According to the documentation - https://github.com/w3c/webauthn/pull/1491 of Apple's Anonymous Attestation Statement Format (fmt="apple"), the nonce generated from the authenticatorData the clientDataHash is embedded in an extension with OID ( 1.2.840.113635.100.8.2 ) in the certificate for the credential public key. If I try to validate a response generated after using touchID from my browser on my iOS14 device, I get a 38-byte value:   414:d=5  hl=2 l=   9 prim: OBJECT            :1.2.840.113635.100.8.2   425:d=5  hl=2 l=  38 prim: OCTET STRING      [HEX DUMP]:3024A1220420D9052FED7AA782C1B416C59B0AE15F309A336E22984E32505307A6339DDE52FD How can this be a SHA-256 hash value?

I'm trying to deprecate iOS 13 from my app. One of the compilation warnings I got as a result was: 'SecRequestSharedWebCredential' is deprecated: first deprecated in iOS 14.0 - Use ASAuthorizationController to make an ASAuthorizationPasswordRequest (AuthenticationServices framework) So I tried updating my code as follows let provider = ASAuthorizationPasswordProvider()             let request = provider.createRequest()             let authorizationController = ASAuthorizationController(authorizationRequests: [request])             authorizationController.delegate = self             authorizationController.presentationContextProvider = self             authorizationController.performRequests() But it always calls the delegate callback func authorizationController(controller: ASAuthorizationController, didCompleteWithError error: Error) with error Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1001 "No credentials available for login." UserInfo={NSLocalizedFailureReason=No credentials available for login.} Even though the device (or simulator) has a stored password for my website. I have my website as an "associated domain" for my app of type webcredentials. What am I doing wrong here?

I am facing one issue while trying to Sign in with Apple. error is as below: "The Operation couldn't be completed (com.apple.AuthenticationServices.AuthorizationError error 1000.)" I get this error as soon as the button is pressed it doesn't even get into the actual sign-in part. I have verified that entitlements file is there with the below content: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC ""> <plist version="1.0"> <dict> <key>aps-environment</key> <string>development</string> <key>com.apple.developer.applesignin</key> <array> <string>Default</string> </array> </dict> </plist> I transferred the project and certificates from another machine. So deleted all the certificates and provisional profiles and recreated them from the new machine but faced an issue. Also, It only happens in exported (Archived build). When I directly install it from Xcode it is working fine. I have followed the official apple document to implement it. below is how I'm requesting the authentication: currentNonce = randomNonceString() let request = ASAuthorizationAppleIDProvider().createRequest() request.requestedScopes = [.fullName, .email] let controller = ASAuthorizationController(authorizationRequests: [request]) request.nonce = currentNonce?.sha256() controller.delegate = self controller.presentationContextProvider = self controller.performRequests() Below are delegates: func authorizationController(controller: ASAuthorizationController, didCompleteWithAuthorization authorization: ASAuthorization) {         switch authorization.credential {         case let appleIDCredential as ASAuthorizationAppleIDCredential: //Authenticated             break         default:             break         } }     func presentationAnchor(for controller: ASAuthorizationController) -> ASPresentationAnchor {         return self.view.window! }     func authorizationController(controller: ASAuthorizationController, didCompleteWithError error: Error) { Utils.showAlert(withMessage: error.localizedDescription) } Any help would be appreciated

Hi devs!!! Calling createCredentialRegistrationRequestWithChallenge returns the following error: Error Domain=NSCocoaErrorDomain Code=4097 "connection to service named com.apple.AuthenticationServicesCore.AuthenticationServicesAgent" UserInfo={NSDebugDescription=connection to service named com.apple.AuthenticationServicesCore.AuthenticationServicesAgent} What can be the potential reason?

I am creating a react app and am making use of Webauthn to use TouchID or FaceID for user authentication. I have built my app so that when the button is clicked, navigator.credentials.create is the only call made. With attestation set to none, there are no issues however as soon as I set attestation to direct I get an alert saying 'The operation can't be completed' and 'NotAllowedError: This request has been cancelled by the user.' is logged to console. The issue only presents itself on Safari and iOS devices however works perfectly on other browsers like Chrome. Has anyone encountered a similar issue and possibly know how to resolve it? Thanks Shay

Apple rejected our app because when we use the Apple Sign Up button, the full name in the response is empty, but we need the first and last name in our app registration, so, the Text inputs in the app, first and last name is filled empty and we let the users enter those values, but Apple wants the users not to enter the values because the service already returns them but in our case are empty. We are using React native react-native-apple-authentication. Can anyone help us or have the same issue with apple review and how did you fix it?

Hi, Currently, we do have native signin and home grown biometric solution leveraging Device biometrics within App and We have plans to adopt OAuth2.0 and OIDC using ASWebauthenticationsession. But we primarily wanted to know Perspectives from Apple with regards to UI/UX / Standards / Security while adopting OAuth2.0 and OIDC. Please note that we dont have Apple SignIn or any other social login within App currently.

I am trying to make simple app auth. In ContentView I have two tabs, each tab will have their own .task{} in which I will make an HTTP request to obtain some data. The problem that I am facing is when you open the app, switch tabs and tap "toggle" at the top, you will see in the console that both .task{} and .onAppear{} has been called event tho these views wren't visible at all. Why? And how to make API calls only when app states is logged As a workaround I could add extra check in each .task to check the app state but it doesn't seems right... import SwiftUI @main struct myApp: App { @StateObject private var auth: Auth = Auth() var body: some Scene { WindowGroup { if auth.isLogged { ContentView() .environmentObject(auth) } else { VStack { Button("toggle auth") { auth.isLogged.toggle() } } } } } } @MainActor class Auth: ObservableObject { @Published var isLogged: Bool = false } struct ContentView: View { // Annimatin Properties @State private var expanded: Bool = false @Namespace private var animation @EnvironmentObject var auth: Auth var body: some View { Button("toggle") { self.auth.isLogged.toggle() } TabView { SampleTab("Listen Now", "play.circle.fill") SampleTab("Browse", "square.grid.2x2.fill") } } @ViewBuilder func CustomBottomSheet() -> some View { // Animating sheet backgrund (To look like it's expanding from the Bottom) VStack { Text("Hello") } .frame(height: 70) .overlay(alignment: .bottom, content: { Rectangle() .fill(.gray.opacity(0.3)) .frame(height: 1) }) .offset(y: -49) } @ViewBuilder func SampleTab(_ title: String, _ icon: String) -> some View { // iOS Bug, it can be avoided by wrapping the view inside ScrollView ScrollView(.vertical, showsIndicators: false, content: { Text(title) .padding(.top, 25) }) .tabItem { Image(systemName: icon) Text(title) } .onAppear { print("======= onappear \(title)") } .task { // I am gonna make an HTPP request here... print("======= task \(title)") } } }

I keep receiving the error message when trying to login to the dev portal "service not available because of maintenance activities". Can someone help me to figure out what is going on?

The issue is about Passkeys. When the website (RP) is not using the default https port (443), the relyingPartyIdentifier for ASAuthorizationPlatformPublicKeyCredentialProvider(relyingPartyIdentifier: "example.com") needs to contain the port number, otherwise it returns Application is not associated with the domain. That is incorrect behavior, the RP ID should not contain a port number. In WebAuthn sepc. (https://www.w3.org/TR/webauthn-2/#relying-party-identifier), it mentioned that a relying party identifier is a valid domain string. The definition of valid domain string doesn't contain a port number. (https://url.spec.whatwg.org/#valid-domain)

We need to append some values in the User-Agent HTTP header for our SSO flows. We use the ASWebAuthenticationSession class as you should, but I can't find any information on how to modify the headers in this web view. I have tried setting the "global" user agent via UserDefaults.standard.register(defaults: ["UserAgent": "fakeUserAgent"]) While it does change the User-Agent in WKWebView, it seemingly does not impact the ASWebAuthenticationSession. There are also no configuration settings to change headers or User-Agent on ASWebAuthenticationSession. Is it not possible by security design?

Hello. In order to respect the anonymity of the users of my web platform (by storing as little private data as possible in the database) I would like to know if OSx like its competitor Android proposes to use the internal security of the device (linked to a personal account - Apple or Android ID) to authenticate a user by requiring only his personal ID (or generated by the OS and intended for all browsers) for a double authentication and thus at the click of a button on the website send a text message on the phone (or all devices connected to the same account) to confirm to be the same person who accesses his personal account. using the same functionality as : . e.g. which would call the OS dual authentication system and ask the device (phone or tablet) to display a request for authentication confirmation either by simply clicking a button or by filling in a 6 digit code. Is it possible and does that exist ?

I have deployed an app in Xcode via USB to two devices and they are working fine including login and signup developed using CloudKit. I have also deployed the same app using TestFlight but the app deployed through testFlight is not responding to the signup and login

I have a bit of a tricky severe hang in my app launch processing code path. Here is the detail: I have a .task modifier from the main ContentView that calls into the signInWithAppleManager.checkUserAuth method, which is marked async. I've tried wrapping the offending line in a Task block to get it off of the main thread, but it still hangs, and is still running on the main thread. Ironically, I found the hang after watching "Analyze Hangs With Instruments" from WWDC 23. However, at the point in the video towards the end where he discusses shared singletons, he mentions resolving a similar issue by making the shared singleton async, and then skips over how he would do it, kind of seemingly presenting a gap in analysis and debugging, while also explaining idle state ... kind of more irony. Thanks in advance! Task { let appleIDProvider = ASAuthorizationAppleIDProvider() Is there anything else that I can do to resolve this? Here is the code: public class SignInWithAppleManager: ObservableObject { @Published public private(set) var userAuthenticationState: AuthState = .undefined public static let shared = SignInWithAppleManager() private init() { } func signOutUser() async { KeychainItem.deleteUserIdentifierFromKeychain() await SignInWithAppleManager.shared.updateUserAuthenticationState(authState: .signedOut) } @MainActor func userAuthenticated() async { self.userAuthenticationState = .signedIn } @MainActor func userSignedOut() async { self.userAuthenticationState = .undefined } func simulateAuthenticated() async -&gt; Bool { return false } public var isAuthenticated: Bool { return self.userAuthenticationState == .signedIn } @MainActor func updateUserAuthenticationState(authState: AuthState) async { debugPrint("Current authstate: \(self.userAuthenticationState) New auth state: \(authState)") self.userAuthenticationState = authState } public func checkUserAuth() async -&gt; AuthState { debugPrint(#function) //completion handler defines authstate if KeychainItem.currentUserIdentifier == "" || KeychainItem.currentUserIdentifier == "simulator" { debugPrint("User identifier is empty string") await updateUserAuthenticationState(authState: .undefined) //userid is not defined in User defaults bc empty, something went wrong } else { await updateUserAuthenticationState(authState: .signedIn) } if await !self.simulateAuthenticated() { // HERE: ‼️ hangs for 2 seconds let appleIDProvider = ASAuthorizationAppleIDProvider() // HERE: ‼️ hangs for 2 seconds do { let credentialState = try await appleIDProvider.credentialState(forUserID: KeychainItem.currentUserIdentifier) switch credentialState { case .authorized: debugPrint("checkUserAuth:authorized") // The Apple ID credential is valid. Show Home UI Here await updateUserAuthenticationState(authState: .signedIn) break case .revoked: debugPrint("checkUserAuth:revoked") // The Apple ID credential is revoked. Show SignIn UI Here. await updateUserAuthenticationState(authState: .undefined) break case .notFound: debugPrint("checkUserAuth:notFound") // No credential was found. Show SignIn UI Here. await updateUserAuthenticationState(authState: .signedOut) break default: debugPrint("checkUserAuth:undefined") await updateUserAuthenticationState(authState: .undefined) break } } catch { // Handle error debugPrint("checkUserAuth:error") debugPrint(error.localizedDescription) await updateUserAuthenticationState(authState: .undefined) } } return self.userAuthenticationState } }

Is there a way to release or generate a secret key when using passkeys? I want to build end-to-end encryption in my app but I also want to deliver a great user experience by leveraging the user's passkey. During authentication I want to also receive a secret that I can use to derive encryption keys. In the future on the web to do this you can leverage the WebAuthn pseudo-random function (PRF) extension. Is there an alternative to this in Authentication Services?