Authentication Services

Improve the experience of users when they enter credentials to establish their identity using Authentication Services.

Posts under Authentication Services tag

95 Posts
Post | Replies | Boosts | Views | Activity

Unable to use custom PAM with /etc/pam.d/authorization
I created a custom PAM module following this and it works fine with /etc/pam.d/sudo but doesn't work with /etc/pam.d/authorization and /etc/pam.d/login.

sudo:

    # sudo: auth account password session
    auth       include        sudo_local
    auth       sufficient     /usr/local/Cellar/cpam/1.0.0/lib/security/cpam.so
    auth       sufficient     pam_smartcard.so
    auth       required       pam_opendirectory.so
    account    required       pam_permit.so
    password   required       pam_deny.so
    session    required       pam_permit.so

authorization:

    # authorization: auth account
    auth       sufficient     /usr/local/Cellar/cpam/1.0.0/lib/security/cpam.so
    auth       optional       pam_krb5.so use_first_pass use_kcminit no_auth_ccache
    auth       optional       pam_ntlm.so use_first_pass
    auth       sufficient     pam_smartcard.so use_first_pass
    account    required       pam_opendirectory.so

Is it even allowed to add a custom PAM module to /etc/pam.d/login or /etc/pam.d/authorization? Is it possible to create a mechanism with custom logic and replace it with builtin:authenticate,privileged in the system.login.console authorization right? Note: I have also tried moving the .so file to /usr/lib/pam but it failed even after disabling SIP.
Replies: 0 | Boosts: 0 | Views: 205 | Activity: May ’24
Passkey authentication failure due to RPID mismatch
Hello, I am facing a passkey authentication failure during cross-device authentication. After I called completeAssertionRequest with passkeyCredential, I am encountering the issue attached, and I am unable to find where the RPID mismatch is coming from and what it is referencing. It would be great if I could know the source of the RPID hash (found). Thanks.

    Returned credential failed validation: Error Domain=com.apple.AuthenticationServicesCore.AuthorizationError Code=14 "RPID hash did not match expected value. Expected xMTokW1VIYg2DZVB9lCtheT+0n8NxHvx4HaxTPhH4bY=, found: eE1Ub2tXMVZJWWcyRFpWQjlsQ3RoZVQtMG44TnhIdng=." UserInfo={NSLocalizedFailureReason=RPID hash did not match expected value. Expected xMTokW1VIYg2DZVB9lCtheT+0n8NxHvx4HaxTPhH4bY=, found: eE1Ub2tXMVZJWWcyRFpWQjlsQ3RoZVQtMG44TnhIdng=.}
Replies: 1 | Boosts: 0 | Views: 305 | Activity: May ’24
GIDSignIn as sole authentication
For apps with a login service, the App Review Guidelines require: The login option limits data collection to the user’s name and email address. The login option allows users to keep their email address private as part of setting up their account. The login option does not collect interactions with the app for advertising purposes without consent. I want to use Google Authentication using GIDSignIn pod as my sole authenticator, to avoid the hassle of dealing with username and password. Is it possible to configure GIDSignIn to adhere to these data collection requirements?
Replies: 0 | Boosts: 0 | Views: 208 | Activity: May ’24
Cookie sharing between ASWebAuthenticationSession and Safari (ios)
I'm currently trying to add an OIDC connection to an iOS application. I'm using AppAuth, which will use ASWebAuthenticationSession (because we're targeting recent versions of iOS). We have a login web page that will write a cookie. We'd like this cookie to be shared between the application (using ASWebAuthenticationSession) and the system browser (Safari) so that the user can be recognized and avoid having to log in again. The web page writes a permanent cookie (with an expiry date) and the iOS application uses ASWebAuthenticationSession. And I did not set prefersEphemeralSession to true. So we should be OK with the documentation (SFSafariViewController no longer shares cookies, and session cookies are not shared between ASWebAuthenticationSession and Safari). It should work, if I understand the documentation correctly. Did I miss a point? Or is it a known problem? I also tried to create a simple web page that reads and writes a cookie to do some tests.

    // Name of the test cookie; not declared in the posted snippet, so assumed here
    var cookieName = "testcookie";

    function writeCookie() {
        var value = "something";
        var maxAge = "max-age=" + (365 * 24 * 60 * 60);
        var expiration = new Date();
        expiration.setTime(expiration.getTime() + (365 * 24 * 60 * 60 * 1000));
        var expires = "expires=" + expiration.toUTCString();
        var sameSite = "SameSite=None";
        var secure = ";Secure";
        // Persistent cookie (max-age), sent in cross-site contexts (SameSite=None) and only over HTTPS (Secure)
        document.cookie = cookieName + "=" + value + ";" + maxAge + ";path=/;" + sameSite + secure;
    }

    function readCookie() {
        var cookies = document.cookie.split(';');
        var value = "";
        for (var i = 0; i < cookies.length; i++) {
            var cookie = cookies[i].trim();
            // Match the cookie by its name prefix and strip "name="
            if (cookie.indexOf(cookieName) == 0) {
                value = cookie.substring(cookieName.length + 1, cookie.length);
                break;
            }
        }
        if (value !== "") {
            alert("Cookie value : " + value);
        }
    }

And iOS code:

    currentAuthorizationFlow = OIDAuthState.authState(byPresenting: request, presenting: viewController) { authState, error in
        if let authState = authState {
            print("Authorization succeed")
            self.authState = authState
            if let accessToken = authState.lastTokenResponse?.accessToken,
               let idToken = authState.lastTokenResponse?.idToken {
                completion(.success(TokenResponse(accessToken: accessToken, idToken: idToken)))
                return
            }
        }
        self.authState = nil
        completion(.failure(error))
    }
Replies: 1 | Boosts: 1 | Views: 610 | Activity: Apr ’24
AppKit/Mac Catalyst apps are being rejected by App Review for launching default web browser for login
It seems that all macOS apps currently going through App Review which use ASWebAuthenticationSession (or SwiftUI webAuthenticationSession) are being rejected, because: Reason given: Guideline 4.0 - Design The user is taken to the default web browser to sign in or register for an account, which provides a poor user experience. See here for more details: https://forums.developer.apple.com/forums/thread/750400 If webAuthenticationSession is no longer permitted for production apps, what is the current recommended approach for implementing OAuth 2 authentication?
Replies: 2 | Boosts: 1 | Views: 435 | Activity: Jun ’24
iOS Requests Permission to Sign In when Signing/Logging Out
When using an ASWebAuthenticationSession to log in, with prefersEphemeralSession = false to enable SSO, the system presents an alert asking if the user wants to allow "SomeApp" to Sign In with "someauthprovider.xyz". The system presents exactly the same alert when you want to log out, and it is confusing for users. It's my understanding that the system does this because the alert really means "would you like to allow this app to let some page access Safari's shared cookie vault?" in lay terms, and is not distinguishing between create, read, update, or delete. It would be splendid if Apple changes this dialog depending on the operation. I would also like to know if there is any other way to fix this.
Replies: 1 | Boosts: 0 | Views: 414 | Activity: Apr ’24
App review rejected due to OTP login system
We have recently rolled out a one-time-password-only login system for our app. Access to our app is by invite only and users are required to register outside of the app to set up their account (it is an app for events & conferences). The majority of users have requested this login system as it is more secure and easier than a traditional password. I submitted the app for review, but it was rejected as the Apple tester required the email access code that was sent when they entered the tester email address we have in the app description. Does anyone have any advice on how we can remedy this so that our app does not keep getting rejected for this reason? Thanks
Replies: 0 | Boosts: 0 | Views: 287 | Activity: Apr ’24
OAuth using ASWebAuthenticationSession, redirect URI
Hello, My app uses OAuth to connect to two services. To get the authorization code, originally, they both allowed a URI in the form of "com.SmartVentsTwo://auth". Now, the second one changed and requires that the URI be a complete URL starting with HTTPS. Needless to say, the second stopped working. I read several different articles and posts about this difference telling me a range of things to do, from simply adding "https://com.SSmarVentsTwo://auth" to the URL types in the project settings, to creating a redirect from my website. It would seem the most secure would be the former since it doesn't require extra jumps, but it didn't work. When I tried it, after logging in and authorizing the request, I got a "could not find server" error. What are the exact steps I need to follow to accommodate the change? (Thank you very much!!)
Replies: 7 | Boosts: 0 | Views: 640 | Activity: Apr ’24
Trader Account - Phone Verification
Hello, I'm trying to enroll in the trader account program, but after filling out the form and then entering the email verification code that was sent, I never receive the phone OTP code that I'm supposed to receive. I'm not from the US; my country code is +51, so I select that in the dial code combo box and then enter my number, which is 9 digits long. However, I tried with a US phone from a friend and it works just fine; he does receive the confirmation code. How can I fix this? I already have an app stuck for over 1 week because of this. I've called Apple support multiple times and they ask me to send evidence via email, which I have. They've told me it was "scaled" to the engineering team, but of course that's gonna take a long while for it to be fixed. Has anyone encountered a similar problem? I believe there's gotta be a quirk or something in that form that will actually get the system to work.
Replies: 2 | Boosts: 0 | Views: 512 | Activity: Apr ’24
New initializer for ASWebAuthenticationSession
I have noticed that there is a new initializer for ASWebAuthenticationSession in macOS 14.4. The standard initializer has been deprecated without further info. The new initializer looks as follows:

    init(url: URL, callback: ASWebAuthenticationSession.Callback, completionHandler: ASWebAuthenticationSession.CompletionHandler)

This initializer takes a callback object of class ASWebAuthenticationSession.Callback. But this class cannot be initialized and also cannot be subclassed. When you try to do this, there will be the following error in Xcode: 'init()' is unavailable. The documentation also does not give any hint on how to use it; it just defines 2 class methods and a method called func matchesURL(URL) -> Bool, which could mean that by using this method you could match any arbitrary URL to continue the process. Has anyone figured out what to do with this?
Replies: 1 | Boosts: 0 | Views: 570 | Activity: Mar ’24
Mutual TLS authentication using PIV card fails to send the entire client cert chain
My organization is using mutual TLS authentication for HTTPS, with PIV cards storing the certs. We observe that some OS X devices send only the leaf certs when establishing the mTLS connection, whereas others send the entire chain. We cannot validate the leaf cert without the intermediate cert, so those clients are rejected. What drives the decision whether to send the whole chain vs. the leaf cert only? For more details, and some things we observed: The PIV cards are US DoD CAC cards: https://www.cac.mil/common-access-card/ The client cert chain on the card looks like this:

    1. Leaf client cert, CN=LastName.Name
    2. Intermediate cert, CN=DOD ID CA-70
    3. "Root" cert, CN=DoD Root CA 6
    4 through 8: Additional interoperability certs.

Our system is set up to trust the "root" cert CN=DoD Root CA 6. Neither the leaf cert nor the other certs in the chain are trusted by the Apple Keychain Trust Store by default. We find that most laptops will send the entire chain, 1 through 8, when establishing the mTLS connection with our servers. This allows us to validate them correctly. On a subset of OS X devices, Google Chrome will only send the leaf cert. This happens even when we use the exact same PIV card and the exact same PIV reader as on working laptops. Safari will not send any cert at all. We found that if we explicitly add CN=DoD Root CA 6 to the Apple Trust Store, Google Chrome and Safari will start sending a short chain, containing only certs 1 through 3. This allows the server to validate them. When we remove it from the Trust Store, Chrome is back to sending only the leaf, but Safari will not even send the leaf. Again, this only happens on some laptops; on most of the laptops, both Safari and Google Chrome will send the entire chain, regardless of whatever is set up in the Trust Store. My suspicion is that for some reason, on those laptops, Safari will not send the client certs that OS X doesn't trust. This makes sense, but this is not the behavior we want. We want the same behavior as on the working laptops, which is to send the whole chain. All of our laptops are on OS X 14.4.
Replies: 0 | Boosts: 0 | Views: 433 | Activity: Mar ’24
Apple Sign In required when only for existing customers?
I'm getting ready to release the first version of our app, which is designed for existing (paying) customers of our service. The app will only have a Sign In functionality for the first few versions, i.e. users cannot create a new account through the app. We currently only have password or Google authentication through the website. I'm wondering how the App Store guidelines apply here. It seems that since the March 4, 2020 update, Apple Sign In is required when using any other third-party OAuth providers (Google in our case). However, I'm unclear if the listed exceptions cover this scenario. To state the obvious, users do not currently have a way to create an account with Apple Sign In, so exactly 0 users will ever succeed in logging in with that button if I'm required to put it. I understand the guidelines if we're talking about creating accounts, but since this is Sign In only, is it still required to provide it as an option? Thanks in advance!
Replies: 0 | Boosts: 0 | Views: 562 | Activity: Mar ’24
Certificate based authentication along with 2FA
I would like to implement certificate-based authentication using MSCA as the authenticator, along with 2FA as OTP/push. I have achieved the same using an authorization plugin, where the first factor is user name and password and for the second factor it goes to my server for OTP verification. In this case I would like to go to MACS for the primary factor as certificate authentication, and after that I would like to go to my server for the second factor.
Replies: 0 | Boosts: 0 | Views: 345 | Activity: Mar ’24
iCloud Password Manager for associated domains broken in iOS 17.4
I’m looking to see if anybody else has noticed that iOS 17.4 seems to have broken password autofill for associated domains. Meaning, if I open my app to the login page (web view), it recognizes the associated domains and the passwords in my keychain. If I tap on my user name, my keychain is unlocked with biometrics (Face ID) and I’m returned to the page, but the user name and password fields are not filled in. This just started happening in iOS 17.4 (17.3.1 works fine, for example). Interestingly, if you choose the 🔑 icon on the right side of the keyboard and then choose your credentials, you get a blank page until you tap in a text field, then the username and password show up. I have filed a bug report with Apple, but in the meantime I was curious if anybody else has seen this or has a solution.
Replies: 3 | Boosts: 0 | Views: 707 | Activity: Mar ’24
Determining if user has passkey for service already?
I'm working my way through adding passkey support to my app. At app launch, I'd like to test to see if the user has already created a passkey for the service, and if not, immediately present the account creation UI. Is there an API call I can make to see if the user already has a credential? From the examples I’ve found, it seems I should just try to sign in, and I’ll get an error callback if there are no stored credentials. Is that right?
Replies: 4 | Boosts: 0 | Views: 863 | Activity: Mar ’24
"excludeCredentials" restricted to iOS 17.4 in Xcode 15.3
The below code used to compile for iOS 16.0 and above when using Xcode 15.2. Now it seems that ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest.excludeCredentials is only available on iOS 17.4 and above in Xcode 15.3? Is there any reason that's the case?

    let request = ASAuthorizationPlatformPublicKeyCredentialProvider(relyingPartyIdentifier: id)
        .createCredentialRegistrationRequest(challenge: challengeData, name: name, userID: userIDData)
    // ERROR: 'excludedCredentials' is only available in iOS 17.4 or newer
    request.excludedCredentials = registrationOptions.excludeCredentials
Replies: 1 | Boosts: 0 | Views: 564 | Activity: Mar ’24
Question on the new passkey provider interface
How do we find such info as attestationPreference through the prepareInterface() API? Is there a way to access ASAuthorizationPublicKeyCredentialRegistrationRequest? I don't see how we can achieve this through ASPasskeyCredentialRequest in prepareInterface(forPasskeyRegistration:) for iOS. A broader question is: do we even have access to the WebAuthn extensions in a third-party passkey manager? Thanks, Joshua
Replies: 2 | Boosts: 0 | Views: 521 | Activity: Mar ’24