. Without a login, there is no session To provide. we use RevenueCat for managing subscriptions But I don’t want to rely on their servers for checking subscription status…is that the only option? do I have an option to secure my api layer another way, without login session?

We are relying on ASWebAuthenticationSession to do web authentication. Since the API doesn't support POST requests directly we have to generate local file in ~/Library/Application Support/<foo.bar>/WebAuth.html containing the POST and use initial URL as file:///Users//Library/Application%20Support//WebAuth.html Problem is that Safari sometimes pops a dialog "Confirm the file to load" and sometimes it doesn't. This doesn't depend on "Full Disk access" TCC. Does anybody know a way to prevent this from happening? MDM option or something? Also styling of the popup is a rather poor UI choice - looks very confusing and like the user may choose another file to load. Chrome f.e. doesn't do such popups. I already have FB13340210 for this.

Hey, I'm looking for some help with ASAuthorizationController and passkeys. It seems that wildcards in applinks for subdomains break passkeys for the main domain. The app has the following entries in entitlements: webcredentials: mydomain.com applinks: mydomain.com applinks: *.mydomain.com mydomain.com is a placeholder for the actual domain The AASA file is hosted only at mydomain.com and contains a correctly formatted "webcredentials" entry. { "webcredentials": { "apps": [ "app-id-corretly-formatted" ] }, "applinks": { "apps": [], "details": [ // ... ] } } When I use ASAuthorizationController with the domain mydomain.com, it reports the following error: Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1004 "Application with identifier X is not associated with domain mydomain.com" UserInfo={NSLocalizedFailureReason=Application with identifier X is not associated with domain mydomain.com If I remove the following line from the entitlements "applinks: *.mydomain.com", it works as expected: webcredentials: mydomain.com applinks: mydomain.com It appears that the problem is with the wildcard in the subdomains. Has someone experienced this issue?

I am using Okta Web Redirect Sign-in on my iPhone app. Even on Safari, same response. Ideally it should show me some message but it is not. It asks for username, password upon submit it stuck. And ask to download a file. Have a look at attached screenshot. How to resolve this issue? Thank you in advance.

I updated the app bundle ID of my app in my associated domains file on my server which can be viewed using the Apple CDN at (https://app-site-association.cdn-apple.com/a/v1/myApp.app) and on my server at (https://myApp.app/.well-known/apple-app-site-association). All I did was update the app Bundle ID of my app in Xcode and likewise in the associated domains file, and now it is no longer working and I'm getting the error Application with identifier ABCDE12345.app.myApp.MyApp is not associated with domain myApp.app. This error is thrown when attempting to use the webcredentials portion of the associated domain file for logging in via Passkey. I've waited for 6 days to let the changes propagate through the CDN but the issue is persisting. Strangely enough, it has worked a few times since I changed it but almost always fails. This intermittent behavior leads me to believe it might be something up with the CDN? The only thing I changed about my appID was the domain, e.g. ABCDE12345.io.oldDomain.MyApp to ABCDE12345.app.myApp.MyApp. My file is structured as so: { "applinks": { "apps": [], "details": [ { "appID": "ABCDE12345.app.myApp.MyApp", "components": [ ... ] } ] }, "webcredentials": { "apps": [ "ABCDE12345.app.myApp.MyApp" ] } } Likewise I updated the entitlements in my app to webcredentials:myApp.app from webcredentials:oldDomain.io and similarly for the appLinks. I've tried deleting the app, restarting Xcode, clean builds, all that jazz to no avail. Any advice you have for remedying this would be greatly appreciated. This has brought my beta to a halt because no one can log in or sign up. Thank you.

In my app user accounts are handled with Firebase Auth. When creating a user how can I get the system to suggest a Unique password (that prompt that comes up on the keyboard) and also how can i get it to save these details to the keychain. My app will have a website in the future so I want the details come up when the user tries to login there. When the user logs in i used the func below to save the details to the keychain, it says the details have been saved but it doesnt seem to come up in the passwords tab in Settings. func saveCredentialsToKeychain(email: String, password: String) { let query: [String: Any] = [ kSecClass as String: kSecClassInternetPassword, kSecAttrServer as String: "myWebsite.com", kSecAttrAccount as String: email, kSecValueData as String: password.data(using: .utf8)!, kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlocked ] let status = SecItemAdd(query as CFDictionary, nil) if status == errSecSuccess { print("Credentials saved to Keychain") } else { print("Error saving credentials to Keychain: \(status)") } }

I have been using workspace to incorporate the Firebase Auth functionality in my application. I am using Xcode 15.0.1 and Firebase 10.18.0. I have included the screenshot for that as well. In which you can see that I have typed fs and g on two separate lines and it should show me the error but it's now. Also I have commented out the import of Firebase so it should also display me the error that Auth.auth() is unidentified function. I have tried restarting my Xcode and mac as well.

It appears that for a successful registration of a passkey to a relying party using passkey autofill provider, the BE BS bits/flags in the attestation response need to be set to true. Please refer FLAGS byte of authData field part of attestationObject mentioned here - https://www.w3.org/TR/webauthn-2/#sctn-attestation. If those flags are set to false, the RP rejects saying - "The operation either timed out or was not allowed. See: https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client." What are the implications of having those flags set to true? Does it make the generated passkey syncable across devices using same apple id? If yes, is there at all anyway possible by which a generated passkey can be made device bound, basically can be generated and used only on a single iPhone/iOS device? Also, is there a plan to ever make those flags to be set to false in a future iOS release? Also, what does it mean in the credential provider popup where it says - "Available where is installed." in the below screenshot?

I am trying to implement a third party passkey credential provider and I have been able to successfully setup the project for that. Below is a sample code which I am using - let passkeyRegistrationCredential = ASPasskeyRegistrationCredential(relyingParty: self.request?.credentialIdentity.serviceIdentifier.identifier ?? "", clientDataHash: self.request?.clientDataHash ?? Data(), credentialID: Data(credentialId), attestationObject: Data(attestationBytes) self.extensionContext.completeRegistrationRequest(using: passkeyRegistrationCredential) The attestationBytes object that I am generating and sending back to RP seems to work only if I set the "fmt" to "none", which basically requires "attStmt" to be sent as an empty value as per WebAuthn spec - https://www.w3.org/TR/webauthn-2/#sctn-none-attestation When trying to set the "fmt" to "packed" in attestation object and creating a self signed "attStmt" consisting of "alg" and "sig" key-values referring - https://www.w3.org/TR/webauthn-2/#sctn-packed-attestation, it does not seem to work. The RP throws an error. I do not have "x5c" object as that supposedly is not mandatory in case of self attestation. I have "authData" also as part of the response properly setup. Is it not possible to use packed attestation or am I missing something in creating the attestation object? Also, does Apple modify the response being sent in the background before sending to RP if packed fmt is used?

After upgrading iOS from 17 to 17.1, the list of passkeys registered to the ASCredentialIdentityStore is not displayed in the Safari QuickType bar. (Google Chrome browser is ok)

Hello everybody, I'm trying to implement passkey provider for iOS device. I'm in the register phase of the passkey. Let's say this is my code to register request, what am I doing wrong?: import SwiftCBOR class CredentialProviderViewController: ASCredentialProviderViewController { . . . func generatePublicKeyCborEncoded() -> Data { let privateKey = P256.Signing.PrivateKey() let publicKey = privateKey.publicKey.x963Representation let decoded: [CBOR: CBOR] = [ CBOR.init(integerLiteral: 1): CBOR.init(integerLiteral: 2), CBOR.init(integerLiteral: 3): CBOR.init(integerLiteral: -7), CBOR.init(integerLiteral: -1): CBOR.init(integerLiteral: 1), CBOR.init(integerLiteral: -2): CBOR.byteString(publicKey[1..<33].map { $0 }), CBOR.init(integerLiteral: -3): CBOR.byteString(publicKey[33..<65].map { $0 }) ] return Data(CBOR.encode(decoded)) } @IBAction func onRegister(_ sender: UIButton) { NSLog("onRegister called 1") guard let request = newRegistrationRequest as? ASPasskeyCredentialRequest else {return} let attObj: Data = generatePublicKeyCborEncoded() let passkey: ASPasskeyRegistrationCredential = ASPasskeyRegistrationCredential( relyingParty: request.credentialIdentity.serviceIdentifier.identifier, clientDataHash: request.clientDataHash, credentialID: Data([67, 92, 125, 254, 60, 232, 238, 248, 14, 107, 245, 21, 85, 130, 40, 54], attestationObject: attObj ) extensionContext.completeRegistrationRequest(using: passkey){ endedWell in NSLog("onRegister called \(endedWell ? "" : "not") ended well") } } }

Hi community! I'm on the hunt for alternatives to digital onboarding and NFC reader libraries on iOS (and maybe on Android too). Do any of you know of alternatives to: https://github.com/AndyQ/NFCPassportReader They should be compatible with ICAO Doc 9303 MRTD - https://www.icao.int/publications/pages/publication.aspx?docnum=9303 Your insights and suggestions mean a lot! Thanks! Description: NFCPassportReader - This package handles reading an NFC Enabled passport using iOS 13 CoreNFC APIS Version 2 (and the main branch) now uses Swift Async/Await for communication. If you need an earlier version, please use 1.1.9 or below! Supported features: Basic Access Control (BAC) Secure Messaging Reads DG1 (MRZ data) and DG2 (Image) in both JPEG and JPEG2000 formats, DG7, DG11, DG12, DG14 and DG15 (also SOD and COM datagroups) Passive Authentication Active Authentication Chip Authentication (ECDH DES and AES keys tested, DH DES AES keys implemented ad should work but currently not tested) PACE - currently only Generic Mapping (GM) supported Ability to dump passport stream and read it back in Uses Async/Await

I developed an app that implements autofill extension with ASCredentialProviderViewController to provide passkeys. while it works smoothly on internal connections (e.g. register to webauthn.io on the same device where my app is installed), it fails when i'm scanning QR code on another device. I suspect it's a problem with the flags of the passkey attestation object as the only difference between the 2 requests (internal and hybrid) I've found is that the userVerificationPreference is changed from preferred (internal) to required (hybrid). i sent those flags (both on hybrid and internal connection): binary rep: 01011101 decimal rep: 93 is anyone has a clue what goes wrong?

I am working on two applications that provide complementary functionality - one is a main app with authentication flow and the other handles additional functionalities within my service. I would like to publish these as separate apps on the App Store but allow them to share data through an App Group, specifically to enable sign-in state to carry across. The flow would be: Main app authenticates the user and saves an authentication token to the shared App Group container Second app launches and checks the container for this token. If present, it signs the user in automatically. In this way the Main app handles all login functionality which enables certain features in the other app(s) when logged in state is present. My questions are: Would this violate any App Store guidelines around app functionality distribution or data sharing? I intend to provide a technical rationale during review on why two apps are necessary. Would Apple allow such an implementation? What best practices should I follow when submitting for app review approval? It would be great to hear thoughts around the viability of this app architecture. Please let me know if further technical details are needed as well. Looking forward to community feedback on whether Apple permits apps sharing sensitive data via App Group specifically for identity management. Reference: guideline 2.5.2 2.5.2 Apps should be self-contained in their bundles, and may not read or write data outside the designated container area, nor may they download, install, or execute code which introduces or changes features or functionality of the app, including other apps. Educational apps designed to teach, develop, or allow students to test executable code may, in limited circumstances, download code provided that such code is not used for other purposes. Such apps must make the source code provided by the app completely viewable and editable by the user. https://developer.apple.com/documentation/xcode/configuring-app-groups