Prioritize user privacy and data security in your app. Discuss best practices for data handling, user consent, and security measures to protect user information.

All subtopics
Posts under Privacy & Security topic

Post

Replies

Boosts

Views

Activity

Privacy & Security Resources
General: Forums topic: Privacy & Security Privacy Resources Security Resources Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"
0
0
969
Jul ’25
Sign in with Apple fails with "Sign-Up not completed" (ASAuthorizationError 1001) for all apps of our team, on all devices — other teams' apps work fine
Sign in with Apple fails with the system alert "Sign-Up not completed" for every app belonging to our developer team, on every device we tested. The app itself only receives ASAuthorizationError code 1001 with an empty userInfo dictionary, so there is nothing actionable on the client side. We have systematically ruled out every configuration cause we could think of: Sign in with Apple capability is enabled on each App ID, set as primary (verified via the App Store Connect API) com.apple.developer.applesignin entitlement is present in the signed binaries and in the provisioning profiles (verified with codesign and security cms) Two-factor authentication is active on the test Apple ID No pending agreements (Paid Apps accepted; one of our apps is live on the App Store) Reproduction matrix — ALL of these combinations fail identically: Devices: two different physical devices (iPhone, iPad) Signing: development-signed AND TestFlight (App Store distribution) builds Network: Wi-Fi AND cellular App IDs: existing ones (capability enabled more than 48 hours ago) AND a minimal reproduction app whose App ID + capability were created minutes before the test Control test that WORKS: on the same devices, with the same Apple ID, a brand-new Sign in with Apple sign-up in App Store apps from other teams completes without any issue. The failure is therefore strictly scoped to apps of our team. The device log (log collect) shows the following akd sequence at the moment of every attempt: akd: [com.apple.authkit:siwa] Encountered error while fetching developer team: Error Domain=AKSQLError Code=-6003 akd: [com.apple.aaafoundation:log] Error fetching keychain items - NSOSStatusErrorDomain Code=-25300 "no matching items found" akd: [com.apple.authkit:siwa] Using personal credential state - 2, error - AKAuthenticationError Code=-7074 akd: [com.apple.AppleIDAuthSupport:general] AppleIDAuthSupport: setError: 2:M2 missing (bad password) akd: [com.apple.authkit:core] SRP authentication with server failed! (com.apple.AppleIDAuthSupport Code=2) akd: [com.apple.authkit:siwa] Error performing auth request: AKAuthenticationError Code=-7003 Given that a freshly created App ID reproduces the failure immediately while other teams' apps work on the same devices with the same Apple ID, this looks like a broken server-side Sign in with Apple provisioning/registration state for our team rather than anything we can fix ourselves. Has anyone seen this resolved? Is there anything on the account/team level that can get a team's Sign in with Apple provisioning re-initialized? Happy to share the Team ID and full .logarchive with Apple folks via DTS/support.
0
0
25
13h
Possible lockdown mode box cellular call health no service while Wi-Fi works
Hi Everyone I’m using an iPhone running the latest version of iOS with a physical team after enabling lockdown mode. I have noticed what appears to be unusual issued. 1: wi-Fi works normally. 2: outgoing cellular calls fail wit “call failed.” 3: shortly after the status bar changes to “no service.” 4: I still receive SMS notifications from my courier informing me of missed calls. I’ve already: . Nothing nice. updated to the latest iOS. . Restarted the iPhone. . Confirm that Wi-Fi is functioning normally. From Apple‘s documentation, I understand that lockdown mode is intended to harden the device against sophisticated cyber rates. I should not normally disable voice call service as everyone else experience this after enabling lockdown mode? If so: Which iPhone model are you using? Which iOS version? Which carrie? Did you find a solution? I’m also interested in knowing whether Apple is aware of this as a potential software bug or whether it could be related to a carrier compatibility issue. Thank you
0
0
27
1d
same passkey synced on 2 devices generate different prf outputs for the same salt
Steps to reproduce: register a passkey on device A authenticate on device A, using the prf extension and a constant salt. Note the prf output go to device B. wait for iCloud sync authenticate on device B using the prf extension and the same constant salt. Note the prf output The prf outputs are different. Note: Repeat the authentication on each device. The prf output is identical for a given device, which seems to point towards the inclusion of a device specific component in the prf derivation. In my scenario, I need the prf output to be the same regardless of the device since I use it as the recovery key for my app data. Could you confirm that this is the expected behavior or not? Thanks,
3
1
710
1d
Sign in with Apple: "Sign Up Not Completed" for every App ID in our team — framework returns canceled (1001) with empty userInfo
Sign in with Apple fails for every App ID in our team (K9UFUZF2XW), on every device and every Apple ID we have tried. The system sheet appears, the user authenticates successfully, the sheet then shows "Sign Up Not Completed", and no credential is returned. The failure happens after authentication — this is not a client-side rejection. I have spent several days isolating this and have ruled out everything on my side. Posting the full evidence in case an Apple engineer can look at the server-side state for our team, and in case it helps others hitting the same wall. WHAT THE FRAMEWORK ACTUALLY RETURNS The client library we use (expo-apple-authentication) discards the original NSError, so I patched its native layer to surface the raw error verbatim. This is what ASAuthorizationController hands back to didCompleteWithError, immediately after the user authenticated and the sheet displayed "Sign Up Not Completed": ASAuthorizationError .canceled (rawValue = 1001) domain = com.apple.AuthenticationServices.AuthorizationError code = 1001 desc = The operation couldn't be completed. (com.apple.AuthenticationServices.AuthorizationError, error 1001) userInfo: NSUnderlyingError: So the framework reports a user cancellation that never happened, with a completely empty userInfo and no underlying error. There is no diagnostic information on the client at all — I cannot debug this any further from my side, because the information does not exist there. Note: the same failure surfaces as a different error code depending on the client library version — .unknown (1000) with the older version, .canceled (1001) with the current one. The user-visible behaviour ("Sign Up Not Completed") is identical in both. So the error code is not a reliable signal here. WHAT I RULED OUT Not the App ID. I created a brand-new App ID (kz.auraai.ios) with Sign in with Apple enabled as a primary App ID, built a fresh binary, tested on the same device with the same Apple ID — identical failure. Two independent App IDs in the same team fail the same way. Not the entitlement. Verified inside the signed binary, not just in the portal: application-identifier = K9UFUZF2XW.kz.auraai.ios com.apple.developer.applesignin = ["Default"] I also tried the workaround suggested elsewhere on these forums (removing the entitlement while keeping the capability in the portal). That made it strictly worse: iOS then rejects the request instantly, without showing the sheet at all. Which confirms iOS reads the entitlement correctly, the sheet works, and the user authenticates — the failure is downstream of all of that. No stray or wildcard App IDs. A commonly cited cause is other App IDs in the team lacking the entitlement. I enumerated the whole team via the App Store Connect API: it contains exactly two App IDs, both with APPLE_ID_AUTH = PRIMARY_APP_CONSENT. No wildcard identifiers exist. Not the Apple ID, the device, or the iOS version. The same Apple ID, on the same device, with the same iOS, signs in successfully through another app belonging to a different team (Expo Go, host.exp.Exponent) — a valid identity token is returned. A second, unrelated Apple ID on another device fails in my app in exactly the same way. So this is not scoped to one account: it affects every user of the app. Agreements and membership are in good standing. Program License Agreement accepted 30 June 2026; Developer Agreement accepted 26 June 2026; membership active. Both distribution types fail. TestFlight and ad-hoc. WHAT IS LEFT After all of the above, the only variable that differs between the working case (a different team's app, same device, same Apple ID) and the failing case (my app) is the Apple Developer team itself. This exact signature — sheet renders fully, final server submit fails, "Sign Up Not Completed", delegate reports canceled with no userInfo, not reproducible in other apps on the same device — is documented in thread 122458 ("Error: Sign-Up Not Completed"). In that case it affected multiple developers, including Apple's own sample app, and was ultimately resolved by Apple on the server side, with a recurrence reported in June 2025. THE ASK Could someone from Apple check the server-side Sign in with Apple registration for team K9UFUZF2XW (App IDs kz.auraai.app and kz.auraai.ios)? I am not looking for configuration advice — I have exhausted the client side and there is nothing left to configure. This looks like the same server-side state that was fixed in the referenced cases. Feedback Assistant: FB23716661 (includes sysdiagnose with the Accounts/AuthKit profile, timestamp, and video of the failure). This is currently blocking us: because Sign in with Apple works for none of our users, guideline 4.8 prevents us from offering Google Sign-In, so we are shipping with email-only login. Happy to provide the binary, entitlements dump, or a fresh sysdiagnose on request.
0
0
24
1d
Sign in with Apple works on device but fails in Simulator (AuthorizationError 1000) — App Review keeps rejecting
Sign in with Apple works correctly on a physical iPhone in my Capacitor-based app, but fails in the Simulator, and this appears to be causing repeated App Store review rejections. I'm trying to figure out how to get past review.... What happens On a physical iPhone, Sign in with Apple works as expected. In the Simulator, if the user signs into their Apple ID (Settings) and returns to the app, tapping "Sign up with Apple" fails immediately with: The operation couldn't be completed. (com.apple.AuthenticationServices.AuthorizationError error 1000.) (Screenshot attached.) The native Apple sheet never appears — the error returns right away. The actual problem Every time I submit to App Store review, the app gets rejected because Sign in with Apple fails for the reviewer — I believe they're testing in an environment (Simulator, or a device not signed into iCloud) where it returns error 1000. It works on real hardware, so I keep getting stuck in a review loop over something I can't reproduce on device. What I've already checked Sign In with Apple capability is present in Signing & Capabilities for both Debug and Release, and the entitlement is in the built product. The App ID has Sign In with Apple enabled in the Developer portal, and the Services ID / return URLs are configured for Clerk. Resolved an earlier iPad-specific issue where connectedScenes was empty (added a UIApplicationSceneManifest + AppDelegate.window fallback), so ASAuthorizationController now has a valid presentation anchor. Questions Is error 1000 (ASAuthorizationError.unknown) in the Simulator a known environment issue (e.g. no usable Apple ID for the authorization flow) rather than an app bug — given it works on physical devices? For anyone who has been rejected because Sign in with Apple failed in the reviewer's environment: what actually got you through review? Reviewer notes explaining it works on device? Replying in Resolution Center with a screen recording from a real device? Something else? Any guidance appreciated — I'd rather fix the root cause than keep resubmitting.
0
0
29
1d
How can an iOS browser app request the Web Browser Public Key Credential entitlement for Passkeys?
Hello Apple Developer Team, I am developing a general-purpose web browser for iOS using WKWebView. Current status: • The app is distributed through TestFlight (Internal Testing). • The app is registered in App Store Connect. • The browser supports standard web browsing with multiple tabs and arbitrary websites. My goal is to support WebAuthn passkey authentication for websites such as Google, GitHub, Microsoft, and other websites that support passkeys. While reviewing Apple's documentation, I found: "Passkey use in web browsers" "Authenticating people by using passkeys in browser apps" These documents mention that browser apps on iOS can support passkeys using: ASAuthorizationWebBrowserPublicKeyCredentialManager and the entitlement: com.apple.developer.web-browser.public-key-credential However, I could only find a request form titled: "Request the macOS Web Browser Public Key Credential Entitlement" which specifically asks: "Is your app a web browser on macOS?" My application is an iOS web browser, not a macOS browser. In addition, I previously requested the Default Web Browser entitlement, but my request was declined. My questions are: Is there a separate application process for requesting the Web Browser Public Key Credential entitlement for an iOS browser? Is approval of the Default Web Browser entitlement required before an iOS browser can use WebAuthn passkeys? Can an iOS browser request only the Web Browser Public Key Credential entitlement without becoming the system default browser? Is there any official documentation describing the entitlement request process for iOS browser apps? I know that third-party browsers such as Aloha Browser appear to support system Passkeys on iOS, so I would like to understand the correct implementation and entitlement process for an iOS browser. Thank you very much for your guidance.
1
0
57
2d
Identifying system OCSP/CRL traffic in Network Extension.
Hi! We're developing a security product that uses both EndpointSecurity.framework to intercept and authorize process and file events; and NetworkExtension.framework o intercept and inspect network connections. We're occasionally seeing crashes caused by Endpoint Security timeouts. After investigating several crash reports, we believe we've identified a deadlock involving code signature verification: our Network Extension intercepts connections initiated by nsurlsessiond to retrieve OCSP/CRL data (we believe these requests are made on behalf of trustd during code signature validation). To determine which policy should be applied to an intercepted connection, our Network Extension verifies the code signature of the originating process. However, that code signature verification itself blocks while waiting for the OCSP/CRL requests to complete. Since those requests are being intercepted by our Network Extension, we end up with a circular dependency: A process requires code signature verification. Signature verification triggers OCSP/CRL network requests. Those requests are intercepted by our Network Extension. Our Network Extension attempts to verify the initiator's code signature before allowing the connection. That verification waits for the same OCSP/CRL requests to complete. As a result, code signature verification becomes blocked process-wide, including verification performed while handling Endpoint Security events. Eventually, our Endpoint Security client exceeds the allowed response timeout and is terminated. We're considering bypassing interception for OCSP/CRL traffic to avoid this deadlock, but we'd like to understand whether this is the recommended or most robust approach. Questions Is there a reliable way to identify network connections that are fetching OCSP or CRL data for code signature validation? What is the relationship between trustd and nsurlsessiond for these requests? Is there a dedicated nsurlsessiond instance serving trustd, or are these requests performed by the shared system/session-wide nsurlsessiond? Would it be a reasonable and future-proof approach to identify these requests by checking NEAppProxyFlow.remoteHostname (for example, ocsp.apple.com and crl.apple.com) and bypassing interception for those connections? Is there another recommended approach to avoid this deadlock when combining Endpoint Security and Network Extension in this way? Any guidance or best practices would be greatly appreciated. Thank you!
1
0
61
2d
Token endpoint returns invalid_client for real authorization codes, but invalid_grant (client auth accepted) for identical credentials with a test code
Sign in with Apple (web flow) fails 100% reproducibly at the token exchange for our newly created identifiers. POST to https://appleid.apple.com/auth/token with a REAL authorization code → 400 {"error":"invalid_client"}. The exact same client_id + client_secret from the same production server with a dummy code → {"error":"invalid_grant"} — i.e. client authentication passes and only the code is rejected, as expected. 16/16 probe requests across both registered redirect_uris. The authorization phase succeeds (user completes the appleid.apple.com sheet; code arrives via form_post to the registered return URL) and the exchange happens within ~1 second, so code expiry is not the cause. client_secret is an ES256 JWT with correct iss/sub/aud, validity ~6 months, sent via client_secret_post with no Authorization header. I have reviewed TN3107 — none of the documented invalid_client causes fit, given the invalid_grant asymmetry above. Persisted 24+ hours and survived: recreating the Services ID under a new identifier with a freshly minted secret; toggling the Sign in with Apple capability off/on (as primary) on the App ID; re-saving the Services ID configuration (domains and both return URLs re-confirmed). Team ID: CGSLWL988T Primary App ID: app.bookagym (created 2026-07-10) Services ID: app.bookagym.signin (an earlier Services ID app.bookagym.web behaved identically) Key ID: C99J756C86 This looks like stuck or unpropagated server-side provisioning for these identifiers rather than a client-side error. Per the "Gathering required information for troubleshooting Sign in with Apple authorization and token requests" post, I have filed the full details (including the failing request with all parameter values and a long-lived client secret) in Feedback Assistant: FB23692739
0
0
79
4d
Unable to verify the app
Hey guys, I am having issue, unable to verify the app. An internet connection is required to verify trust of the developer .... I am connected to the internet, date and time is correct. I did some google, some one reported this link: https://ppq-ext.v.aaplimg.com/ ssl expired, which is causing this issue. Can anyone help? I am testing to test my app on Iphone 15 pro max.
0
0
103
6d
Native Sign in with Apple in Capacitor + NextAuth
I'm building an iOS app using Capacitor with a Next.js 14 backend. Authentication currently uses: NextAuth Prisma Sign in with Apple Google Sign-In Magic Link The web version works correctly. For the native iOS app, tapping Continue with Apple currently opens the NextAuth endpoint (/api/auth/signin/apple), which launches the web authentication flow. App Review rejected the app because the Sign in with Apple flow leaves the native experience and opens a web view/browser during sign in. My goal is to keep Sign in with Apple fully native while continuing to use the same Prisma user database and authentication system used by the web application. What is Apple's recommended architecture for this scenario? Should I: Perform native Sign in with Apple in the Capacitor app. Send the returned identity token to my backend. Verify the token server-side. Create my own authenticated session instead of using the NextAuth Apple provider. Or is there another approach Apple recommends for hybrid apps using Capacitor? Any guidance would be greatly appreciated.
0
0
106
6d
Validating Signature Of XPC Process
Quinn, you've often suggested that to validate the other side of an XPC connection, we should use the audit token. But that's not available from the XPC object, whereas the PID is. So everyone uses the PID. While looking for something completely unrelated, I found this in the SecCode.h file OSStatus SecCodeCreateWithXPCMessage(xpc_object_t message, SecCSFlags flags, SecCodeRef * __nonnull CF_RETURNS_RETAINED target); Would this be the preferred way to do this now? At least from 11.0 and up. Like I said, I was looking for something completely unrelated and found this and don't have the cycles right now to try it. But it looks promising from the description and I wanted to check in with you about it in case you can say yes or no before I get a chance to test it. Thanks
8
0
8.5k
6d
resetKeys() also resets sharedDeviceSigningKey unexpectedly
I am using ASAuthorizationProviderExtensionLoginManager.resetKeys() to generate new user-specific keys, specifically userDeviceSigningKey and userDeviceEncryptionKey. Based on the documentation, my understanding was that resetKeys() only resets keys associated with a particular user account: https://developer.apple.com/documentation/authenticationservices/asauthorizationproviderextensionloginmanager/resetkeys/ However, during testing, I observed that calling resetKeys() also resets sharedDeviceSigningKey. I had assumed that shared device keys would only be reset via resetDeviceKeys().
1
1
682
1w
macOS 27 beta: LocalAuthenticationView causes LAContext policy evaluation to fail with LAErrorDomain -1007
I’m seeing a regression in macOS 27 beta when using SwiftUI LocalAuthenticationView. When an LAContext is attached to LocalAuthenticationView, subsequent policy evaluation fails immediately with: Error Domain=com.apple.LocalAuthentication Code=-1007 NSDebugDescription="Caller is not Apple signed." NSLocalizedDescription="Authentication denied." The same policies work when evaluated on a plain LAContext that has not been attached to LocalAuthenticationView. Minimal shape of the failing path: @State private var context = LAContext() LocalAuthenticationView(context: context) { EmptyView() } context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, localizedReason: "Unlock") { success, error in print(success, error as Any) } This affects Touch ID unlock in our macOS app. We currently work around it by detecting LAErrorDomain / -1007, removing LocalAuthenticationView, and asking the user to manually start Touch ID with a fresh LAContext. Filed as Feedback: FB23262713 Could someone from the beta / LocalAuthentication team confirm whether this is an intended restriction for LocalAuthenticationView, or a macOS 27 beta regression?
3
2
361
1w
Sign in with Apple Failure, AKAuthenticationServerError=-24000
Apple Developer Support Request - Sign in with Apple Failure Date prepared: 2026-07-08 App name: LingJing / XiaoLing Bundle ID: com.jachymchen.xiaoling Apple Developer Team ID: 765B64SW9Z Platform: iOS Summary Sign in with Apple fails before the app receives a usable Apple identity token. The user-facing Apple system sheet ends with the Chinese alert "未完成注册" ("Sign Up Not Completed"). The app callback does not receive an identityToken, so our backend auth provider is not reached successfully. We reproduced the same failure in a minimal native Swift app that only uses AuthenticationServices and the same Bundle ID / provisioning profile, without Supabase or any app-specific backend code. This suggests the failure is likely in the Apple Sign in with Apple authorization flow, account/device state, or App ID/provisioning configuration recognized by Apple's auth services, rather than in our app's backend implementation. Environment Mac: macOS 26.5 Apple Silicon MacBook Pro Xcode 26.5 iPhone: Real device connected over USB Device name: 硬糖的iPhone iOS 26.5.1 Device UDID: 00008150-000344540C99401C App: Bundle ID: com.jachymchen.xiaoling App version currently used for testing: 0.1.0 App Store Connect app ID observed during TestFlight work: 6784075688 TestFlight build upload previously succeeded for version 0.1.0 build 2 Provisioning / Entitlements Checked Development provisioning profile: Profile name: XiaoLing Dev application-identifier: 765B64SW9Z.com.jachymchen.xiaoling com.apple.developer.applesignin: [Default] com.apple.developer.team-identifier: 765B64SW9Z get-task-allow: true keychain-access-groups includes: 765B64SW9Z.* com.apple.token Profile includes the test device UDID: 00008150-000344540C99401C Expiration: 2027-06-27 Distribution / TestFlight provisioning profile: Profile name: XiaoLing AppStore application-identifier: 765B64SW9Z.com.jachymchen.xiaoling com.apple.developer.applesignin: [Default] beta-reports-active: true get-task-allow: false Signed app entitlements were checked from the executable and matched the expected Bundle ID / Team ID / Sign in with Apple entitlement. Important note: Running codesign -d --entitlements :- XiaoLing.app against the .app bundle may print an "invalid entitlements blob" style result. Running codesign against the actual executable inside the .app is the useful check, and that showed the expected entitlements. Reproduction Steps Install and launch the iOS app with Bundle ID com.jachymchen.xiaoling on the real iPhone. Tap "Sign in with Apple". Complete the Apple ID system prompt. The Apple system flow fails and shows "未完成注册". The app does not receive a valid ASAuthorizationAppleIDCredential identity token. Observed Result The Apple authorization flow fails before returning a usable credential to the app. The system UI shows "未完成注册" ("Sign Up Not Completed"). Expected Result AuthenticationServices should return an ASAuthorizationAppleIDCredential with an identityToken so the app can continue its own backend sign-in. Key Device Logs Observed During real-device attempts, the following log lines appeared around the failure: AuthKit continuation-key-creation token is missing AppleIDAuthSupport: setError: 2:M2 missing (bad password) SRP authentication with server failed AUTH_ALERT_SIGN_UP_NOT_COMPLETED -> 未完成注册 AKRemoteViewController did complete with authorization (null) AKAuthenticationServerError Code=-24000 The private framework error code by itself is not enough to identify the root cause, but the flow consistently fails inside Apple's AuthKit / Apple ID authorization path before our app receives an identity token. Minimal Native Demo Test To exclude app-specific implementation and backend issues, we created a minimal native SwiftUI app using only: AuthenticationServices SignInWithAppleButton ASAuthorizationAppleIDProvider The same Bundle ID: com.jachymchen.xiaoling The same Team ID / provisioning entitlement setup No Supabase No custom backend No React Native No third-party auth library The minimal native demo produced the same user-facing failure: "未完成注册". This strongly suggests the issue is not caused by Supabase, nonce hashing, OAuth handling, React Native, or our app UI. The failure happens before any backend auth exchange can occur. Additional Context The tester tried another Apple ID and still reproduced the failure. The tester stated the Apple ID itself is otherwise usable. The app's Bundle ID is intended to be exactly: com.jachymchen.xiaoling We specifically checked for provisioning profile / Bundle ID mismatch and did not find a mismatch in the installed build. Questions for Apple Developer Support Can Apple check whether App ID 765B64SW9Z.com.jachymchen.xiaoling has any server-side Sign in with Apple configuration issue? Can Apple explain what conditions produce: AUTH_ALERT_SIGN_UP_NOT_COMPLETED AKAuthenticationServerError Code=-24000 "M2 missing (bad password)" "AuthKit continuation-key-creation token is missing" in a native AuthenticationServices Sign in with Apple flow? Is there any known issue on iOS 26.5.1 or with development-signed apps where Sign in with Apple fails before returning an ASAuthorizationAppleIDCredential? Are there account-level or device-level requirements beyond normal Apple ID login that can cause Sign in with Apple to show "Sign Up Not Completed"? Can Apple verify whether this Bundle ID / Team ID is correctly enabled for Sign in with Apple on Apple's backend? Minimal Code Shape Used for Native Demo The native demo used a standard SignInWithAppleButton: SignInWithAppleButton(.signIn) { request in request.requestedScopes = [.fullName, .email] } onCompletion: { result in switch result { case .success(let authorization): // Check authorization.credential as ASAuthorizationAppleIDCredential // and read identityToken. case .failure(let error): // Log NSError domain, code, localizedDescription, and userInfo. } } Support Request Please help determine why Apple's Sign in with Apple authorization flow fails for Bundle ID com.jachymchen.xiaoling before returning a credential, despite the app having the Sign in with Apple entitlement and matching provisioning profile / Bundle ID.
0
0
61
1w
Sign in with Apple fails with "Sign-Up Not Completed" — reproduces for multiple independent Apple ID accounts, blocking App Store submission
App: Subio - Quản lý đăng ký Bundle ID: io.ausynclab.subio Team ID: DMB7A87LM9 App Store Connect App ID: 6785710632 SUMMARY Sign in with Apple in our app consistently fails during the account-creation flow with the system error "Sign-Up Not Completed" (shown by iOS's own native AuthenticationServices UI, before any of our app code runs). This has caused App Review to reject our app 5+ times over the past week (builds 16, 17, 19, 20, 21, 22), each citing Guideline 2.1(a) with this exact error. KEY EVIDENCE THIS IS SERVER-SIDE, NOT APP-SIDE The failure reproduces for TWO COMPLETELY INDEPENDENT Apple ID accounts: Our own developer test account (used repeatedly since build 16) Apple App Review's own test account/device (different devices each time: iPad Air 11" M3, iPad Air 11" M4, iPhone 17 Pro Max — running iPadOS 26.5.2 and iOS 27.0) Two unrelated accounts hitting the identical failure strongly suggests the issue is in our app's Sign-In-With-Apple server-side registration (tied to our Team ID/Bundle ID), not any individual user's account state. Our backend receives ZERO HTTP requests at the moment of failure, confirmed via server-side logging. This proves the failure occurs entirely within iOS's native account-creation sheet, before our JavaScript code (or the identityToken) is ever produced. TROUBLESHOOTING ALREADY COMPLETED (to save engineering time) We have verified all of the following are correctly configured, and the issue persists regardless: Bundle ID capability: APPLE_ID_AUTH is enabled with APPLE_ID_AUTH_APP_CONSENT = PRIMARY_APP_CONSENT (confirmed via App Store Connect API) Provisioning profile: App Store distribution type, contains com.apple.developer.applesignin entitlement (Default), correct Team ID Signing certificate: valid iOS Distribution cert, serial number matches the certificate linked to the provisioning profile in App Store Connect Entitlements embedded in the actual signed, submitted binary (extracted directly from the .ipa and inspected with codesign -d --entitlements) match expectations exactly Tried requesting full scopes (FULL_NAME + EMAIL), reduced scopes (FULL_NAME only), and zero scopes at all (requestedScopes: []) — the failure is identical in all three configurations Added a guard to prevent concurrent/duplicate calls to signInAsync() (in case of rapid double-taps) — failure persists Confirmed the failure occurs both when the button is presented inside a React Native Modal and when presented on a plain (non-modal) screen — ruling out a presentation-context conflict WHAT WE'D LIKE APPLE'S HELP WITH Please check, on your side, whether there is a stuck, incomplete, or corrupted Sign-In-With-Apple account-linking record associated with Bundle ID io.ausynclab.subio / Team ID DMB7A87LM9 that could be causing account-creation requests to fail at the server level. We are happy to provide additional logs, device details, or a screen recording if useful. We would greatly appreciate guidance, as this is blocking our very first App Store submission and we've been unable to identify anything further to fix from the client side. Thank you for your time.
0
0
77
1w
way to attest that a Secure Enclave key is hardware-bound on macOS
We generate Secure Enclave keys via SecKeyCreateRandomKey with kSecAttrTokenIDSecureEnclave on macOS. We need to prove to a remote server that the key is genuinely hardware-bound, not a software key claiming to be one. Is there any API on macOS for an app to obtain an Apple-signed certificate or attestation statement for such a Secure Enclave key, similar to how ASAuthorizationProviderExtensionLoginManager.attestKey() works within Platform SSO but available to general apps? Or other possible workaround for this? Thank you!
5
0
1.1k
1w
Sign In with Apple: AuthorizationError 1000, empty userInfo, delegate never receives authorization
Subject: Sign In with Apple consistently fails with AuthorizationError 1000 (empty userInfo) immediately after successful biometric authentication — native delegate logging confirms failure occurs before authorization is returned to app App ID: com.andresalecina.vant
Team ID: C6GK7Z5GY2
Services ID: com.andresalecina.vant.signin Summary:
Sign In with Apple fails 100% of the time in our native iOS app (Capacitor 7 wrapper) with error code 1000 and completely empty userInfo. The native authentication sheet displays correctly and the user completes Face ID successfully, but authentication fails immediately afterward. Critical new evidence (delegate-level logging):
We instrumented both ASAuthorizationControllerDelegate callback methods directly with NSLog to determine exactly where the failure occurs: authorizationController(controller:didCompleteWithAuthorization:) — never fires. Confirmed across multiple fresh test attempts. authorizationController(controller:didCompleteWithError:) — fires every time, receiving: Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1000 "(null)" with completely empty userInfo. This confirms the failure originates inside AuthenticationServices itself, before any authorization object is ever returned to our app. Our app code is not receiving a token, credential, or authorization of any kind to process — there is nothing for our code to mishandle. Everything already verified clean on our end: Sign In with Apple capability present in Xcode target and confirmed in Apple Developer Portal (Primary App ID, not grouped) Entitlement com.apple.developer.applesignin confirmed present in both the development-signed binary and the App Store distribution provisioning profile Team ID in the compiled binary matches the entitlement (verified via codesign -dv and codesign -d --entitlements) Provisioning profile freshly regenerated after capability was added Apple Developer Program License Agreement and Developer Agreement both fully accepted, no pending items Reproduces identically on two separate physical devices (one iOS 27 beta, one non-beta), on both WiFi and cellular Reproduces with a completely clean Apple ID test account (no prior Family Sharing/managed account involvement, confirmed adult standard account) Device clock, timezone, and Screen Time/Content & Privacy Restrictions confirmed not a factor Native plugin code reviewed line-by-line: uses stock ASAuthorizationAppleIDProvider().createRequest(), standard .fullName/.email scopes only, robust presentation anchor resolution (no detached/fake UIWindow) Timeline:
The Sign In with Apple capability was added to this App ID within the past 24–48 hours (it was missing entirely on our initial rejected App Store submission). Error 1000 has persisted consistently across many rebuilds since the capability was added, which raises the possibility of a propagation delay on Apple's authentication backend, but this has now exceeded typical propagation windows for other capabilities we've observed (Push Notifications, Associated Domains). What we're asking:
Can you verify, on Apple's side, whether App ID com.andresalecina.vant under Team C6GK7Z5GY2 is fully provisioned and active on Apple's Sign In with Apple authentication backend? All client-side, code-side, and account-side factors we can verify are confirmed correct; the delegate-level logging above confirms the failure is occurring before any authorization is returned to the client, which points to a state on Apple's servers that isn't visible to us through the standard Developer Portal UI. Happy to provide device sysdiagnose logs, the full Xcode archive, or a minimal reproduction project (bare SwiftUI, no Capacitor/Supabase) if useful.
1
0
320
1w
Privacy & Security Resources
General: Forums topic: Privacy & Security Privacy Resources Security Resources Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"
Replies
0
Boosts
0
Views
969
Activity
Jul ’25
Sign in with Apple fails with "Sign-Up not completed" (ASAuthorizationError 1001) for all apps of our team, on all devices — other teams' apps work fine
Sign in with Apple fails with the system alert "Sign-Up not completed" for every app belonging to our developer team, on every device we tested. The app itself only receives ASAuthorizationError code 1001 with an empty userInfo dictionary, so there is nothing actionable on the client side. We have systematically ruled out every configuration cause we could think of: Sign in with Apple capability is enabled on each App ID, set as primary (verified via the App Store Connect API) com.apple.developer.applesignin entitlement is present in the signed binaries and in the provisioning profiles (verified with codesign and security cms) Two-factor authentication is active on the test Apple ID No pending agreements (Paid Apps accepted; one of our apps is live on the App Store) Reproduction matrix — ALL of these combinations fail identically: Devices: two different physical devices (iPhone, iPad) Signing: development-signed AND TestFlight (App Store distribution) builds Network: Wi-Fi AND cellular App IDs: existing ones (capability enabled more than 48 hours ago) AND a minimal reproduction app whose App ID + capability were created minutes before the test Control test that WORKS: on the same devices, with the same Apple ID, a brand-new Sign in with Apple sign-up in App Store apps from other teams completes without any issue. The failure is therefore strictly scoped to apps of our team. The device log (log collect) shows the following akd sequence at the moment of every attempt: akd: [com.apple.authkit:siwa] Encountered error while fetching developer team: Error Domain=AKSQLError Code=-6003 akd: [com.apple.aaafoundation:log] Error fetching keychain items - NSOSStatusErrorDomain Code=-25300 "no matching items found" akd: [com.apple.authkit:siwa] Using personal credential state - 2, error - AKAuthenticationError Code=-7074 akd: [com.apple.AppleIDAuthSupport:general] AppleIDAuthSupport: setError: 2:M2 missing (bad password) akd: [com.apple.authkit:core] SRP authentication with server failed! (com.apple.AppleIDAuthSupport Code=2) akd: [com.apple.authkit:siwa] Error performing auth request: AKAuthenticationError Code=-7003 Given that a freshly created App ID reproduces the failure immediately while other teams' apps work on the same devices with the same Apple ID, this looks like a broken server-side Sign in with Apple provisioning/registration state for our team rather than anything we can fix ourselves. Has anyone seen this resolved? Is there anything on the account/team level that can get a team's Sign in with Apple provisioning re-initialized? Happy to share the Team ID and full .logarchive with Apple folks via DTS/support.
Replies
0
Boosts
0
Views
25
Activity
13h
Possible lockdown mode box cellular call health no service while Wi-Fi works
Hi Everyone I’m using an iPhone running the latest version of iOS with a physical team after enabling lockdown mode. I have noticed what appears to be unusual issued. 1: wi-Fi works normally. 2: outgoing cellular calls fail wit “call failed.” 3: shortly after the status bar changes to “no service.” 4: I still receive SMS notifications from my courier informing me of missed calls. I’ve already: . Nothing nice. updated to the latest iOS. . Restarted the iPhone. . Confirm that Wi-Fi is functioning normally. From Apple‘s documentation, I understand that lockdown mode is intended to harden the device against sophisticated cyber rates. I should not normally disable voice call service as everyone else experience this after enabling lockdown mode? If so: Which iPhone model are you using? Which iOS version? Which carrie? Did you find a solution? I’m also interested in knowing whether Apple is aware of this as a potential software bug or whether it could be related to a carrier compatibility issue. Thank you
Replies
0
Boosts
0
Views
27
Activity
1d
same passkey synced on 2 devices generate different prf outputs for the same salt
Steps to reproduce: register a passkey on device A authenticate on device A, using the prf extension and a constant salt. Note the prf output go to device B. wait for iCloud sync authenticate on device B using the prf extension and the same constant salt. Note the prf output The prf outputs are different. Note: Repeat the authentication on each device. The prf output is identical for a given device, which seems to point towards the inclusion of a device specific component in the prf derivation. In my scenario, I need the prf output to be the same regardless of the device since I use it as the recovery key for my app data. Could you confirm that this is the expected behavior or not? Thanks,
Replies
3
Boosts
1
Views
710
Activity
1d
Sign in with Apple: "Sign Up Not Completed" for every App ID in our team — framework returns canceled (1001) with empty userInfo
Sign in with Apple fails for every App ID in our team (K9UFUZF2XW), on every device and every Apple ID we have tried. The system sheet appears, the user authenticates successfully, the sheet then shows "Sign Up Not Completed", and no credential is returned. The failure happens after authentication — this is not a client-side rejection. I have spent several days isolating this and have ruled out everything on my side. Posting the full evidence in case an Apple engineer can look at the server-side state for our team, and in case it helps others hitting the same wall. WHAT THE FRAMEWORK ACTUALLY RETURNS The client library we use (expo-apple-authentication) discards the original NSError, so I patched its native layer to surface the raw error verbatim. This is what ASAuthorizationController hands back to didCompleteWithError, immediately after the user authenticated and the sheet displayed "Sign Up Not Completed": ASAuthorizationError .canceled (rawValue = 1001) domain = com.apple.AuthenticationServices.AuthorizationError code = 1001 desc = The operation couldn't be completed. (com.apple.AuthenticationServices.AuthorizationError, error 1001) userInfo: NSUnderlyingError: So the framework reports a user cancellation that never happened, with a completely empty userInfo and no underlying error. There is no diagnostic information on the client at all — I cannot debug this any further from my side, because the information does not exist there. Note: the same failure surfaces as a different error code depending on the client library version — .unknown (1000) with the older version, .canceled (1001) with the current one. The user-visible behaviour ("Sign Up Not Completed") is identical in both. So the error code is not a reliable signal here. WHAT I RULED OUT Not the App ID. I created a brand-new App ID (kz.auraai.ios) with Sign in with Apple enabled as a primary App ID, built a fresh binary, tested on the same device with the same Apple ID — identical failure. Two independent App IDs in the same team fail the same way. Not the entitlement. Verified inside the signed binary, not just in the portal: application-identifier = K9UFUZF2XW.kz.auraai.ios com.apple.developer.applesignin = ["Default"] I also tried the workaround suggested elsewhere on these forums (removing the entitlement while keeping the capability in the portal). That made it strictly worse: iOS then rejects the request instantly, without showing the sheet at all. Which confirms iOS reads the entitlement correctly, the sheet works, and the user authenticates — the failure is downstream of all of that. No stray or wildcard App IDs. A commonly cited cause is other App IDs in the team lacking the entitlement. I enumerated the whole team via the App Store Connect API: it contains exactly two App IDs, both with APPLE_ID_AUTH = PRIMARY_APP_CONSENT. No wildcard identifiers exist. Not the Apple ID, the device, or the iOS version. The same Apple ID, on the same device, with the same iOS, signs in successfully through another app belonging to a different team (Expo Go, host.exp.Exponent) — a valid identity token is returned. A second, unrelated Apple ID on another device fails in my app in exactly the same way. So this is not scoped to one account: it affects every user of the app. Agreements and membership are in good standing. Program License Agreement accepted 30 June 2026; Developer Agreement accepted 26 June 2026; membership active. Both distribution types fail. TestFlight and ad-hoc. WHAT IS LEFT After all of the above, the only variable that differs between the working case (a different team's app, same device, same Apple ID) and the failing case (my app) is the Apple Developer team itself. This exact signature — sheet renders fully, final server submit fails, "Sign Up Not Completed", delegate reports canceled with no userInfo, not reproducible in other apps on the same device — is documented in thread 122458 ("Error: Sign-Up Not Completed"). In that case it affected multiple developers, including Apple's own sample app, and was ultimately resolved by Apple on the server side, with a recurrence reported in June 2025. THE ASK Could someone from Apple check the server-side Sign in with Apple registration for team K9UFUZF2XW (App IDs kz.auraai.app and kz.auraai.ios)? I am not looking for configuration advice — I have exhausted the client side and there is nothing left to configure. This looks like the same server-side state that was fixed in the referenced cases. Feedback Assistant: FB23716661 (includes sysdiagnose with the Accounts/AuthKit profile, timestamp, and video of the failure). This is currently blocking us: because Sign in with Apple works for none of our users, guideline 4.8 prevents us from offering Google Sign-In, so we are shipping with email-only login. Happy to provide the binary, entitlements dump, or a fresh sysdiagnose on request.
Replies
0
Boosts
0
Views
24
Activity
1d
Sign in with Apple works on device but fails in Simulator (AuthorizationError 1000) — App Review keeps rejecting
Sign in with Apple works correctly on a physical iPhone in my Capacitor-based app, but fails in the Simulator, and this appears to be causing repeated App Store review rejections. I'm trying to figure out how to get past review.... What happens On a physical iPhone, Sign in with Apple works as expected. In the Simulator, if the user signs into their Apple ID (Settings) and returns to the app, tapping "Sign up with Apple" fails immediately with: The operation couldn't be completed. (com.apple.AuthenticationServices.AuthorizationError error 1000.) (Screenshot attached.) The native Apple sheet never appears — the error returns right away. The actual problem Every time I submit to App Store review, the app gets rejected because Sign in with Apple fails for the reviewer — I believe they're testing in an environment (Simulator, or a device not signed into iCloud) where it returns error 1000. It works on real hardware, so I keep getting stuck in a review loop over something I can't reproduce on device. What I've already checked Sign In with Apple capability is present in Signing & Capabilities for both Debug and Release, and the entitlement is in the built product. The App ID has Sign In with Apple enabled in the Developer portal, and the Services ID / return URLs are configured for Clerk. Resolved an earlier iPad-specific issue where connectedScenes was empty (added a UIApplicationSceneManifest + AppDelegate.window fallback), so ASAuthorizationController now has a valid presentation anchor. Questions Is error 1000 (ASAuthorizationError.unknown) in the Simulator a known environment issue (e.g. no usable Apple ID for the authorization flow) rather than an app bug — given it works on physical devices? For anyone who has been rejected because Sign in with Apple failed in the reviewer's environment: what actually got you through review? Reviewer notes explaining it works on device? Replying in Resolution Center with a screen recording from a real device? Something else? Any guidance appreciated — I'd rather fix the root cause than keep resubmitting.
Replies
0
Boosts
0
Views
29
Activity
1d
How can an iOS browser app request the Web Browser Public Key Credential entitlement for Passkeys?
Hello Apple Developer Team, I am developing a general-purpose web browser for iOS using WKWebView. Current status: • The app is distributed through TestFlight (Internal Testing). • The app is registered in App Store Connect. • The browser supports standard web browsing with multiple tabs and arbitrary websites. My goal is to support WebAuthn passkey authentication for websites such as Google, GitHub, Microsoft, and other websites that support passkeys. While reviewing Apple's documentation, I found: "Passkey use in web browsers" "Authenticating people by using passkeys in browser apps" These documents mention that browser apps on iOS can support passkeys using: ASAuthorizationWebBrowserPublicKeyCredentialManager and the entitlement: com.apple.developer.web-browser.public-key-credential However, I could only find a request form titled: "Request the macOS Web Browser Public Key Credential Entitlement" which specifically asks: "Is your app a web browser on macOS?" My application is an iOS web browser, not a macOS browser. In addition, I previously requested the Default Web Browser entitlement, but my request was declined. My questions are: Is there a separate application process for requesting the Web Browser Public Key Credential entitlement for an iOS browser? Is approval of the Default Web Browser entitlement required before an iOS browser can use WebAuthn passkeys? Can an iOS browser request only the Web Browser Public Key Credential entitlement without becoming the system default browser? Is there any official documentation describing the entitlement request process for iOS browser apps? I know that third-party browsers such as Aloha Browser appear to support system Passkeys on iOS, so I would like to understand the correct implementation and entitlement process for an iOS browser. Thank you very much for your guidance.
Replies
1
Boosts
0
Views
57
Activity
2d
Identifying system OCSP/CRL traffic in Network Extension.
Hi! We're developing a security product that uses both EndpointSecurity.framework to intercept and authorize process and file events; and NetworkExtension.framework o intercept and inspect network connections. We're occasionally seeing crashes caused by Endpoint Security timeouts. After investigating several crash reports, we believe we've identified a deadlock involving code signature verification: our Network Extension intercepts connections initiated by nsurlsessiond to retrieve OCSP/CRL data (we believe these requests are made on behalf of trustd during code signature validation). To determine which policy should be applied to an intercepted connection, our Network Extension verifies the code signature of the originating process. However, that code signature verification itself blocks while waiting for the OCSP/CRL requests to complete. Since those requests are being intercepted by our Network Extension, we end up with a circular dependency: A process requires code signature verification. Signature verification triggers OCSP/CRL network requests. Those requests are intercepted by our Network Extension. Our Network Extension attempts to verify the initiator's code signature before allowing the connection. That verification waits for the same OCSP/CRL requests to complete. As a result, code signature verification becomes blocked process-wide, including verification performed while handling Endpoint Security events. Eventually, our Endpoint Security client exceeds the allowed response timeout and is terminated. We're considering bypassing interception for OCSP/CRL traffic to avoid this deadlock, but we'd like to understand whether this is the recommended or most robust approach. Questions Is there a reliable way to identify network connections that are fetching OCSP or CRL data for code signature validation? What is the relationship between trustd and nsurlsessiond for these requests? Is there a dedicated nsurlsessiond instance serving trustd, or are these requests performed by the shared system/session-wide nsurlsessiond? Would it be a reasonable and future-proof approach to identify these requests by checking NEAppProxyFlow.remoteHostname (for example, ocsp.apple.com and crl.apple.com) and bypassing interception for those connections? Is there another recommended approach to avoid this deadlock when combining Endpoint Security and Network Extension in this way? Any guidance or best practices would be greatly appreciated. Thank you!
Replies
1
Boosts
0
Views
61
Activity
2d
Token endpoint returns invalid_client for real authorization codes, but invalid_grant (client auth accepted) for identical credentials with a test code
Sign in with Apple (web flow) fails 100% reproducibly at the token exchange for our newly created identifiers. POST to https://appleid.apple.com/auth/token with a REAL authorization code → 400 {"error":"invalid_client"}. The exact same client_id + client_secret from the same production server with a dummy code → {"error":"invalid_grant"} — i.e. client authentication passes and only the code is rejected, as expected. 16/16 probe requests across both registered redirect_uris. The authorization phase succeeds (user completes the appleid.apple.com sheet; code arrives via form_post to the registered return URL) and the exchange happens within ~1 second, so code expiry is not the cause. client_secret is an ES256 JWT with correct iss/sub/aud, validity ~6 months, sent via client_secret_post with no Authorization header. I have reviewed TN3107 — none of the documented invalid_client causes fit, given the invalid_grant asymmetry above. Persisted 24+ hours and survived: recreating the Services ID under a new identifier with a freshly minted secret; toggling the Sign in with Apple capability off/on (as primary) on the App ID; re-saving the Services ID configuration (domains and both return URLs re-confirmed). Team ID: CGSLWL988T Primary App ID: app.bookagym (created 2026-07-10) Services ID: app.bookagym.signin (an earlier Services ID app.bookagym.web behaved identically) Key ID: C99J756C86 This looks like stuck or unpropagated server-side provisioning for these identifiers rather than a client-side error. Per the "Gathering required information for troubleshooting Sign in with Apple authorization and token requests" post, I have filed the full details (including the failing request with all parameter values and a long-lived client secret) in Feedback Assistant: FB23692739
Replies
0
Boosts
0
Views
79
Activity
4d
Unable to verify the app
Hey guys, I am having issue, unable to verify the app. An internet connection is required to verify trust of the developer .... I am connected to the internet, date and time is correct. I did some google, some one reported this link: https://ppq-ext.v.aaplimg.com/ ssl expired, which is causing this issue. Can anyone help? I am testing to test my app on Iphone 15 pro max.
Replies
0
Boosts
0
Views
103
Activity
6d
Native Sign in with Apple in Capacitor + NextAuth
I'm building an iOS app using Capacitor with a Next.js 14 backend. Authentication currently uses: NextAuth Prisma Sign in with Apple Google Sign-In Magic Link The web version works correctly. For the native iOS app, tapping Continue with Apple currently opens the NextAuth endpoint (/api/auth/signin/apple), which launches the web authentication flow. App Review rejected the app because the Sign in with Apple flow leaves the native experience and opens a web view/browser during sign in. My goal is to keep Sign in with Apple fully native while continuing to use the same Prisma user database and authentication system used by the web application. What is Apple's recommended architecture for this scenario? Should I: Perform native Sign in with Apple in the Capacitor app. Send the returned identity token to my backend. Verify the token server-side. Create my own authenticated session instead of using the NextAuth Apple provider. Or is there another approach Apple recommends for hybrid apps using Capacitor? Any guidance would be greatly appreciated.
Replies
0
Boosts
0
Views
106
Activity
6d
Validating Signature Of XPC Process
Quinn, you've often suggested that to validate the other side of an XPC connection, we should use the audit token. But that's not available from the XPC object, whereas the PID is. So everyone uses the PID. While looking for something completely unrelated, I found this in the SecCode.h file OSStatus SecCodeCreateWithXPCMessage(xpc_object_t message, SecCSFlags flags, SecCodeRef * __nonnull CF_RETURNS_RETAINED target); Would this be the preferred way to do this now? At least from 11.0 and up. Like I said, I was looking for something completely unrelated and found this and don't have the cycles right now to try it. But it looks promising from the description and I wanted to check in with you about it in case you can say yes or no before I get a chance to test it. Thanks
Replies
8
Boosts
0
Views
8.5k
Activity
6d
resetKeys() also resets sharedDeviceSigningKey unexpectedly
I am using ASAuthorizationProviderExtensionLoginManager.resetKeys() to generate new user-specific keys, specifically userDeviceSigningKey and userDeviceEncryptionKey. Based on the documentation, my understanding was that resetKeys() only resets keys associated with a particular user account: https://developer.apple.com/documentation/authenticationservices/asauthorizationproviderextensionloginmanager/resetkeys/ However, during testing, I observed that calling resetKeys() also resets sharedDeviceSigningKey. I had assumed that shared device keys would only be reset via resetDeviceKeys().
Replies
1
Boosts
1
Views
682
Activity
1w
macOS 27 beta: LocalAuthenticationView causes LAContext policy evaluation to fail with LAErrorDomain -1007
I’m seeing a regression in macOS 27 beta when using SwiftUI LocalAuthenticationView. When an LAContext is attached to LocalAuthenticationView, subsequent policy evaluation fails immediately with: Error Domain=com.apple.LocalAuthentication Code=-1007 NSDebugDescription="Caller is not Apple signed." NSLocalizedDescription="Authentication denied." The same policies work when evaluated on a plain LAContext that has not been attached to LocalAuthenticationView. Minimal shape of the failing path: @State private var context = LAContext() LocalAuthenticationView(context: context) { EmptyView() } context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, localizedReason: "Unlock") { success, error in print(success, error as Any) } This affects Touch ID unlock in our macOS app. We currently work around it by detecting LAErrorDomain / -1007, removing LocalAuthenticationView, and asking the user to manually start Touch ID with a fresh LAContext. Filed as Feedback: FB23262713 Could someone from the beta / LocalAuthentication team confirm whether this is an intended restriction for LocalAuthenticationView, or a macOS 27 beta regression?
Replies
3
Boosts
2
Views
361
Activity
1w
Sign in with Apple Failure, AKAuthenticationServerError=-24000
Apple Developer Support Request - Sign in with Apple Failure Date prepared: 2026-07-08 App name: LingJing / XiaoLing Bundle ID: com.jachymchen.xiaoling Apple Developer Team ID: 765B64SW9Z Platform: iOS Summary Sign in with Apple fails before the app receives a usable Apple identity token. The user-facing Apple system sheet ends with the Chinese alert "未完成注册" ("Sign Up Not Completed"). The app callback does not receive an identityToken, so our backend auth provider is not reached successfully. We reproduced the same failure in a minimal native Swift app that only uses AuthenticationServices and the same Bundle ID / provisioning profile, without Supabase or any app-specific backend code. This suggests the failure is likely in the Apple Sign in with Apple authorization flow, account/device state, or App ID/provisioning configuration recognized by Apple's auth services, rather than in our app's backend implementation. Environment Mac: macOS 26.5 Apple Silicon MacBook Pro Xcode 26.5 iPhone: Real device connected over USB Device name: 硬糖的iPhone iOS 26.5.1 Device UDID: 00008150-000344540C99401C App: Bundle ID: com.jachymchen.xiaoling App version currently used for testing: 0.1.0 App Store Connect app ID observed during TestFlight work: 6784075688 TestFlight build upload previously succeeded for version 0.1.0 build 2 Provisioning / Entitlements Checked Development provisioning profile: Profile name: XiaoLing Dev application-identifier: 765B64SW9Z.com.jachymchen.xiaoling com.apple.developer.applesignin: [Default] com.apple.developer.team-identifier: 765B64SW9Z get-task-allow: true keychain-access-groups includes: 765B64SW9Z.* com.apple.token Profile includes the test device UDID: 00008150-000344540C99401C Expiration: 2027-06-27 Distribution / TestFlight provisioning profile: Profile name: XiaoLing AppStore application-identifier: 765B64SW9Z.com.jachymchen.xiaoling com.apple.developer.applesignin: [Default] beta-reports-active: true get-task-allow: false Signed app entitlements were checked from the executable and matched the expected Bundle ID / Team ID / Sign in with Apple entitlement. Important note: Running codesign -d --entitlements :- XiaoLing.app against the .app bundle may print an "invalid entitlements blob" style result. Running codesign against the actual executable inside the .app is the useful check, and that showed the expected entitlements. Reproduction Steps Install and launch the iOS app with Bundle ID com.jachymchen.xiaoling on the real iPhone. Tap "Sign in with Apple". Complete the Apple ID system prompt. The Apple system flow fails and shows "未完成注册". The app does not receive a valid ASAuthorizationAppleIDCredential identity token. Observed Result The Apple authorization flow fails before returning a usable credential to the app. The system UI shows "未完成注册" ("Sign Up Not Completed"). Expected Result AuthenticationServices should return an ASAuthorizationAppleIDCredential with an identityToken so the app can continue its own backend sign-in. Key Device Logs Observed During real-device attempts, the following log lines appeared around the failure: AuthKit continuation-key-creation token is missing AppleIDAuthSupport: setError: 2:M2 missing (bad password) SRP authentication with server failed AUTH_ALERT_SIGN_UP_NOT_COMPLETED -> 未完成注册 AKRemoteViewController did complete with authorization (null) AKAuthenticationServerError Code=-24000 The private framework error code by itself is not enough to identify the root cause, but the flow consistently fails inside Apple's AuthKit / Apple ID authorization path before our app receives an identity token. Minimal Native Demo Test To exclude app-specific implementation and backend issues, we created a minimal native SwiftUI app using only: AuthenticationServices SignInWithAppleButton ASAuthorizationAppleIDProvider The same Bundle ID: com.jachymchen.xiaoling The same Team ID / provisioning entitlement setup No Supabase No custom backend No React Native No third-party auth library The minimal native demo produced the same user-facing failure: "未完成注册". This strongly suggests the issue is not caused by Supabase, nonce hashing, OAuth handling, React Native, or our app UI. The failure happens before any backend auth exchange can occur. Additional Context The tester tried another Apple ID and still reproduced the failure. The tester stated the Apple ID itself is otherwise usable. The app's Bundle ID is intended to be exactly: com.jachymchen.xiaoling We specifically checked for provisioning profile / Bundle ID mismatch and did not find a mismatch in the installed build. Questions for Apple Developer Support Can Apple check whether App ID 765B64SW9Z.com.jachymchen.xiaoling has any server-side Sign in with Apple configuration issue? Can Apple explain what conditions produce: AUTH_ALERT_SIGN_UP_NOT_COMPLETED AKAuthenticationServerError Code=-24000 "M2 missing (bad password)" "AuthKit continuation-key-creation token is missing" in a native AuthenticationServices Sign in with Apple flow? Is there any known issue on iOS 26.5.1 or with development-signed apps where Sign in with Apple fails before returning an ASAuthorizationAppleIDCredential? Are there account-level or device-level requirements beyond normal Apple ID login that can cause Sign in with Apple to show "Sign Up Not Completed"? Can Apple verify whether this Bundle ID / Team ID is correctly enabled for Sign in with Apple on Apple's backend? Minimal Code Shape Used for Native Demo The native demo used a standard SignInWithAppleButton: SignInWithAppleButton(.signIn) { request in request.requestedScopes = [.fullName, .email] } onCompletion: { result in switch result { case .success(let authorization): // Check authorization.credential as ASAuthorizationAppleIDCredential // and read identityToken. case .failure(let error): // Log NSError domain, code, localizedDescription, and userInfo. } } Support Request Please help determine why Apple's Sign in with Apple authorization flow fails for Bundle ID com.jachymchen.xiaoling before returning a credential, despite the app having the Sign in with Apple entitlement and matching provisioning profile / Bundle ID.
Replies
0
Boosts
0
Views
61
Activity
1w
Sign in with Apple fails with "Sign-Up Not Completed" — reproduces for multiple independent Apple ID accounts, blocking App Store submission
App: Subio - Quản lý đăng ký Bundle ID: io.ausynclab.subio Team ID: DMB7A87LM9 App Store Connect App ID: 6785710632 SUMMARY Sign in with Apple in our app consistently fails during the account-creation flow with the system error "Sign-Up Not Completed" (shown by iOS's own native AuthenticationServices UI, before any of our app code runs). This has caused App Review to reject our app 5+ times over the past week (builds 16, 17, 19, 20, 21, 22), each citing Guideline 2.1(a) with this exact error. KEY EVIDENCE THIS IS SERVER-SIDE, NOT APP-SIDE The failure reproduces for TWO COMPLETELY INDEPENDENT Apple ID accounts: Our own developer test account (used repeatedly since build 16) Apple App Review's own test account/device (different devices each time: iPad Air 11" M3, iPad Air 11" M4, iPhone 17 Pro Max — running iPadOS 26.5.2 and iOS 27.0) Two unrelated accounts hitting the identical failure strongly suggests the issue is in our app's Sign-In-With-Apple server-side registration (tied to our Team ID/Bundle ID), not any individual user's account state. Our backend receives ZERO HTTP requests at the moment of failure, confirmed via server-side logging. This proves the failure occurs entirely within iOS's native account-creation sheet, before our JavaScript code (or the identityToken) is ever produced. TROUBLESHOOTING ALREADY COMPLETED (to save engineering time) We have verified all of the following are correctly configured, and the issue persists regardless: Bundle ID capability: APPLE_ID_AUTH is enabled with APPLE_ID_AUTH_APP_CONSENT = PRIMARY_APP_CONSENT (confirmed via App Store Connect API) Provisioning profile: App Store distribution type, contains com.apple.developer.applesignin entitlement (Default), correct Team ID Signing certificate: valid iOS Distribution cert, serial number matches the certificate linked to the provisioning profile in App Store Connect Entitlements embedded in the actual signed, submitted binary (extracted directly from the .ipa and inspected with codesign -d --entitlements) match expectations exactly Tried requesting full scopes (FULL_NAME + EMAIL), reduced scopes (FULL_NAME only), and zero scopes at all (requestedScopes: []) — the failure is identical in all three configurations Added a guard to prevent concurrent/duplicate calls to signInAsync() (in case of rapid double-taps) — failure persists Confirmed the failure occurs both when the button is presented inside a React Native Modal and when presented on a plain (non-modal) screen — ruling out a presentation-context conflict WHAT WE'D LIKE APPLE'S HELP WITH Please check, on your side, whether there is a stuck, incomplete, or corrupted Sign-In-With-Apple account-linking record associated with Bundle ID io.ausynclab.subio / Team ID DMB7A87LM9 that could be causing account-creation requests to fail at the server level. We are happy to provide additional logs, device details, or a screen recording if useful. We would greatly appreciate guidance, as this is blocking our very first App Store submission and we've been unable to identify anything further to fix from the client side. Thank you for your time.
Replies
0
Boosts
0
Views
77
Activity
1w
way to attest that a Secure Enclave key is hardware-bound on macOS
We generate Secure Enclave keys via SecKeyCreateRandomKey with kSecAttrTokenIDSecureEnclave on macOS. We need to prove to a remote server that the key is genuinely hardware-bound, not a software key claiming to be one. Is there any API on macOS for an app to obtain an Apple-signed certificate or attestation statement for such a Secure Enclave key, similar to how ASAuthorizationProviderExtensionLoginManager.attestKey() works within Platform SSO but available to general apps? Or other possible workaround for this? Thank you!
Replies
5
Boosts
0
Views
1.1k
Activity
1w
How to share a keychain item between a mac os app and cli app
Hi, I would like to share a keychain item common for mac os app (sandboxed) and swift cli app (non sandboxed). Is there a recommended way for doing this? Thanks
Replies
1
Boosts
0
Views
212
Activity
1w
Sign In with Apple: AuthorizationError 1000, empty userInfo, delegate never receives authorization
Subject: Sign In with Apple consistently fails with AuthorizationError 1000 (empty userInfo) immediately after successful biometric authentication — native delegate logging confirms failure occurs before authorization is returned to app App ID: com.andresalecina.vant
Team ID: C6GK7Z5GY2
Services ID: com.andresalecina.vant.signin Summary:
Sign In with Apple fails 100% of the time in our native iOS app (Capacitor 7 wrapper) with error code 1000 and completely empty userInfo. The native authentication sheet displays correctly and the user completes Face ID successfully, but authentication fails immediately afterward. Critical new evidence (delegate-level logging):
We instrumented both ASAuthorizationControllerDelegate callback methods directly with NSLog to determine exactly where the failure occurs: authorizationController(controller:didCompleteWithAuthorization:) — never fires. Confirmed across multiple fresh test attempts. authorizationController(controller:didCompleteWithError:) — fires every time, receiving: Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1000 "(null)" with completely empty userInfo. This confirms the failure originates inside AuthenticationServices itself, before any authorization object is ever returned to our app. Our app code is not receiving a token, credential, or authorization of any kind to process — there is nothing for our code to mishandle. Everything already verified clean on our end: Sign In with Apple capability present in Xcode target and confirmed in Apple Developer Portal (Primary App ID, not grouped) Entitlement com.apple.developer.applesignin confirmed present in both the development-signed binary and the App Store distribution provisioning profile Team ID in the compiled binary matches the entitlement (verified via codesign -dv and codesign -d --entitlements) Provisioning profile freshly regenerated after capability was added Apple Developer Program License Agreement and Developer Agreement both fully accepted, no pending items Reproduces identically on two separate physical devices (one iOS 27 beta, one non-beta), on both WiFi and cellular Reproduces with a completely clean Apple ID test account (no prior Family Sharing/managed account involvement, confirmed adult standard account) Device clock, timezone, and Screen Time/Content & Privacy Restrictions confirmed not a factor Native plugin code reviewed line-by-line: uses stock ASAuthorizationAppleIDProvider().createRequest(), standard .fullName/.email scopes only, robust presentation anchor resolution (no detached/fake UIWindow) Timeline:
The Sign In with Apple capability was added to this App ID within the past 24–48 hours (it was missing entirely on our initial rejected App Store submission). Error 1000 has persisted consistently across many rebuilds since the capability was added, which raises the possibility of a propagation delay on Apple's authentication backend, but this has now exceeded typical propagation windows for other capabilities we've observed (Push Notifications, Associated Domains). What we're asking:
Can you verify, on Apple's side, whether App ID com.andresalecina.vant under Team C6GK7Z5GY2 is fully provisioned and active on Apple's Sign In with Apple authentication backend? All client-side, code-side, and account-side factors we can verify are confirmed correct; the delegate-level logging above confirms the failure is occurring before any authorization is returned to the client, which points to a state on Apple's servers that isn't visible to us through the standard Developer Portal UI. Happy to provide device sysdiagnose logs, the full Xcode archive, or a minimal reproduction project (bare SwiftUI, no Capacitor/Supabase) if useful.
Replies
1
Boosts
0
Views
320
Activity
1w