I am trying to set up a message filter extension that will use shared web credentials for basic auth when calling to its ILMessageFilterExtensionNetworkURL. I have associated domains set up for both "messagefilter:" and "webcredentials:" and the message filter IS correctly calling the ILMessageFilterExtensionNetworkURL with each message - so that part is working. As detailed here, I have set up Shared Web Credentials and my view controller is using SecAddSharedWebCredential() to save the creds to the correct domain. Using Authorization services, the creds are auto-filled into my app's login screen. When I go under Settings > Passwords, I see the creds are saved and they are the correct creds to the corrent website that matches ILMessageFilterExtensionNetworkURL. Regardless of all of this, the deferQueryRequestToNetwork() refuses to use the creds and implement Basic Auth in its URL call. It makes the call to the correct URL, it just won't use the Shared Web Creds for basic auth. Any help would be greatly appreciated.

Hi: I saw the post WWDC WebKit release notes said Safari will support largeblob extension from version 17. But when I create a credential with largeblob extension, different action takes according what authenticator used. The credential options is: "credCreateOptions": { "rp": { "name": "WebAuthn demo", "id": "webauthn.turinggear.com" }, "user": { "name": "Jonathon.Runte97@gmail.com", "displayName": "Jonathon.Runte97@gmail.com", "id": "bqShD9YGRicjM-1foXiBqrdCzTHTuG1bkmKaxzn7oEM" }, "challenge": "9BP4y2epk2b3MhRCRRS5tt4bdWYLPJcKBLMMiB_7p7E", "pubKeyCredParams": [ { "alg": -7, "type": "public-key" }, { "alg": -257, "type": "public-key" } ], "excludeCredentials": [], "authenticatorSelection": { "requireResidentKey": true, "residentKey": "required", "userVerification": "discouraged" }, "attestation": "none", "extensions": { "credProps": true, "largeBlob": { "support": "preferred" } } } When i choose use iPhone be my authenticator, it seems that largeblob act as it should be: "credential" : { "id": "ZRxBdH4LKE4eiVxbwcA4Kmn9VZk", "rawId": "ZRxBdH4LKE4eiVxbwcA4Kmn9VZk", "response": { "attestationObject": "o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YViYSETDPyxegNfyH_fI_8t9iVRDn34LxYd8YH1k2u4xSk5dAAAAAPv8MAcVTk7MjAtuAgVX170AFGUcQXR-CyhOHolcW8HAOCpp_VWZpQECAyYgASFYICY6gkqg6OG_v1BlGCPj7gSwsu_c0vTmVzmfd7TsqEh5Ilgg_Cn0mAiO8QCx7J1xw809VBq8iI-U5pgY0I947B7XF9g", "clientDataJSON": "eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiOVcta3RMbEswemZDSXpFb2hNd3E3OTgxQXJlRzV0aEVBdmRHdXNHcUsxcyIsIm9yaWdpbiI6Imh0dHBzOi8vd2ViYXV0aG4udHVyaW5nZ2Vhci5jb20ifQ", "transports": [ "internal", "hybrid" ], "publicKeyAlgorithm": -7, "publicKey": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJjqCSqDo4b-_UGUYI-PuBLCy79zS9OZXOZ93tOyoSHn8KfSYCI7xALHsnXHDzT1UGryIj5TmmBjQj3jsHtcX2A", "authenticatorData": "SETDPyxegNfyH_fI_8t9iVRDn34LxYd8YH1k2u4xSk5dAAAAAPv8MAcVTk7MjAtuAgVX170AFGUcQXR-CyhOHolcW8HAOCpp_VWZpQECAyYgASFYICY6gkqg6OG_v1BlGCPj7gSwsu_c0vTmVzmfd7TsqEh5Ilgg_Cn0mAiO8QCx7J1xw809VBq8iI-U5pgY0I947B7XF9g" }, "type": "public-key", "clientExtensionResults": { "largeBlob": { "supported": true } }, "authenticatorAttachment": "platform" } Safari returns clientExtensionResults.largeBlob.supported= ture. But when I use an NFC authenticator with the same credCreateOptions, safari didnot return clientExtensionResults section. Response as follows(ignore the challenge and others random data): "credential" : { "id": "uEVMzgsINXj7bHFD5Z5xbMGJ7k6tnrMQSLjB4yB8_0GxbUPoWYUYX8E3D9XB24Cv-PMh6cRpCFt5klUHqsot2Yc48BVu5TN8sbabTgped2x46ljdsxFzaNCA8D2y9FZK8BHLLZTKHNuzJw4SCYUkzg", "rawId": "uEVMzgsINXj7bHFD5Z5xbMGJ7k6tnrMQSLjB4yB8_0GxbUPoWYUYX8E3D9XB24Cv-PMh6cRpCFt5klUHqsot2Yc48BVu5TN8sbabTgped2x46ljdsxFzaNCA8D2y9FZK8BHLLZTKHNuzJw4SCYUkzg", "response": { "attestationObject": "o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YVj0SETDPyxegNfyH_fI_8t9iVRDn34LxYd8YH1k2u4xSk5FAAABeAAAAAAAAAAAAAAAAAAAAAAAcLhFTM4LCDV4-2xxQ-WecWzBie5OrZ6zEEi4weMgfP9BsW1D6FmFGF_BNw_VwduAr_jzIenEaQhbeZJVB6rKLdmHOPAVbuUzfLG2m04KXndseOpY3bMRc2jQgPA9svRWSvARyy2UyhzbsycOEgmFJM6lAQIDJiABIVggg2LXO5Q2U0ETrSxrLKxCfKKCTCitTCx9bpxD1Gw917ciWCDsxnw4Wd7M_UTiGQJ7swCMXN83nprsT8wkTlftXRizmw", "clientDataJSON": "eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiOUJQNHkyZXBrMmIzTWhSQ1JSUzV0dDRiZFdZTFBKY0tCTE1NaUJfN3A3RSIsIm9yaWdpbiI6Imh0dHBzOi8vd2ViYXV0aG4udHVyaW5nZ2Vhci5jb20ifQ", "transports": [ "nfc" ], "publicKeyAlgorithm": -7, "publicKey": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEg2LXO5Q2U0ETrSxrLKxCfKKCTCitTCx9bpxD1Gw917fsxnw4Wd7M_UTiGQJ7swCMXN83nprsT8wkTlftXRizmw", "authenticatorData": "SETDPyxegNfyH_fI_8t9iVRDn34LxYd8YH1k2u4xSk5FAAABeAAAAAAAAAAAAAAAAAAAAAAAcLhFTM4LCDV4-2xxQ-WecWzBie5OrZ6zEEi4weMgfP9BsW1D6FmFGF_BNw_VwduAr_jzIenEaQhbeZJVB6rKLdmHOPAVbuUzfLG2m04KXndseOpY3bMRc2jQgPA9svRWSvARyy2UyhzbsycOEgmFJM6lAQIDJiABIVggg2LXO5Q2U0ETrSxrLKxCfKKCTCitTCx9bpxD1Gw917ciWCDsxnw4Wd7M_UTiGQJ7swCMXN83nprsT8wkTlftXRizmw" }, "type": "public-key", "clientExtensionResults": {}, "authenticatorAttachment": "cross-platform" } Even without a clientExtensionResults.largeBlob.supported= false. According to w3c, it should return clientExtensionResults.largeBlob.supported= false ? The NFC authenticaor do support largeblob extensions and act write with the same credCreateOptions on edge on windows. Does safari need some extra parameters? My safari is the newest version of 17.5 (19618.2.12.11.6), mac version is Sonoma 14.5(23F79). Thank you very much.

I'm trying to set a Cookie on ASWebAuthenticationSession on iOS 17.4+ using the new available method additionalHeaderFields. I can use this method to set any header field but "Cookie". As soon as I try to set this header, I receive the following error: Cannot start ASWebAuthenticationSession: Error Domain=com.apple.AuthenticationServices.WebAuthenticationSession Code=1 "One or more provided headers are invalid." UserInfo={NSLocalizedFailureReason=One or more provided headers are invalid.} The same content, but with different name ("Foo") is inserted as a header in the request. So, are there any limitation about setting cookies on ASWebAuthenticationSession? I've found any information abut this

On macOS, in the Apple Passwords app (currently inside Settings but soon to be it's own full fledged app in Sequoia) the user is presented with a screen requesting that they touch the fingerprint reader (see attached). If we'd like to do something similar, e.g. unlock some sensitive/secure part of our app, by requesting the user touch the Touch ID sensor, but without doing the whole system prompt (LAContext.evaluatePolicy()), how can we do that? Is that possible for mere mortal developers, and if not, why not?

We currently have an Account Authentication Modification Extension in our iOS App so that users can update their passwords directly from within the Passwords section in the iOS Settings App. On iOS 18 beta3 the extension is not executed from the new Passwords app. Instead the URL associated with the credentials is opened when choosing to change a password. Will it still be possible to integrate with the new Passwords app or is this no longer supported? https://developer.apple.com/wwdc24/10125 only mentions https://example.com/.well-known/change-password Also, can we provide the information to the Passwords app that our service does not support verification codes? So that the "set up verification code" option is not displayed for our website in the Passwords app.

My App needs to send and receive messages to the server, but my server does not have SSL, so I can only disable ATS in the development stage. But if I want to put the app on the shelf, then I still disable ATS when I put it on the shelf, and the server still does not have SSL. Will it be packaged? Is pp warned and terminated by Xcode? Will it be rejected by the Apple audit department? Can it be put on the App Store normally and provided to all users? Note: My server is completely safe without any security risks. I didn't apply for SSL just because I didn't have enough funds.

I want to introduce client certificate authentication for communication between the iPad and the server. Since it is not possible to install a client certificate on the iPad using a p12 file, I am considering another method. I would like to know how to install the client certificate and private key issued by the certificate authority on the iPad without converting it to a p12 file. What are the different ways to do this?

"ASCredentialProviderViewController" class was implemented in my password manager to autofill password for the app clients. I've added passkey support recently but biometric/code authentication is not asked by the system when the user tries to sign in with a passkey thanks to "provideCredentialWithoutUserInteraction(for credentialRequest: ASCredentialRequest)". For passwords: extensionContext.completeRequest(withSelectedCredential: ASPasswordCredential(), completionHandler: nil) -> Does trigger biometric/code authentication For passkeys: extensionContext.completeAssertionRequest(using: ASPasskeyAssertionCredential()) -> Does NOT trigger biometric/code authentication => Why authentication is managed by the system for password but not for passkeys ? And how to fix that?

I did implement "ASCredentialProviderViewController" class for my password manager in order to support passkey recently. Passkey registration and assertion works correctly but remote fullfilling is not working as expected. Use case: The user wants to sign in with passkey on some computer A QRCode is displayed and the user scan the QRCode Apple Authentication bottom sheet is opened and the client can pick my app as a provider ISSUE HERE: my app doesn't receive the passkey request parameters and is not able to generate the assertion answer I was hoping the following functions to be called but it's not the case: prepareCredentialList(for serviceIdentifiers: [ASCredentialServiceIdentifier], requestParameters: ASPasskeyCredentialRequestParameters) prepareInterfaceToProvideCredential(for credentialRequest: ASCredentialRequest) provideCredentialWithoutUserInteraction(for credentialRequest: ASCredentialRequest) => Please, how can my app receive the passkey request parameters in order to generate the assertion answer in this situation?

We are using aws amplify for our social logins with signInWithRedirect. When a user selects apple login on iphone and cancels the appleId popup, the user can't click any social login buttons anymore, including the apple one. Refreshing the page resolves this.

Hi Folks, We've been using Xcode Cloud for a year without any issues. Recently, our IT team switched authentication from LDAP to Azure SAML SSO. Since then, we've been getting the following error whenever Xcode Cloud launches a build: "Run command: '/bin/rm -rf /Volumes/workspace/repository &> /dev/null && GIT_TRACE2_PERF=/tmp/git_trace2_perf GIT_TRACE2_EVENT=/tmp/git_trace2_event git init /Volumes/workspace/repository && GIT_TRACE2_PERF=.....etc." "could not read Username for 'http://bitbucket.***': Device not configured Command exited with non-zero exit-code: 128" Any idea what we need to change to get things working again? Thank you Cam

We are implementing just-in-time account creation using Platform Single Sign-on. After creating the account, we are registering the user with PSSO and we want to ensure that the IDP account used for account creation matches the IDP account used in the user registration flow. An easy way to do this appears to be using loginUsername on the ASAuthorizationProviderExtensionLoginManager object. loginUsername gets set during account creation and then we can check what the user is entering during registration. The documentation, however, marks this attribute as deprecated. There is no indication of what could be used instead. Is there some other value we could look at? Does Apple have a plan to introduce a preferred API option? Thanks!

It is clearly stated here that automatically created passwords are 20 characters long, contain 2 hyphens and exactly one uppercase letter and one digit. I have only ever seen generated passwords where the arrangement is in 3 groups of 6 (separated by the hyphens). From the description in the page referred to above, it could be that the generated password might look like: nzomZhf-qnbqd-k8ibtt i.e., a 7-5-6 pattern This would comply with the definition (if that's what it is) on the aforementioned Support page. Is it guaranteed that auto generated passwords will conform to the 3 groups of 6 pattern?

We're using this (on a mac) to do 3rd party authentication. The completion handler is getting Authentication session got error: [The operation couldn’t be completed. (com.apple.AuthenticationServices.WebAuthenticationSession error 1.)], in domain: [com.apple.AuthenticationServices.WebAuthenticationSession] That seems to be generated if the auth window is closed. However... it's not being closed, so we end up spawning a second one to do it, and this one seems to work.

I want to add my testing app and prod app for release in associated domain file. How can I add them in apple-app-site-association. Can I add both separated by coma { "webcredentials": { "apps": [ "3ABCDEF.com.lalitha.release" , 3ABCDEF.com.lalitha.test] } } In Apple documentation example they haven't mention about adding multiple apps under web credentials [https://developer.apple.com/documentation/xcode/supporting-associated-domains]

Tried to implement the code snippets based on : https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication/supporting_security_key_authentication_using_physical_keys security key. The Sign In UI did popup but after which is either it timed-out or i cancelled the operation. The performRequest function doesn't seems to trigger my external security key. Not sure if FBSSystemApp / coreauthd are part of the logs i should be looking out to see where the issue(s) is/are?

I am trying to auth with a non-apple auth provider for a multi-platform service. I'm expecting to be able to use this to fetch the OAuth code after the user logs in to their auth provider. myRedirectHost = 'https' OR 'https://my.domain.com' where I also know the redirect path and query params and will extract them. ASWebAuthenticationSession(url: url, callbackURLScheme: myRedirectHost, completionHandler: handleAuthSessionResult) This works for iOS 17.4+ with that nice enum, but what about the rest of the users?

It seems that all macOS apps currently going through App Review which use ASWebAuthenticationSession (or SwiftUI webAuthenticationSession) are being rejected, because: Reason given: Guideline 4.0 - Design The user is taken to the default web browser to sign in or register for an account, which provides a poor user experience. See here for more details: https://forums.developer.apple.com/forums/thread/750400 If webAuthenticationSession is no longer permitted for production apps, what is the current recommended approach for implementing OAuth 2 authentication?

This method does not seem to work consistently: SFSafariViewControllerDelegate.safariViewController(_ controller: SFSafariViewController, initialLoadDidRedirectTo URL: URL) It was working 100% of the time until this week for me, now it has about a 1-5% success rate for detecting redirects. The docs are not clear: @discussion This method may be called even after -safariViewController:didCompleteInitialLoad: if the web page performs additional redirects without user interaction. Code snippet from calling UIViewController that conforms to SFSafariViewControllerDelegate: let config = SafariViewController.Configuration() config.entersReaderIfAvailable = false let vc = SFSafariViewController(url: url, configuration: config) vc.delegate = self self.safariViewController = vc print(self.safariViewController?.delegate) self.present(vc, animated: true) Did something change? How can I make this consistent again?

For some reason, not all of the time but most of the time, the SFSafariViewControllerDelegate method for initialLoadDidRedirectTo is not being triggered for subsequent reloads as specified in the docs. @discussion This method may be called even after -safariViewController:didCompleteInitialLoad: if the web page performs additional redirects without user interaction. I am allowing a user to log in with an OAuth 2.0 Provider on the Safari browser and expecting to detect the redirect to continue the flow from the app once their credentials have securely been consumed by the IdP in Safari. It was working consistently. It went from a 100% success rate up until this week to maybe 1/20 successful redirects. Code snippet: let config = SafariViewController.Configuration() config.entersReaderIfAvailable = false let vc = SFSafariViewController(url: url, configuration: config) vc.delegate = self self.safariViewController = vc print(self.safariViewController?.delegate) self.present(vc, animated: true) Why is it not always detecting the redirects?