I have implemented Sign in with Apple in my app. The flow goes like this: User taps sign in button In the delegate method I take the auth code and post it to my server. My server sends an activation request to apple and gets an id, refresh, and access tokens. This is where I have a problem: A user requests account deletion. The server sends a request to revoke the access and refresh tokens User may or may not go to settings and revoke "Sign in with Apple" access to the app (the following happens either way) The user then load the app again and taps the Sign in with Apple button. The delegate method provides a valid id token, but the same original auth code instead of generating a new one. The server now gets an invalid response from apple as the auth code is had already expired, and so can't get a new refresh token. The server also can't use the old refresh token as it's been revoked during deletion. Can someone tell me where I'm going wrong? I can't find any documentation for regenerating a refresh token after revoking it. Thank you

Hi, I created a proof of concept app that leverages ASAuthorizationController to authenticate using FIDO2 security keys and passkeys. I get an auth challenge from an internal provider, and leverage the above API(s) to authenticate. Basically the same use case as the following (using existing account): https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication/supporting_security_key_authentication_using_physical_keys#3761984 Initially it worked fine, I got a pop-up with a user prompt. However, after canceling one of the requests (can't remember whether I force-closed the window or just clicked Cancel) I get an error on every subsequent request: response: {"error":"The operation couldn’t be completed. Request already in progress for specified application identifier."} log stream | grep fido2 output: 2023-10-17 16:52:52.740329+0100 0x3f329d Default 0x7d21c1 404 0 tccd: [com.apple.TCC:access] AUTHREQ_ATTRIBUTION: msgID=49962.1, attribution={responsible={TCCDProcess: identifier=com.facebook.fbvscode, pid=3687, auid=501, euid=501, responsible_path=/Applications/VS Code @ FB.app/Contents/MacOS/Electron, binary_path=/Applications/VS Code @ FB.app/Contents/MacOS/Electron}, requesting={TCCDProcess: identifier=com.meta.fido2macos.localDevelopment, pid=49962, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2}, }, 2023-10-17 16:52:52.750530+0100 0x3f329d Default 0x7cde39 404 0 tccd: [com.apple.TCC:access] AUTHREQ_ATTRIBUTION: msgID=402.3441, attribution={responsible={TCCDProcess: identifier=com.facebook.fbvscode, pid=3687, auid=501, euid=501, responsible_path=/Applications/VS Code @ FB.app/Contents/MacOS/Electron, binary_path=/Applications/VS Code @ FB.app/Contents/MacOS/Electron}, accessing={TCCDProcess: identifier=com.meta.fido2macos.localDevelopment, pid=49962, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2}, requesting={TCCDProcess: identifier=com.apple.WindowServer, pid=402, auid=88, euid=88, binary_path=/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer}, }, 2023-10-17 16:52:52.750603+0100 0x3f329d Default 0x7cde39 404 0 tccd: [com.apple.TCC:access] requestor: TCCDProcess: identifier=com.apple.WindowServer, pid=402, auid=88, euid=88, binary_path=/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer is checking access for accessor TCCDProcess: identifier=com.meta.fido2macos.localDevelopment, pid=49962, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2 2023-10-17 16:52:52.803355+0100 0x3f32ad Default 0x0 376 0 launchservicesd: [com.apple.launchservices:cas] CHECKIN:0x0-0xa50a50 49962 com.meta.fido2macos.localDevelopment 2023-10-17 16:52:52.818560+0100 0x3f1eb0 Default 0x7c91e2 930 0 distnoted: [com.apple.distnoted:diagnostic] register name: com.apple.sharedfilelist.change object: com.apple.LSSharedFileList.ApplicationRecentDocuments/com.meta.fido2macos.localdevelopment token: f50000004b pid: 994 2023-10-17 16:52:52.846529+0100 0x3f1eb0 Default 0x0 930 0 distnoted: [com.apple.distnoted:diagnostic] register name: com.apple.xctest.FakeForceTouchDevice object: com.meta.fido2macos.localDevelopment token: 1c00000023 pid: 49962 2023-10-17 16:52:52.866484+0100 0x3f1eb0 Default 0x0 930 0 distnoted: [com.apple.distnoted:diagnostic] register name: com.apple.nsquiet_safe_quit_give_reason object: com.meta.fido2macos.localDevelopment token: 1f00000020 pid: 49962 2023-10-17 16:52:53.027489+0100 0x3f329d Error 0x7d21c8 404 0 tccd: [com.apple.TCC:access] TCCDProcess: identifier=com.meta.fido2macos.localDevelopment, pid=49962, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2 attempted to call TCCAccessRequest for kTCCServiceAccessibility without the recommended com.apple.private.tcc.manager.check-by-audit-token entitlement 2023-10-17 16:52:53.027604+0100 0x3f329d Default 0x7d21c8 404 0 tccd: [com.apple.TCC:access] AUTHREQ_ATTRIBUTION: msgID=49962.2, attribution={accessing={TCCDProcess: identifier=com.knollsoft.Rectangle, pid=1134, auid=501, euid=501, binary_path=/Applications/Rectangle.app/Contents/MacOS/Rectangle}, requesting={TCCDProcess: identifier=com.meta.fido2macos.localDevelopment, pid=49962, auid=501, euid=501, binary_path=/Users/ardi/fbsource/buck-out/v2/gen/fbsource/a6ea8844740f176d/fbobjc/Apps/Internal/FIDO2/__FIDO2__/FIDO2.app/Contents/MacOS/FIDO2}, }, 2023-10-17 16:52:53.059785+0100 0x3f2257 Default 0x7d21c7 77540 0 AuthenticationServicesAgent: (AuthenticationServicesCore) [com.apple.AuthenticationServicesCore:Authorization] Received connection from V9WTTPBFK9.com.meta.fido2macos.localDevelopment I also tried calling ASAuthorizationController::cancel (https://developer.apple.com/documentation/authenticationservices/asauthorizationcontroller/3950923-cancel) in random places but that didn't help either. Happy to follow up more details / code if necessary. Thanks! Similar issue: https://developer.apple.com/forums/thread/723850

According to the documentation - https://github.com/w3c/webauthn/pull/1491 of Apple's Anonymous Attestation Statement Format (fmt="apple"), the nonce generated from the authenticatorData the clientDataHash is embedded in an extension with OID ( 1.2.840.113635.100.8.2 ) in the certificate for the credential public key. If I try to validate a response generated after using touchID from my browser on my iOS14 device, I get a 38-byte value:   414:d=5  hl=2 l=   9 prim: OBJECT            :1.2.840.113635.100.8.2   425:d=5  hl=2 l=  38 prim: OCTET STRING      [HEX DUMP]:3024A1220420D9052FED7AA782C1B416C59B0AE15F309A336E22984E32505307A6339DDE52FD How can this be a SHA-256 hash value?

Hi all! When building with macOS 14 SDK in macOS 14 RC, the Sign In With Apple button(SignInWithAppleButton) stretches its background to occupy the entire window content view. We expect it to be in the area with a red stroke(see the screenshot) Here's the code: struct ContentView: View { var body: some View { SignInWithAppleButton(.signIn, onRequest: { $0.requestedScopes = [.fullName, .email] }, onCompletion: { _ in }) .signInWithAppleButtonStyle(.black) .border(Color.red, width: 3) .padding(80) } } And screenshot: One important addition: the button works, and its hit area remains within that red rectangle. Any help is highly appreciated. Thank you!

In iOS 17 beta 5, the alert controller that pops up when sharing cookies with Safari was different than it was in iOS 16. I'm not sure how many betas this was in, but it said: Do you want to also sign in to in Safari? This allows and in Safari to share information about you such as your account. will work without this. Cancel Sign in to <Your app> & Safari Only Sign in to <Your app> In the official release of iOS 17, the alert is back to having just Cancel and Continue and the text it had previously: Wants to Use to Sign In This allows the app and website to share information about you. Question is, was this a fluke in beta? Is the ability to for users to disable Safari cookies something that is coming back? Is it a setting? I can't seem to find any information about this at all. It was concerning for us in beta, because it seemed like it was going to be a potential source of login issues, but now I'm not sure what to make of it. Thank you!

Apple rejected our app because when we use the Apple Sign Up button, the full name in the response is empty, but we need the first and last name in our app registration, so, the Text inputs in the app, first and last name is filled empty and we let the users enter those values, but Apple wants the users not to enter the values because the service already returns them but in our case are empty. We are using React native react-native-apple-authentication. Can anyone help us or have the same issue with apple review and how did you fix it?

I want to support "Sign in with Apple" for my macOS application. Currently, I'm using WKWebview to support this. I'm able to provide a sign in for the current mac user correctly. But some users try to login with another apple ID, which has FIDO certified keys added as 2FA. Now my WKWebView shows this : But nothing happens when they click on "Continue". I think I need to create some kind of interface in my application for this case, but no clear idea. I can't see much articles for this use case with security keys. Anybody has any idea ?

Everything was working well in the beta version of iOS 17 and the registration and login were done correctly. However, after installing the public(release) version of iOS 17, the functions "completeRegistrationRequest" and "completeAssertionRequest" do not work properly and their completion result is false. and I faced the "Operation failed" error in the "webauthn" website. What's wrong?

Hello, I used the new "Autofill Passkey" feature in my app, and all the registration steps were done well, Finally credential is registered in WebAuthn. But the problem is that when I tap on the "GetAssertion" button, instead of showing my autofill extension UI, a QR code is displayed and the function "prepareInterfaceToProvideCredentialForRequest" is not called. what is the problem? (The app is installed on the iPhone with iOS 17)

I just wrote code for our app to use ASWebAuthenticationSession for 3rd-party authentication (in particular, YUBIKEYS WOOHOO). Our app registers a URI scheme of x-com-kithrup for launch services events, so I used x-com-kithrup-yubi for ASWebAUthenticationSession. Only, I didn't change the back end, so it still redirects to x-com-kithrup://success on a successful login. And... ASWebAuthenticationSession is still calling the handler when it gets a URL with the x-com-kithrup URI, instead of the x-com-kithrup-yubi URI scheme.

Dear developers, In case I want to start building healthcare marketplace app (pharmacies, medical equipments and labs) where every users can search for specific medicine, some Medical equipment and lab test can get a list of pharmacies, labs who provide those products/service. Having said that what could be the best sign in option for (pharmacists, labs, physicians, people/users) on phone number or E-mail or any sign in option that will fit who want to join healthcare app? I want your though guys here as I am trying to have a universal healthcare app that can connect all healthcare people/product/service with people. Thanks in advance for any advice

I am facing one issue while trying to Sign in with Apple. error is as below: "The Operation couldn't be completed (com.apple.AuthenticationServices.AuthorizationError error 1000.)" I get this error as soon as the button is pressed it doesn't even get into the actual sign-in part. I have verified that entitlements file is there with the below content: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC ""> <plist version="1.0"> <dict> <key>aps-environment</key> <string>development</string> <key>com.apple.developer.applesignin</key> <array> <string>Default</string> </array> </dict> </plist> I transferred the project and certificates from another machine. So deleted all the certificates and provisional profiles and recreated them from the new machine but faced an issue. Also, It only happens in exported (Archived build). When I directly install it from Xcode it is working fine. I have followed the official apple document to implement it. below is how I'm requesting the authentication: currentNonce = randomNonceString() let request = ASAuthorizationAppleIDProvider().createRequest() request.requestedScopes = [.fullName, .email] let controller = ASAuthorizationController(authorizationRequests: [request]) request.nonce = currentNonce?.sha256() controller.delegate = self controller.presentationContextProvider = self controller.performRequests() Below are delegates: func authorizationController(controller: ASAuthorizationController, didCompleteWithAuthorization authorization: ASAuthorization) {         switch authorization.credential {         case let appleIDCredential as ASAuthorizationAppleIDCredential: //Authenticated             break         default:             break         } }     func presentationAnchor(for controller: ASAuthorizationController) -> ASPresentationAnchor {         return self.view.window! }     func authorizationController(controller: ASAuthorizationController, didCompleteWithError error: Error) { Utils.showAlert(withMessage: error.localizedDescription) } Any help would be appreciated

Hi, I have a problem with associated domains developing Passkeys app. Adding alternate mode(developer mode) to Associated Domains Entitlement, it works fine. But in non developer mode, CDN doesn't seem to read the AASA file. AASA file's path is: https://(host).(rootdomain)/.well-known/apple-app-site-associtation I checked the TLS certificate conditions and all conditions are met. https://support.apple.com/en-us/HT213464 https://support.apple.com/en-us/HT210176 https://support.apple.com/en-us/102028 Is there another reason why it only works in developer mode? Thanks for your reply.

My App just uses Phone Number Authentication only . There is no Email/Password , Google , FaceBook, Apple or any other Social Authentication. So i just wanted to ask that will my app be accepted by Appstore based on Appstore Guidelines as I am not using Apple Authentication & only using Phone Number Authentication. Your help will mean a lot.

Hi devs!!! Calling createCredentialRegistrationRequestWithChallenge returns the following error: Error Domain=NSCocoaErrorDomain Code=4097 "connection to service named com.apple.AuthenticationServicesCore.AuthenticationServicesAgent" UserInfo={NSDebugDescription=connection to service named com.apple.AuthenticationServicesCore.AuthenticationServicesAgent} What can be the potential reason?