Authentication Services


Improve the experience of users when they enter credentials to establish their identity using Authentication Services.

Posts under Authentication Services tag

95 Posts

Apple Sign In required when only for existing customers?
I'm getting ready to release the first version of our app, which is designed for existing (paying) customers of our service. The app will only have a Sign In functionality for the first few versions, i.e. users cannot create a new account through the app. We currently only have password or Google authentication through the website. I'm wondering how the App Store guidelines apply here. It seems that since the March 4, 2020 update, Apple Sign In is required when using any other third-party OAuth providers (Google in our case). However, I'm unclear if the listed exceptions cover this scenario. To state the obvious, users do not have a way currently to create an account with Apple Sign In, so exactly 0 users will ever succeed in logging in with that button if I'm required to put it. I understand the guidelines if we're talking about creating accounts, but since this is Sign In only, is it still required to provide as an option? Thanks in advance!
0 replies · 0 boosts · 562 views · last activity Mar ’24
Mutual TLS authentication using PIV card fails to send the entire client cert chain
My organization is using mutual TLS authentication for HTTPS, with PIV cards storing the certs. We observe that some OS X devices send only the leaf certs when establishing the mTLS connection, whereas others send the entire chain. We cannot validate the leaf cert without the intermediate cert, so those clients are rejected. What drives the decision whether to send the whole chain vs. the leaf cert only?

For more details, and some things we observed. The PIV cards are US DoD CAC cards: https://www.cac.mil/common-access-card/

The client cert chain on the card looks like this:

    1. Leaf client cert, CN=LastName.Name
    2. Intermediate cert, CN=DOD ID CA-70
    3. "Root" cert, CN=DoD Root CA 6
    4 through 8: Additional interoperability certs.

Our system is set up to trust the "root" cert CN=DoD Root CA 6. Neither the leaf cert nor the other certs in the chain are trusted by the Apple Keychain Trust Store by default.

We find that most laptops will send the entire chain, 1 through 8, when establishing the mTLS connection with our servers. This allows us to validate them correctly. On a subset of OS X devices, Google Chrome will only send the leaf. This happens even when we use the exact same PIV card and the exact same PIV reader as on working laptops. Safari will not send any cert at all.

We found that if we explicitly add the CN=DoD Root CA 6 to the Apple Trust Store, Google Chrome and Safari will start sending a short chain, containing only certs 1 through 3. This allows the server to validate them. When we remove it from the Trust Store, Chrome is back to sending only the leaf, but Safari will not even send the leaf. Again, this only happens on some laptops; on most of the laptops, both Safari and Google Chrome will send the entire chain, regardless of whatever is set up in the Trust Store.

My suspicion is that for some reason, on those laptops, Safari will not send the client certs that OS X doesn't trust. This makes sense, but this is not the behavior we want. We want the same behavior as on the working laptops, which is to send the whole chain. All of our laptops are on OS X 14.4.
0 replies · 0 boosts · 433 views · last activity Mar ’24
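The failure mode in the post above (a client presenting only its leaf, so the server cannot build a path to the trusted root) is usually handled by keeping the known intermediates on the server rather than depending on what each client chooses to send. The Go program below is an added example, not code from the post or from Apple: it constructs a throwaway root/intermediate/leaf chain in memory with illustrative names (Demo Root CA, Demo ID CA, LASTNAME.NAME standing in for DoD Root CA 6, DOD ID CA-70 and the cardholder cert) and then verifies the leaf three ways, leaf only, leaf plus a client-sent intermediate, and leaf only plus a server-side intermediate store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DemoChain is a constructed three-tier chain standing in for
// DoD Root CA 6 -> DOD ID CA-70 -> cardholder leaf. Names are illustrative.
type DemoChain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with the parent's key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func caTemplate(serial int64, cn string) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// NewDemoChain builds the constructed chain in memory (no files, no network).
func NewDemoChain() DemoChain {
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	rootTmpl := caTemplate(1, "Demo Root CA")
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	inter := issue(caTemplate(2, "Demo ID CA"), root, &interKey.PublicKey, rootKey)
	now := time.Now()
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "LASTNAME.NAME"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	leaf := issue(leafTmpl, inter, &leafKey.PublicKey, interKey)
	return DemoChain{Root: root, Intermediate: inter, Leaf: leaf}
}

// VerifyClientLeaf validates a client leaf the way a server does: root is the
// configured trust anchor, presented is whatever extra certs the client sent in
// the handshake, known is the intermediate store the server keeps locally.
// It returns nil when a path from leaf to root can be built.
func VerifyClientLeaf(leaf, root *x509.Certificate, presented, known []*x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	for _, c := range presented {
		inters.AddCert(c)
	}
	for _, c := range known {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	ch := NewDemoChain()
	inter := []*x509.Certificate{ch.Intermediate}
	fmt.Println("leaf only, no server-side intermediates:", VerifyClientLeaf(ch.Leaf, ch.Root, nil, nil))
	fmt.Println("leaf + client-sent intermediate:        ", VerifyClientLeaf(ch.Leaf, ch.Root, inter, nil))
	fmt.Println("leaf only + server-side intermediate:   ", VerifyClientLeaf(ch.Leaf, ch.Root, nil, inter))
}
```

In a Go TLS server the equivalent would live in a VerifyPeerCertificate callback. Note that simply adding the intermediate to ClientCAs is not the same thing: that pool is used as the set of trust anchors, so the intermediate would become a root and the path would never reach DoD Root CA 6. Whatever the stack, the fix on the server side is to hold the DoD intermediate locally so a leaf-only client still chains to the configured root.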
New initializer for ASWebAuthenticationSession
I have noticed that there is a new initializer for ASWebAuthenticationSession in macOS 14.4. The standard initializer has been deprecated without further info. The new initializer looks as follows:

    init(url: URL, callback: ASWebAuthenticationSession.Callback, completionHandler: ASWebAuthenticationSession.CompletionHandler)

This initializer takes a callback object of class ASWebAuthenticationSession.Callback. But this class cannot be initialized and also not subclassed. When you try to do this there will be the following error in Xcode:

    'init()' is unavailable

The documentation also does not give any hint on how to use it; it just defines 2 class methods and a method called

    func matchesURL(URL) -> Bool

which could mean that by using this method you could match any arbitrary URL to continue the process. Has anyone figured out what to do with this?
1 reply · 0 boosts · 572 views · last activity Mar ’24
Trader Account - Phone Verification
Hello, I'm trying to enroll in the trader account program, but after filling out the form and then entering the email verification code that was sent, I never receive the phone OTP code that I'm supposed to receive. I'm not from the US; my country code is +51, so I select that in the dial code combo-box and then enter my number, which is 9 digits long. However, I tried with a US phone from a friend and it works just fine; he does receive the confirmation code. How can I fix this? I already have an app stuck for over 1 week because of this. I've called Apple support multiple times and they tell me to send evidence via email, which I have. They've told me it was "scaled" to the engineering team, but of course that's gonna take a long while for it to be fixed. Has anyone encountered a similar problem? I believe there's gotta be a quirk or something in that form that will actually get the system to work.
2 replies · 0 boosts · 513 views · last activity Apr ’24
OAuth using ASWebAuthenticationSession, redirect URI
Hello, my app uses OAuth to connect to two services. To get the authorization code, originally, they both allowed a URI in the form of "com.SmartVentsTwo://auth". Now, the second one changed and requires that the URI be a complete URL starting with HTTPS. Needless to say, the second stopped working. I read several different articles and posts about this difference telling me a range of things to do, from simply adding "https://com.SSmarVentsTwo://auth" to the URL types in the project settings, to creating a redirect from my website. It would seem the most secure would be the former since it doesn't require extra jumps, but it didn't work. When I tried it, after logging in and authorizing the request, I got a "could not find server" error. What are the exact steps I need to follow to accommodate the change? (Thank you very much!!)
7 replies · 0 boosts · 643 views · last activity Apr ’24
App review rejected due to OTP login system
We have recently rolled out a one-time-password only log in system for our app. Access to our app is by invite only and users are required to register outside of the app to set up their account (it is an app for events & conferences). The majority of users have requested this login system as it is more secure and easier than a traditional password. I submitted the app for review, but it was rejected as the Apple tester required the email access code that was sent when they entered the tester email address we have in the app description. Does anyone have any advice on how we can remedy this so that our app does not keep getting rejected for this reason? Thanks
0 replies · 0 boosts · 288 views · last activity Apr ’24
iOS Requests Permission to Sign In when Signing/Logging Out
When using an ASWebAuthenticationSession to log in, with prefersEphemeralSession = false to enable SSO, the system presents an alert asking if the user wants to allow "SomeApp" to Sign In with "someauthprovider.xyz". The system presents exactly the same alert when you want to log out, and it is confusing for users. It's my understanding that the system does this because the alert really means "would you like to allow this app to let some page access Safari's shared cookie vault?" in lay terms, and is not distinguishing between create, read, update, or delete. It would be splendid if Apple changes this dialog depending on the operation. I would also like to know if there is any other way to fix this.
1 reply · 0 boosts · 414 views · last activity Apr ’24
AppKit/Mac Catalyst apps are being rejected by App Review for launching default web browser for login
It seems that all macOS apps currently going through App Review which use ASWebAuthenticationSession (or SwiftUI webAuthenticationSession) are being rejected, because:

    Reason given: Guideline 4.0 - Design
    The user is taken to the default web browser to sign in or register for an account, which provides a poor user experience.

See here for more details: https://forums.developer.apple.com/forums/thread/750400

If webAuthenticationSession is no longer permitted for production apps, what is the current recommended approach for implementing OAuth 2 authentication?
2 replies · 1 boost · 437 views · last activity Jun ’24
Cookie sharing between ASWebAuthenticationSession and Safari (ios)
I'm currently trying to add an OIDC connection to an iOS application. I'm using AppAuth, which will use ASWebAuthenticationSession (because we're targeting recent versions of iOS). We have a login web page that will write a cookie. We'd like this cookie to be shared between the application (using ASWebAuthenticationSession) and the system browser (Safari) so that the user can be recognized and avoid having to log in again.

The web page writes a permanent cookie (with an expiry date) and the iOS application uses ASWebAuthenticationSession. And I did not set prefersEphemeralSession to true. So we should be OK with the documentation (SFSafariViewController no longer shares cookies, and session cookies are not shared between ASWebAuthenticationSession and Safari). It should work, if I understand the documentation correctly. Did I miss a point? Or is it a known problem?

I also tried to create a simple web page that reads and writes a cookie to do some tests.

    // cookieName was not declared in the posted snippet; any name works for the probe
    var cookieName = "ssoProbe";

    function writeCookie() {
      var value = "something";
      // Persistent (not session) cookie: both max-age and expires are set, one year out
      var maxAge = "max-age=" + (365 * 24 * 60 * 60);
      var expiration = new Date();
      expiration.setTime(expiration.getTime() + (365 * 24 * 60 * 60 * 1000));
      var expires = "expires=" + expiration.toUTCString();
      // SameSite=None is only accepted together with Secure, so this needs https
      var sameSite = "SameSite=None";
      var secure = ";Secure";
      document.cookie = cookieName + "=" + value + ";" + maxAge + ";" + expires + ";path=/;" + sameSite + secure;
    }

    function readCookie() {
      var cookies = document.cookie.split(';');
      var value = "";
      for (var i = 0; i < cookies.length; i++) {
        var cookie = cookies[i].trim();
        // match "name=" so a cookie whose name merely starts with cookieName is skipped
        if (cookie.indexOf(cookieName + "=") == 0) {
          value = cookie.substring(cookieName.length + 1, cookie.length);
          break;
        }
      }
      if (value !== "") {
        alert("Cookie value : " + value);
      }
    }

And iOS code:

    currentAuthorizationFlow = OIDAuthState.authState(byPresenting: request, presenting: viewController) { authState, error in
      if let authState = authState {
        print("Authorization succeeded")
        self.authState = authState
        if let accessToken = authState.lastTokenResponse?.accessToken,
           let idToken = authState.lastTokenResponse?.idToken {
          completion(.success(TokenResponse(accessToken: accessToken, idToken: idToken)))
          return
        }
      }
      self.authState = nil
      // error is optional in the AppAuth callback; fall back to a generic error so .failure always has a value
      completion(.failure(error ?? NSError(domain: "OIDC", code: -1)))
    }
1 reply · 1 boost · 610 views · last activity Apr ’24
GIDSignIn as sole authentication
For apps with a login service, the App Review Guidelines require:

- The login option limits data collection to the user’s name and email address.
- The login option allows users to keep their email address private as part of setting up their account.
- The login option does not collect interactions with the app for advertising purposes without consent.

I want to use Google Authentication using the GIDSignIn pod as my sole authenticator, to avoid the hassle of dealing with username and password. Is it possible to configure GIDSignIn to adhere to these data collection requirements?
0 replies · 0 boosts · 209 views · last activity May ’24
Passkey authentication failure due to RPID mismatch
Hello, I am facing a passkey authentication failure during cross-device authentication. After I called completeAssertionRequest with passkeyCredential, I am encountering the issue attached, and I am unable to find where the RPID mismatch is coming from and referencing from. It would be great if I could know the source of where the RPID hash (found) comes from. Thanks.

    Returned credential failed validation: Error Domain=com.apple.AuthenticationServicesCore.AuthorizationError Code=14 "RPID hash did not match expected value. Expected xMTokW1VIYg2DZVB9lCtheT+0n8NxHvx4HaxTPhH4bY=, found: eE1Ub2tXMVZJWWcyRFpWQjlsQ3RoZVQtMG44TnhIdng=." UserInfo={NSLocalizedFailureReason=RPID hash did not match expected value. Expected xMTokW1VIYg2DZVB9lCtheT+0n8NxHvx4HaxTPhH4bY=, found: eE1Ub2tXMVZJWWcyRFpWQjlsQ3RoZVQtMG44TnhIdng=.}
1 reply · 0 boosts · 306 views · last activity May ’24
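The two base64 values in that error message are worth decoding. The Go program below is an added example, not code from the post or from Apple: it decodes both values and shows that the "found" bytes are exactly the first 32 characters of the base64url text of the expected hash, i.e. the hash reached the rpIdHash field as encoded text rather than as the raw 32 SHA-256 bytes WebAuthn puts at the start of authenticatorData. It also shows the relying-party check that produces this class of error. The RP ID example.com used in the demonstration is constructed; the post does not say which domain was in use.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Values copied verbatim from the error message in the post above.
const (
	ExpectedB64 = "xMTokW1VIYg2DZVB9lCtheT+0n8NxHvx4HaxTPhH4bY="
	FoundB64    = "eE1Ub2tXMVZJWWcyRFpWQjlsQ3RoZVQtMG44TnhIdng="
)

// RPIDHash returns the 32-byte SHA-256 of the relying-party ID. WebAuthn places
// exactly these raw bytes at the start of authenticatorData.
func RPIDHash(rpID string) []byte {
	h := sha256.Sum256([]byte(rpID))
	return h[:]
}

// ValidateRPIDHash is the relying-party side of the check that failed above:
// the first 32 bytes of authenticatorData must equal SHA-256(rpID).
func ValidateRPIDHash(authData []byte, rpID string) bool {
	if len(authData) < 32 {
		return false
	}
	return bytes.Equal(authData[:32], RPIDHash(rpID))
}

// ExplainMismatch decodes the "expected" and "found" values and tests whether
// "found" is the base64url text of the expected hash, cut to the fixed 32-byte
// width of the rpIdHash field. It returns that verdict and the found bytes as ASCII.
func ExplainMismatch(expectedB64, foundB64 string) (bool, string, error) {
	expected, err := base64.StdEncoding.DecodeString(expectedB64)
	if err != nil {
		return false, "", err
	}
	found, err := base64.StdEncoding.DecodeString(foundB64)
	if err != nil {
		return false, "", err
	}
	text := []byte(base64.RawURLEncoding.EncodeToString(expected))
	if len(found) > len(text) {
		return false, string(found), nil
	}
	return bytes.Equal(found, text[:len(found)]), string(found), nil
}

func main() {
	ok, asText, err := ExplainMismatch(ExpectedB64, FoundB64)
	if err != nil {
		panic(err)
	}
	fmt.Printf("found bytes as ASCII: %q\n", asText)
	fmt.Println("found == base64url(expected)[:32]:", ok)

	// Constructed RP ID for the demonstration; flags byte 0x05 = UP|UV, counter 1.
	good := append(RPIDHash("example.com"), 0x05, 0, 0, 0, 1)
	// The same mistake reproduced: the hash encoded as text, truncated to 32 bytes.
	bad := append([]byte(base64.RawURLEncoding.EncodeToString(RPIDHash("example.com")))[:32], 0x05, 0, 0, 0, 1)
	fmt.Println("raw hash validates:    ", ValidateRPIDHash(good, "example.com"))
	fmt.Println("encoded text validates:", ValidateRPIDHash(bad, "example.com"))
}
```

The practical reading: whatever assembles authenticatorData on the client side of this flow must write the raw SHA-256 output into the first 32 bytes, and the base64url encoding belongs only to the JSON transport layer around it.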
Unable to use custom PAM with /etc/pam.d/authorization
I created a custom PAM module following this, and it works fine with /etc/pam.d/sudo but doesn't work with /etc/pam.d/authorization and /etc/pam.d/login.

    # sudo: auth account password session
    auth       include        sudo_local
    auth       sufficient     /usr/local/Cellar/cpam/1.0.0/lib/security/cpam.so
    auth       sufficient     pam_smartcard.so
    auth       required       pam_opendirectory.so
    account    required       pam_permit.so
    password   required       pam_deny.so
    session    required       pam_permit.so

    # authorization: auth account
    auth       sufficient     /usr/local/Cellar/cpam/1.0.0/lib/security/cpam.so
    auth       optional       pam_krb5.so use_first_pass use_kcminit no_auth_ccache
    auth       optional       pam_ntlm.so use_first_pass
    auth       sufficient     pam_smartcard.so use_first_pass
    account    required       pam_opendirectory.so

Is it even allowed to add a custom PAM to /etc/pam.d/login or /etc/pam.d/authorization? Is it possible to create a mechanism with custom logic and replace it with builtin:authenticate,privileged in the system.login.console authorization right?

Note: I have also tried moving the .so file to /usr/lib/pam but it failed even after disabling SIP.
0 replies · 0 boosts · 205 views · last activity May ’24
App Search API Validation Tool is down again
The App Search API Validation tool is down again, and it seems it has been for a while already. Trying to access https://developer.apple.com/ios/search/ or https://search.developer.apple.com/ only redirects to https://developer.apple.com/ or https://developer.apple.com/ios/ We need the tool to verify the correctness of our AASA file See also https://developer.apple.com/forums/thread/46838 Could anyone confirm? Thank you
0 replies · 0 boosts · 165 views · last activity May ’24
Remote passkey autofill request handling
I did implement the "ASCredentialProviderViewController" class for my password manager in order to support passkeys recently. Passkey registration and assertion work correctly, but remote fulfilling is not working as expected.

Use case:
- The user wants to sign in with a passkey on some computer
- A QR code is displayed and the user scans the QR code
- The Apple authentication bottom sheet is opened and the client can pick my app as a provider
- ISSUE HERE: my app doesn't receive the passkey request parameters and is not able to generate the assertion answer

I was hoping the following functions would be called, but it's not the case:

    prepareCredentialList(for serviceIdentifiers: [ASCredentialServiceIdentifier], requestParameters: ASPasskeyCredentialRequestParameters)
    prepareInterfaceToProvideCredential(for credentialRequest: ASCredentialRequest)
    provideCredentialWithoutUserInteraction(for credentialRequest: ASCredentialRequest)

=> Please, how can my app receive the passkey request parameters in order to generate the assertion answer in this situation?
1 reply · 0 boosts · 282 views · last activity 3w
SFSafariViewControllerDelegate method for initialLoadDidRedirectTo not being triggered for subsequent reloads as specified in the docs
For some reason, not all of the time but most of the time, the SFSafariViewControllerDelegate method initialLoadDidRedirectTo is not being triggered for subsequent reloads as specified in the docs:

    @discussion This method may be called even after -safariViewController:didCompleteInitialLoad: if the web page performs additional redirects without user interaction.

I am allowing a user to log in with an OAuth 2.0 provider in the Safari browser and expecting to detect the redirect to continue the flow from the app once their credentials have securely been consumed by the IdP in Safari. It was working consistently. It went from a 100% success rate up until this week to maybe 1/20 successful redirects.

Code snippet:

    // Configuration is nested under SFSafariViewController
    let config = SFSafariViewController.Configuration()
    config.entersReaderIfAvailable = false
    let vc = SFSafariViewController(url: url, configuration: config)
    vc.delegate = self
    self.safariViewController = vc
    print(self.safariViewController?.delegate)
    self.present(vc, animated: true)

Why is it not always detecting the redirects?
1 reply · 0 boosts · 421 views · last activity Jun ’24
SFSafariViewControllerDelegate not being called for redirects
This method does not seem to work consistently:

    SFSafariViewControllerDelegate.safariViewController(_ controller: SFSafariViewController, initialLoadDidRedirectTo URL: URL)

It was working 100% of the time until this week for me; now it has about a 1-5% success rate for detecting redirects. The docs are not clear:

    @discussion This method may be called even after -safariViewController:didCompleteInitialLoad: if the web page performs additional redirects without user interaction.

Code snippet from the calling UIViewController that conforms to SFSafariViewControllerDelegate:

    // Configuration is nested under SFSafariViewController
    let config = SFSafariViewController.Configuration()
    config.entersReaderIfAvailable = false
    let vc = SFSafariViewController(url: url, configuration: config)
    vc.delegate = self
    self.safariViewController = vc
    print(self.safariViewController?.delegate)
    self.present(vc, animated: true)

Did something change? How can I make this consistent again?
1 reply · 0 boosts · 379 views · last activity Jun ’24
ASWebAuthenticationSession and error code 1
We're using this (on a Mac) to do 3rd-party authentication. The completion handler is getting:

    Authentication session got error: [The operation couldn’t be completed. (com.apple.AuthenticationServices.WebAuthenticationSession error 1.)], in domain: [com.apple.AuthenticationServices.WebAuthenticationSession]

That seems to be generated if the auth window is closed. However... it's not being closed, so we end up spawning a second one to do it, and this one seems to work.
2 replies · 0 boosts · 348 views · last activity Jun ’24