Hello, I used the new "Autofill Passkey" feature in my app, and all the registration steps were done well, Finally credential is registered in WebAuthn. But the problem is that when I tap on the "GetAssertion" button, instead of showing my autofill extension UI, a QR code is displayed and the function "prepareInterfaceToProvideCredentialForRequest" is not called. what is the problem? (The app is installed on the iPhone with iOS 17)

Hi, I have a problem with associated domains developing Passkeys app. Adding alternate mode(developer mode) to Associated Domains Entitlement, it works fine. But in non developer mode, CDN doesn't seem to read the AASA file. AASA file's path is: https://(host).(rootdomain)/.well-known/apple-app-site-associtation I checked the TLS certificate conditions and all conditions are met. https://support.apple.com/en-us/HT213464 https://support.apple.com/en-us/HT210176 https://support.apple.com/en-us/102028 Is there another reason why it only works in developer mode? Thanks for your reply.

I tried to use preferImmediatelyAvailableCredentials option in my sign in via Passkey process and expected to see this logic: If passkey isn’t available (for some reason, for example, user deleted it) the sign up modal sheet appears. But instead of this I got ‘Choose how you’d like in sign in’ sheet. As I understand, preferImmediatelyAvailableCredentials should allow me to fallback to sign up and skip this step but it doesn’t. My code is: func signIn(credId: String) { currentAuthController?.cancel() let securityKeyProvider = ASAuthorizationSecurityKeyPublicKeyCredentialProvider(relyingPartyIdentifier: domain) let publicKeyCredentialProvider = ASAuthorizationPlatformPublicKeyCredentialProvider(relyingPartyIdentifier: domain) let assertionRequest = publicKeyCredentialProvider.createCredentialAssertionRequest(challenge: challengeData) let securityKeyRequest = securityKeyProvider.createCredentialAssertionRequest(challenge: challengeData) if let data = Data(base64urlEncoded: credId) { let cred = ASAuthorizationPlatformPublicKeyCredentialDescriptor(credentialID: data) assertionRequest.allowedCredentials = [cred] } let requests = [assertionRequest, securityKeyRequest] let authController = ASAuthorizationController(authorizationRequests: requests) authController.delegate = self authController.presentationContextProvider = self currentAuthController = authController authController.performRequests(options: .preferImmediatelyAvailableCredentials) }

I just wrote code for our app to use ASWebAuthenticationSession for 3rd-party authentication (in particular, YUBIKEYS WOOHOO). Our app registers a URI scheme of x-com-kithrup for launch services events, so I used x-com-kithrup-yubi for ASWebAUthenticationSession. Only, I didn't change the back end, so it still redirects to x-com-kithrup://success on a successful login. And... ASWebAuthenticationSession is still calling the handler when it gets a URL with the x-com-kithrup URI, instead of the x-com-kithrup-yubi URI scheme.

Dear developers, In case I want to start building healthcare marketplace app (pharmacies, medical equipments and labs) where every users can search for specific medicine, some Medical equipment and lab test can get a list of pharmacies, labs who provide those products/service. Having said that what could be the best sign in option for (pharmacists, labs, physicians, people/users) on phone number or E-mail or any sign in option that will fit who want to join healthcare app? I want your though guys here as I am trying to have a universal healthcare app that can connect all healthcare people/product/service with people. Thanks in advance for any advice

Hi all! When building with macOS 14 SDK in macOS 14 RC, the Sign In With Apple button(SignInWithAppleButton) stretches its background to occupy the entire window content view. We expect it to be in the area with a red stroke(see the screenshot) Here's the code: struct ContentView: View { var body: some View { SignInWithAppleButton(.signIn, onRequest: { $0.requestedScopes = [.fullName, .email] }, onCompletion: { _ in }) .signInWithAppleButtonStyle(.black) .border(Color.red, width: 3) .padding(80) } } And screenshot: One important addition: the button works, and its hit area remains within that red rectangle. Any help is highly appreciated. Thank you!

Everything was working well in the beta version of iOS 17 and the registration and login were done correctly. However, after installing the public(release) version of iOS 17, the functions "completeRegistrationRequest" and "completeAssertionRequest" do not work properly and their completion result is false. and I faced the "Operation failed" error in the "webauthn" website. What's wrong?

Hi, so I'm trying to use security key authentication using physical keys via the native APIs documented on Apple's developer website but am running into errors I don't understand. The application runs on MacOS. The application is signed with an entitlement that contains the associated domain like so: <key>com.apple.developer.associated-domains</key> <array> <string>webcredentials:example.com?mode=developer</string> </array> I have tried with and without ?mode=developer. Here is the error I get: {"error":"The operation couldn’t be completed. The calling process does not have an application identifier. Make sure it is properly configured."} My application identifier is also configured in the .entitlements file. Here is a rough overview of what I'm trying to do (basically, the auth server I'm contacting provides a challenge, and I want to create an assertion and send it back for verification). Trying to replicate the example from the official docs. let options = try! JSONDecoder().decode(Request.self, from: options.data(using: .utf8)!).publicKey let securityKeyProvider = ASAuthorizationSecurityKeyPublicKeyCredentialProvider(relyingPartyIdentifier: options.rpId) let securityKeyRequest = securityKeyProvider.createCredentialAssertionRequest(challenge: options.challenge.decodeBase64Url()!) let platformProvider = ASAuthorizationPlatformPublicKeyCredentialProvider(relyingPartyIdentifier: options.rpId) let platformKeyRequest = platformProvider.createCredentialAssertionRequest(challenge: options.challenge.decodeBase64Url()!) securityKeyRequest.userVerificationPreference = ASAuthorizationPublicKeyCredentialUserVerificationPreference(rawValue: options.userVerification ?? "preferred") securityKeyRequest.allowedCredentials = [] for credential in (options.allowCredentials ?? []) { let id = credential.id.decodeBase64Url()! let transports = ASAuthorizationSecurityKeyPublicKeyCredentialDescriptor.Transport.allSupported let descriptor = ASAuthorizationSecurityKeyPublicKeyCredentialDescriptor(credentialID: id, transports: transports) securityKeyRequest.allowedCredentials.append(descriptor) } securityKeyRequest.allowedCredentials = [] let authController = ASAuthorizationController(authorizationRequests: [platformKeyRequest, securityKeyRequest]) return run(authController: authController) Happy to provide more context if necessary. Thanks in advance!

I want to support "Sign in with Apple" for my macOS application. Currently, I'm using WKWebview to support this. I'm able to provide a sign in for the current mac user correctly. But some users try to login with another apple ID, which has FIDO certified keys added as 2FA. Now my WKWebView shows this : But nothing happens when they click on "Continue". I think I need to create some kind of interface in my application for this case, but no clear idea. I can't see much articles for this use case with security keys. Anybody has any idea ?

In iOS 17 beta 5, the alert controller that pops up when sharing cookies with Safari was different than it was in iOS 16. I'm not sure how many betas this was in, but it said: Do you want to also sign in to in Safari? This allows and in Safari to share information about you such as your account. will work without this. Cancel Sign in to <Your app> & Safari Only Sign in to <Your app> In the official release of iOS 17, the alert is back to having just Cancel and Continue and the text it had previously: Wants to Use to Sign In This allows the app and website to share information about you. Question is, was this a fluke in beta? Is the ability to for users to disable Safari cookies something that is coming back? Is it a setting? I can't seem to find any information about this at all. It was concerning for us in beta, because it seemed like it was going to be a potential source of login issues, but now I'm not sure what to make of it. Thank you!

I have many questions about iOS passkey. I'm using my app extension to implement something similar to an iCloud passkey authenticator. I securely store my self-generated keys in the Secure Enclave (SE). I'd like to know how to make the extension execute the prepareInterfaceToProvideCredentialForRequest method instead of provideCredentialWithoutUserInteractionForIdentity. I need to display a UI to obtain my key. Please provide assistance. Thank you.

Hi, I created a proof of concept app that leverages ASAuthorizationController to authenticate using FIDO2 security keys and passkeys. I get an auth challenge from an internal provider, and leverage the above API(s) to authenticate. Basically the same use case as the following (using existing account): https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication/supporting_security_key_authentication_using_physical_keys#3761984 Initially it worked fine, I got a pop-up with a user prompt. However, after canceling one of the requests (can't remember whether I force-closed the window or just clicked Cancel) I get an error on every subsequent request: response: {"error":"The operation couldn’t be completed. Request already in progress for specified application identifier."} log stream | grep fido2 output: 2023-10-17 16:52:52.740329+0100 0x3f329d Default 0x7d21c1 404 0 tccd: [com.apple.TCC:access] AUTHREQ_ATTRIBUTION: msgID=49962.1, attribution={responsible={TCCDProcess: identifier=com.facebook.fbvscode, pid=3687, auid=501, euid=501, responsible_path=/Applications/VS Code @ FB.app/Contents/MacOS/Electron, binary_path=/Applications/VS Code @ FB.app/Contents/MacOS/Electron}, requesting={TCCDProcess: identifier=com.meta.fido2macos.localDevelopment, pid=49962, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2}, }, 2023-10-17 16:52:52.750530+0100 0x3f329d Default 0x7cde39 404 0 tccd: [com.apple.TCC:access] AUTHREQ_ATTRIBUTION: msgID=402.3441, attribution={responsible={TCCDProcess: identifier=com.facebook.fbvscode, pid=3687, auid=501, euid=501, responsible_path=/Applications/VS Code @ FB.app/Contents/MacOS/Electron, binary_path=/Applications/VS Code @ FB.app/Contents/MacOS/Electron}, accessing={TCCDProcess: identifier=com.meta.fido2macos.localDevelopment, pid=49962, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2}, requesting={TCCDProcess: identifier=com.apple.WindowServer, pid=402, auid=88, euid=88, binary_path=/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer}, }, 2023-10-17 16:52:52.750603+0100 0x3f329d Default 0x7cde39 404 0 tccd: [com.apple.TCC:access] requestor: TCCDProcess: identifier=com.apple.WindowServer, pid=402, auid=88, euid=88, binary_path=/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer is checking access for accessor TCCDProcess: identifier=com.meta.fido2macos.localDevelopment, pid=49962, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2 2023-10-17 16:52:52.803355+0100 0x3f32ad Default 0x0 376 0 launchservicesd: [com.apple.launchservices:cas] CHECKIN:0x0-0xa50a50 49962 com.meta.fido2macos.localDevelopment 2023-10-17 16:52:52.818560+0100 0x3f1eb0 Default 0x7c91e2 930 0 distnoted: [com.apple.distnoted:diagnostic] register name: com.apple.sharedfilelist.change object: com.apple.LSSharedFileList.ApplicationRecentDocuments/com.meta.fido2macos.localdevelopment token: f50000004b pid: 994 2023-10-17 16:52:52.846529+0100 0x3f1eb0 Default 0x0 930 0 distnoted: [com.apple.distnoted:diagnostic] register name: com.apple.xctest.FakeForceTouchDevice object: com.meta.fido2macos.localDevelopment token: 1c00000023 pid: 49962 2023-10-17 16:52:52.866484+0100 0x3f1eb0 Default 0x0 930 0 distnoted: [com.apple.distnoted:diagnostic] register name: com.apple.nsquiet_safe_quit_give_reason object: com.meta.fido2macos.localDevelopment token: 1f00000020 pid: 49962 2023-10-17 16:52:53.027489+0100 0x3f329d Error 0x7d21c8 404 0 tccd: [com.apple.TCC:access] TCCDProcess: identifier=com.meta.fido2macos.localDevelopment, pid=49962, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2 attempted to call TCCAccessRequest for kTCCServiceAccessibility without the recommended com.apple.private.tcc.manager.check-by-audit-token entitlement 2023-10-17 16:52:53.027604+0100 0x3f329d Default 0x7d21c8 404 0 tccd: [com.apple.TCC:access] AUTHREQ_ATTRIBUTION: msgID=49962.2, attribution={accessing={TCCDProcess: identifier=com.knollsoft.Rectangle, pid=1134, auid=501, euid=501, binary_path=/Applications/Rectangle.app/Contents/MacOS/Rectangle}, requesting={TCCDProcess: identifier=com.meta.fido2macos.localDevelopment, pid=49962, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2}, }, 2023-10-17 16:52:53.059785+0100 0x3f2257 Default 0x7d21c7 77540 0 AuthenticationServicesAgent: (AuthenticationServicesCore) [com.apple.AuthenticationServicesCore:Authorization] Received connection from V9WTTPBFK9.com.meta.fido2macos.localDevelopment I also tried calling ASAuthorizationController::cancel (https://developer.apple.com/documentation/authenticationservices/asauthorizationcontroller/3950923-cancel) in random places but that didn't help either. Happy to follow up more details / code if necessary. Thanks! Similar issue: https://developer.apple.com/forums/thread/723850

I have implemented Sign in with Apple in my app. The flow goes like this: User taps sign in button In the delegate method I take the auth code and post it to my server. My server sends an activation request to apple and gets an id, refresh, and access tokens. This is where I have a problem: A user requests account deletion. The server sends a request to revoke the access and refresh tokens User may or may not go to settings and revoke "Sign in with Apple" access to the app (the following happens either way) The user then load the app again and taps the Sign in with Apple button. The delegate method provides a valid id token, but the same original auth code instead of generating a new one. The server now gets an invalid response from apple as the auth code is had already expired, and so can't get a new refresh token. The server also can't use the old refresh token as it's been revoked during deletion. Can someone tell me where I'm going wrong? I can't find any documentation for regenerating a refresh token after revoking it. Thank you

after subscribing, I want to have users log in for a few reasons core to the functionality of the app. However, Apple has requirements about this, stating it needs to be optional. however, I want to have my backend layer secure so that we check a user session each time a request is made, without a check its basically open to the public which I don’t like. Without a login, there is no session To provide. we use RevenueCat for managing subscriptions But I don’t want to rely on their servers for checking subscription status…is that the only option? do I have an option to secure my api layer another way, without login session?

Hello, We recently noticed that the passkeys that our application registers in the ASCredentialIdentityStore are removed after a while and we have to register them again. Do you have any ideas? Or is it possible that this happens automatically even though the application is terminated?

We are relying on ASWebAuthenticationSession to do web authentication. Since the API doesn't support POST requests directly we have to generate local file in ~/Library/Application Support/<foo.bar>/WebAuth.html containing the POST and use initial URL as file:///Users//Library/Application%20Support//WebAuth.html Problem is that Safari sometimes pops a dialog "Confirm the file to load" and sometimes it doesn't. This doesn't depend on "Full Disk access" TCC. Does anybody know a way to prevent this from happening? MDM option or something? Also styling of the popup is a rather poor UI choice - looks very confusing and like the user may choose another file to load. Chrome f.e. doesn't do such popups. I already have FB13340210 for this.

Hey, I'm looking for some help with ASAuthorizationController and passkeys. It seems that wildcards in applinks for subdomains break passkeys for the main domain. The app has the following entries in entitlements: webcredentials: mydomain.com applinks: mydomain.com applinks: *.mydomain.com mydomain.com is a placeholder for the actual domain The AASA file is hosted only at mydomain.com and contains a correctly formatted "webcredentials" entry. { "webcredentials": { "apps": [ "app-id-corretly-formatted" ] }, "applinks": { "apps": [], "details": [ // ... ] } } When I use ASAuthorizationController with the domain mydomain.com, it reports the following error: Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1004 "Application with identifier X is not associated with domain mydomain.com" UserInfo={NSLocalizedFailureReason=Application with identifier X is not associated with domain mydomain.com If I remove the following line from the entitlements "applinks: *.mydomain.com", it works as expected: webcredentials: mydomain.com applinks: mydomain.com It appears that the problem is with the wildcard in the subdomains. Has someone experienced this issue?

I am using Okta Web Redirect Sign-in on my iPhone app. Even on Safari, same response. Ideally it should show me some message but it is not. It asks for username, password upon submit it stuck. And ask to download a file. Have a look at attached screenshot. How to resolve this issue? Thank you in advance.

I updated the app bundle ID of my app in my associated domains file on my server which can be viewed using the Apple CDN at (https://app-site-association.cdn-apple.com/a/v1/myApp.app) and on my server at (https://myApp.app/.well-known/apple-app-site-association). All I did was update the app Bundle ID of my app in Xcode and likewise in the associated domains file, and now it is no longer working and I'm getting the error Application with identifier ABCDE12345.app.myApp.MyApp is not associated with domain myApp.app. This error is thrown when attempting to use the webcredentials portion of the associated domain file for logging in via Passkey. I've waited for 6 days to let the changes propagate through the CDN but the issue is persisting. Strangely enough, it has worked a few times since I changed it but almost always fails. This intermittent behavior leads me to believe it might be something up with the CDN? The only thing I changed about my appID was the domain, e.g. ABCDE12345.io.oldDomain.MyApp to ABCDE12345.app.myApp.MyApp. My file is structured as so: { "applinks": { "apps": [], "details": [ { "appID": "ABCDE12345.app.myApp.MyApp", "components": [ ... ] } ] }, "webcredentials": { "apps": [ "ABCDE12345.app.myApp.MyApp" ] } } Likewise I updated the entitlements in my app to webcredentials:myApp.app from webcredentials:oldDomain.io and similarly for the appLinks. I've tried deleting the app, restarting Xcode, clean builds, all that jazz to no avail. Any advice you have for remedying this would be greatly appreciated. This has brought my beta to a halt because no one can log in or sign up. Thank you.

In my app user accounts are handled with Firebase Auth. When creating a user how can I get the system to suggest a Unique password (that prompt that comes up on the keyboard) and also how can i get it to save these details to the keychain. My app will have a website in the future so I want the details come up when the user tries to login there. When the user logs in i used the func below to save the details to the keychain, it says the details have been saved but it doesnt seem to come up in the passwords tab in Settings. func saveCredentialsToKeychain(email: String, password: String) { let query: [String: Any] = [ kSecClass as String: kSecClassInternetPassword, kSecAttrServer as String: "myWebsite.com", kSecAttrAccount as String: email, kSecValueData as String: password.data(using: .utf8)!, kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlocked ] let status = SecItemAdd(query as CFDictionary, nil) if status == errSecSuccess { print("Credentials saved to Keychain") } else { print("Error saving credentials to Keychain: \(status)") } }