I am trying to auth with a non-apple auth provider for a multi-platform service. I'm expecting to be able to use this to fetch the OAuth code after the user logs in to their auth provider. myRedirectHost = 'https' OR 'https://my.domain.com' where I also know the redirect path and query params and will extract them. ASWebAuthenticationSession(url: url, callbackURLScheme: myRedirectHost, completionHandler: handleAuthSessionResult) This works for iOS 17.4+ with that nice enum, but what about the rest of the users?

Tried to implement the code snippets based on : https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication/supporting_security_key_authentication_using_physical_keys security key. The Sign In UI did popup but after which is either it timed-out or i cancelled the operation. The performRequest function doesn't seems to trigger my external security key. Not sure if FBSSystemApp / coreauthd are part of the logs i should be looking out to see where the issue(s) is/are?

I want to add my testing app and prod app for release in associated domain file. How can I add them in apple-app-site-association. Can I add both separated by coma { "webcredentials": { "apps": [ "3ABCDEF.com.lalitha.release" , 3ABCDEF.com.lalitha.test] } } In Apple documentation example they haven't mention about adding multiple apps under web credentials [https://developer.apple.com/documentation/xcode/supporting-associated-domains]

We are using aws amplify for our social logins with signInWithRedirect. When a user selects apple login on iphone and cancels the appleId popup, the user can't click any social login buttons anymore, including the apple one. Refreshing the page resolves this.

It is clearly stated here that automatically created passwords are 20 characters long, contain 2 hyphens and exactly one uppercase letter and one digit. I have only ever seen generated passwords where the arrangement is in 3 groups of 6 (separated by the hyphens). From the description in the page referred to above, it could be that the generated password might look like: nzomZhf-qnbqd-k8ibtt i.e., a 7-5-6 pattern This would comply with the definition (if that's what it is) on the aforementioned Support page. Is it guaranteed that auto generated passwords will conform to the 3 groups of 6 pattern?

We are implementing just-in-time account creation using Platform Single Sign-on. After creating the account, we are registering the user with PSSO and we want to ensure that the IDP account used for account creation matches the IDP account used in the user registration flow. An easy way to do this appears to be using loginUsername on the ASAuthorizationProviderExtensionLoginManager object. loginUsername gets set during account creation and then we can check what the user is entering during registration. The documentation, however, marks this attribute as deprecated. There is no indication of what could be used instead. Is there some other value we could look at? Does Apple have a plan to introduce a preferred API option? Thanks!

Hi Folks, We've been using Xcode Cloud for a year without any issues. Recently, our IT team switched authentication from LDAP to Azure SAML SSO. Since then, we've been getting the following error whenever Xcode Cloud launches a build: "Run command: '/bin/rm -rf /Volumes/workspace/repository &> /dev/null && GIT_TRACE2_PERF=/tmp/git_trace2_perf GIT_TRACE2_EVENT=/tmp/git_trace2_event git init /Volumes/workspace/repository && GIT_TRACE2_PERF=.....etc." "could not read Username for 'http://bitbucket.***': Device not configured Command exited with non-zero exit-code: 128" Any idea what we need to change to get things working again? Thank you Cam

I want to introduce client certificate authentication for communication between the iPad and the server. Since it is not possible to install a client certificate on the iPad using a p12 file, I am considering another method. I would like to know how to install the client certificate and private key issued by the certificate authority on the iPad without converting it to a p12 file. What are the different ways to do this?

My App needs to send and receive messages to the server, but my server does not have SSL, so I can only disable ATS in the development stage. But if I want to put the app on the shelf, then I still disable ATS when I put it on the shelf, and the server still does not have SSL. Will it be packaged? Is pp warned and terminated by Xcode? Will it be rejected by the Apple audit department? Can it be put on the App Store normally and provided to all users? Note: My server is completely safe without any security risks. I didn't apply for SSL just because I didn't have enough funds.

"ASCredentialProviderViewController" class was implemented in my password manager to autofill password for the app clients. I've added passkey support recently but biometric/code authentication is not asked by the system when the user tries to sign in with a passkey thanks to "provideCredentialWithoutUserInteraction(for credentialRequest: ASCredentialRequest)". For passwords: extensionContext.completeRequest(withSelectedCredential: ASPasswordCredential(), completionHandler: nil) -> Does trigger biometric/code authentication For passkeys: extensionContext.completeAssertionRequest(using: ASPasskeyAssertionCredential()) -> Does NOT trigger biometric/code authentication => Why authentication is managed by the system for password but not for passkeys ? And how to fix that?

On macOS, in the Apple Passwords app (currently inside Settings but soon to be it's own full fledged app in Sequoia) the user is presented with a screen requesting that they touch the fingerprint reader (see attached). If we'd like to do something similar, e.g. unlock some sensitive/secure part of our app, by requesting the user touch the Touch ID sensor, but without doing the whole system prompt (LAContext.evaluatePolicy()), how can we do that? Is that possible for mere mortal developers, and if not, why not?

We currently have an Account Authentication Modification Extension in our iOS App so that users can update their passwords directly from within the Passwords section in the iOS Settings App. On iOS 18 beta3 the extension is not executed from the new Passwords app. Instead the URL associated with the credentials is opened when choosing to change a password. Will it still be possible to integrate with the new Passwords app or is this no longer supported? https://developer.apple.com/wwdc24/10125 only mentions https://example.com/.well-known/change-password Also, can we provide the information to the Passwords app that our service does not support verification codes? So that the "set up verification code" option is not displayed for our website in the Passwords app.

I am trying to set up a message filter extension that will use shared web credentials for basic auth when calling to its ILMessageFilterExtensionNetworkURL. I have associated domains set up for both "messagefilter:" and "webcredentials:" and the message filter IS correctly calling the ILMessageFilterExtensionNetworkURL with each message - so that part is working. As detailed here, I have set up Shared Web Credentials and my view controller is using SecAddSharedWebCredential() to save the creds to the correct domain. Using Authorization services, the creds are auto-filled into my app's login screen. When I go under Settings > Passwords, I see the creds are saved and they are the correct creds to the corrent website that matches ILMessageFilterExtensionNetworkURL. Regardless of all of this, the deferQueryRequestToNetwork() refuses to use the creds and implement Basic Auth in its URL call. It makes the call to the correct URL, it just won't use the Shared Web Creds for basic auth. Any help would be greatly appreciated.

Hi: I saw the post WWDC WebKit release notes said Safari will support largeblob extension from version 17. But when I create a credential with largeblob extension, different action takes according what authenticator used. The credential options is: "credCreateOptions": { "rp": { "name": "WebAuthn demo", "id": "webauthn.turinggear.com" }, "user": { "name": "Jonathon.Runte97@gmail.com", "displayName": "Jonathon.Runte97@gmail.com", "id": "bqShD9YGRicjM-1foXiBqrdCzTHTuG1bkmKaxzn7oEM" }, "challenge": "9BP4y2epk2b3MhRCRRS5tt4bdWYLPJcKBLMMiB_7p7E", "pubKeyCredParams": [ { "alg": -7, "type": "public-key" }, { "alg": -257, "type": "public-key" } ], "excludeCredentials": [], "authenticatorSelection": { "requireResidentKey": true, "residentKey": "required", "userVerification": "discouraged" }, "attestation": "none", "extensions": { "credProps": true, "largeBlob": { "support": "preferred" } } } When i choose use iPhone be my authenticator, it seems that largeblob act as it should be: "credential" : { "id": "ZRxBdH4LKE4eiVxbwcA4Kmn9VZk", "rawId": "ZRxBdH4LKE4eiVxbwcA4Kmn9VZk", "response": { "attestationObject": "o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YViYSETDPyxegNfyH_fI_8t9iVRDn34LxYd8YH1k2u4xSk5dAAAAAPv8MAcVTk7MjAtuAgVX170AFGUcQXR-CyhOHolcW8HAOCpp_VWZpQECAyYgASFYICY6gkqg6OG_v1BlGCPj7gSwsu_c0vTmVzmfd7TsqEh5Ilgg_Cn0mAiO8QCx7J1xw809VBq8iI-U5pgY0I947B7XF9g", "clientDataJSON": "eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiOVcta3RMbEswemZDSXpFb2hNd3E3OTgxQXJlRzV0aEVBdmRHdXNHcUsxcyIsIm9yaWdpbiI6Imh0dHBzOi8vd2ViYXV0aG4udHVyaW5nZ2Vhci5jb20ifQ", "transports": [ "internal", "hybrid" ], "publicKeyAlgorithm": -7, "publicKey": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJjqCSqDo4b-_UGUYI-PuBLCy79zS9OZXOZ93tOyoSHn8KfSYCI7xALHsnXHDzT1UGryIj5TmmBjQj3jsHtcX2A", "authenticatorData": "SETDPyxegNfyH_fI_8t9iVRDn34LxYd8YH1k2u4xSk5dAAAAAPv8MAcVTk7MjAtuAgVX170AFGUcQXR-CyhOHolcW8HAOCpp_VWZpQECAyYgASFYICY6gkqg6OG_v1BlGCPj7gSwsu_c0vTmVzmfd7TsqEh5Ilgg_Cn0mAiO8QCx7J1xw809VBq8iI-U5pgY0I947B7XF9g" }, "type": "public-key", "clientExtensionResults": { "largeBlob": { "supported": true } }, "authenticatorAttachment": "platform" } Safari returns clientExtensionResults.largeBlob.supported= ture. But when I use an NFC authenticator with the same credCreateOptions, safari didnot return clientExtensionResults section. Response as follows(ignore the challenge and others random data): "credential" : { "id": "uEVMzgsINXj7bHFD5Z5xbMGJ7k6tnrMQSLjB4yB8_0GxbUPoWYUYX8E3D9XB24Cv-PMh6cRpCFt5klUHqsot2Yc48BVu5TN8sbabTgped2x46ljdsxFzaNCA8D2y9FZK8BHLLZTKHNuzJw4SCYUkzg", "rawId": "uEVMzgsINXj7bHFD5Z5xbMGJ7k6tnrMQSLjB4yB8_0GxbUPoWYUYX8E3D9XB24Cv-PMh6cRpCFt5klUHqsot2Yc48BVu5TN8sbabTgped2x46ljdsxFzaNCA8D2y9FZK8BHLLZTKHNuzJw4SCYUkzg", "response": { "attestationObject": "o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YVj0SETDPyxegNfyH_fI_8t9iVRDn34LxYd8YH1k2u4xSk5FAAABeAAAAAAAAAAAAAAAAAAAAAAAcLhFTM4LCDV4-2xxQ-WecWzBie5OrZ6zEEi4weMgfP9BsW1D6FmFGF_BNw_VwduAr_jzIenEaQhbeZJVB6rKLdmHOPAVbuUzfLG2m04KXndseOpY3bMRc2jQgPA9svRWSvARyy2UyhzbsycOEgmFJM6lAQIDJiABIVggg2LXO5Q2U0ETrSxrLKxCfKKCTCitTCx9bpxD1Gw917ciWCDsxnw4Wd7M_UTiGQJ7swCMXN83nprsT8wkTlftXRizmw", "clientDataJSON": "eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiOUJQNHkyZXBrMmIzTWhSQ1JSUzV0dDRiZFdZTFBKY0tCTE1NaUJfN3A3RSIsIm9yaWdpbiI6Imh0dHBzOi8vd2ViYXV0aG4udHVyaW5nZ2Vhci5jb20ifQ", "transports": [ "nfc" ], "publicKeyAlgorithm": -7, "publicKey": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEg2LXO5Q2U0ETrSxrLKxCfKKCTCitTCx9bpxD1Gw917fsxnw4Wd7M_UTiGQJ7swCMXN83nprsT8wkTlftXRizmw", "authenticatorData": "SETDPyxegNfyH_fI_8t9iVRDn34LxYd8YH1k2u4xSk5FAAABeAAAAAAAAAAAAAAAAAAAAAAAcLhFTM4LCDV4-2xxQ-WecWzBie5OrZ6zEEi4weMgfP9BsW1D6FmFGF_BNw_VwduAr_jzIenEaQhbeZJVB6rKLdmHOPAVbuUzfLG2m04KXndseOpY3bMRc2jQgPA9svRWSvARyy2UyhzbsycOEgmFJM6lAQIDJiABIVggg2LXO5Q2U0ETrSxrLKxCfKKCTCitTCx9bpxD1Gw917ciWCDsxnw4Wd7M_UTiGQJ7swCMXN83nprsT8wkTlftXRizmw" }, "type": "public-key", "clientExtensionResults": {}, "authenticatorAttachment": "cross-platform" } Even without a clientExtensionResults.largeBlob.supported= false. According to w3c, it should return clientExtensionResults.largeBlob.supported= false ? The NFC authenticaor do support largeblob extensions and act write with the same credCreateOptions on edge on windows. Does safari need some extra parameters? My safari is the newest version of 17.5 (19618.2.12.11.6), mac version is Sonoma 14.5(23F79). Thank you very much.

I'm trying to set a Cookie on ASWebAuthenticationSession on iOS 17.4+ using the new available method additionalHeaderFields. I can use this method to set any header field but "Cookie". As soon as I try to set this header, I receive the following error: Cannot start ASWebAuthenticationSession: Error Domain=com.apple.AuthenticationServices.WebAuthenticationSession Code=1 "One or more provided headers are invalid." UserInfo={NSLocalizedFailureReason=One or more provided headers are invalid.} The same content, but with different name ("Foo") is inserted as a header in the request. So, are there any limitation about setting cookies on ASWebAuthenticationSession? I've found any information abut this