We have special use case, We have two apps, App A (Electron) and App B (Swift). App B when run independently works completely fine but when bundles with App A and shipped as dmg, App B doesn't prompt for microphone permission anymore. What can be issue? What's right way to ship both app together such that App B is hidden and launched through App A only? How can I figure out what changes after App B is bundled and comes with App A. Even if I produce dmg of App A and install it on same system, App B doesn't ask for microphone permission anymore.
General
RSS for tagPrioritize user privacy and data security in your app. Discuss best practices for data handling, user consent, and security measures to protect user information.
Post
Replies
Boosts
Views
Activity
Wondering if others have encountered this issue with PSSO 2.0.
We are observing that if, after registration, a user changes their IDP password, they may be prompted for their previous password in order to unlock the Keychain. We are trying to determine if this is expected behavior or if there is a way to avoid it.
To reproduce this, the flow would be as follows:
user registers with PSSO
user logs out and logs back in with their IDP password
user is authenticated (and not prompted for previous password)
user logs out
user changes their IDP password on another machine
user logs in and is prompted to use their previous password to unlock the Keychain.
Failure to provide the previous password nukes the Keychain, which is not an outcome we want.
Any insight anyone has on this issue would be most welcome.
Thanks
Hello, I'm having a problem with taxes calculation for US, the thing is, for some very specific addresses the taxes are coming wrong because we don't have the full address before the authorization with Adyen (our payment provider), for example, when I put the address "1 Infinite Loop, CA, US, 95014" in my wallet, I'm not receiving the value "1 Infinite Loop" (addressLines[0]) in backend until we authorize in Adyen, but I need this field to calculate the taxes and show to the customer before the authorization. My question is, is there any way to have this field before the authorization? If not, you have any idea how other ecommerces that use ApplePay and Adyen handle with this problem?
Thanks in advance!
Hello Developers,
I have ran into a problem while sending mail to apple private relay email. We have built a mobile application where user can sign up through apple and they can sign up using hide-my-email feature. Which provides private relay address for us. Now we want to communicate with them using private relay mail address. The technology we are using to send emails are amazon SES, have done SPF, DMIK, DMARC and added domains in apple identity services for mail communication, passed an SPF check as well. But still mail is not getting delivered
what am i doing wrong or apple doesn't support third party apps for sending emails to private relay? Is there any other way to achieve this please let me know
Using the same body as attached in image is working fine for rest emails.
I am trying to generate public and private keys for an ECDH handshake.
Back end is using p256 for public key. I am getting a failed request with status 0
public func makeHandShake(completion: @escaping (Bool, String?) -> ()) {
guard let config = self.config else { completion(false,APP_CONFIG_ERROR)
return
}
var rData = HandshakeRequestTwo()
let sessionValue = AppUtils().generateSessionID()
rData.session = sessionValue
//generating my ECDH Key Pair
let sPrivateKey = P256.KeyAgreement.PrivateKey()
let sPublicKey = sPrivateKey.publicKey
let privateKeyBase64 = sPrivateKey.rawRepresentation.base64EncodedString()
print("My Private Key (Base64): \(privateKeyBase64)")
let publicKeyBase64 = sPublicKey.rawRepresentation.base64EncodedString()
print("My Public Key (Base64): \(publicKeyBase64)")
rData.value = sPublicKey.rawRepresentation.base64EncodedString()
let encoder = JSONEncoder()
do {
let jsonData = try encoder.encode(rData)
if let jsonString = String(data: jsonData, encoding: .utf8) {
print("Request Payload: \(jsonString)")
}
} catch {
print("Error encoding request model to JSON: \(error)")
completion(false, "Error encoding request model")
return
}
self.rsaReqResponseHandler(config: config, endpoint: config.services.handShake.endpoint, model: rData) { resToDecode, error in
print("Response received before guard : \(resToDecode ?? "No response")")
guard let responseString = resToDecode else {
print("response string is nil")
completion(false,error)
return
}
print("response received: \(responseString)")
let decoder = JSONDecoder()
do {
let request = try decoder.decode(DefaultResponseTwo.self, from: Data(responseString.utf8))
let msg = request.message
let status = request.status == 1 ? true : false
completion(status,msg)
guard let serverPublicKeyBase64 = request.data?.value else {
print("Server response is missing the value")
completion(false, config.messages.serviceError)
return
}
print("Server Public Key (Base64): \(serverPublicKeyBase64)")
if serverPublicKeyBase64.isEmpty {
print("Server public key is an empty string.")
completion(false, config.messages.serviceError)
return
}
guard let serverPublicKeyData = Data(base64Encoded: serverPublicKeyBase64) else {
print("Failed to decode server public key from Base64. Data is invalid.")
completion(false, config.messages.serviceError)
return
}
print("Decoded server public key data: \(serverPublicKeyData)")
guard let serverPublicKey = try? P256.KeyAgreement.PublicKey(rawRepresentation: serverPublicKeyData) else {
print("Decoded server public key data is invalid for P-256 format.")
completion(false, config.messages.serviceError)
return
}
// Derive Shared Secret and AES Key
let sSharedSecret = try sPrivateKey.sharedSecretFromKeyAgreement(with: serverPublicKey)
// Derive AES Key from Shared Secret
let symmetricKey = sSharedSecret.hkdfDerivedSymmetricKey(
using: SHA256.self,
salt: "AES".data(using: .utf8) ?? Data(),
sharedInfo: Data(),
outputByteCount: 32
)
// Storing AES Key in Config
let symmetricKeyBase64 = symmetricKey.withUnsafeBytes { Data($0) }.base64EncodedString()
print("Derived Key: \(symmetricKeyBase64)")
self.config?.cryptoConfig.key = symmetricKeyBase64
AppUtils.Log(from: self, with: "Handshake Successful, AES Key Established")
} catch {
AppUtils.Log(from: self, with: "Handshake Failed :: \(error)")
completion(false, self.config?.messages.serviceError)
}
}
} this is request struct model public struct HandshakeRequestTwo: Codable {
public var session: String?
public var value: String?
public enum CodingKeys: CodingKey {
case session
case value
}
public init(session: String? = nil, value: String? = nil) {
self.session = session
self.value = value
}
} This is backend's response {"message":"Success","status":1,"data":{"senderId":"POSTBANK","value":"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErLxbfQzX+xnYVT1LLP5VOKtkMRVPRCoqYHcCRTM64EMEOaRU16yzsN+2PZMJc0HpdKNegJQZMmswZtg6U9JGVw=="}} This is my response struct model public struct DefaultResponseTwo: Codable {
public var message: String?
public var status: Int?
public var data: HandshakeData?
public init(message: String? = nil, status: Int? = nil, data: HandshakeData? = nil) {
self.message = message
self.status = status
self.data = data
}
}
public struct HandshakeData: Codable {
public var senderId: String?
public var value: String?
public init(senderId: String? = nil, value: String? = nil) {
self.senderId = senderId
self.value = value
}
}
Hi everyone,
I’m currently developing an MFA authorization plugin for macOS and am looking to implement a passwordless feature. The goal is to store the user's password securely when they log into the system through the authorization plugin.
However, I’m facing an issue with using the system's login keychain (Data Protection Keychain), as it runs in the user context, which isn’t suitable for my case. Therefore, I need to store the password in a file-based keychain instead.
Does anyone have experience or code snippets for objective-c for securely storing passwords in a file-based keychain (outside of the login keychain) on macOS? Specifically, I'm looking for a solution that would work within the context of a system-level authorization plugin.
Any advice or sample code would be greatly appreciated!
Thanks in advance!
We get a "The application "Finder" does not have permission to open "(null)“" error message in macOS 15.1 when trying to open unsigned applications.
Is this a known bug in macOS 15.1 ? If so any indications of whether it will be fixed in the future.
In macOS 15.0.1 the workaround for launching unsigned applications still worked.
hello.
I am using the app with webview.
When I log in to Apple, a typeerror appears.
How can I solve this?
TypeError: this.attr(...).serialize is not a function
at u.get (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:691:77511)
at t.getValueAndBind (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:145:1485)
at e.Compute._on (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:3608)
at e.Compute.<anonymous> (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:2378)
at e.Compute._bindsetup (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:145:3277)
at e.bindAndSetup [as bind] (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:131:200)
at e.Compute.temporarilyBind (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:3888)
at e.Compute.get (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:2827)
at Object.u [as compute] (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:117:194)
at u.___get (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:59:1930)
TypeError: Cannot read properties of undefined (reading 'serialize')
at u.inserted (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:691:116897)
at HTMLElement.<anonymous> (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:187:673)
at HTMLElement.dispatch (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:39204)
at v.handle (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:37199)
at Object.trigger (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:67752)
at Object.trigger (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:224:258)
at e.inserted (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:290:412)
at t.each.e.fn.<computed> [as append] (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:224:2129)
at O.fn.init.<anonymous> (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:46985)
at W (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:28565)
hello.
I am using the app with webview.
When I log in to Apple, a typeerror appears.
How can I solve this?
TypeError: this.attr(...).serialize is not a function
at u.get (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:691:77511)
at t.getValueAndBind (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:145:1485)
at e.Compute._on (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:3608)
at e.Compute.<anonymous> (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:2378)
at e.Compute._bindsetup (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:145:3277)
at e.bindAndSetup [as bind] (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:131:200)
at e.Compute.temporarilyBind (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:3888)
at e.Compute.get (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:311:2827)
at Object.u [as compute] (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:117:194)
at u.___get (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:59:1930)
TypeError: Cannot read properties of undefined (reading 'serialize')
at u.inserted (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:691:116897)
at HTMLElement.<anonymous> (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:187:673)
at HTMLElement.dispatch (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:39204)
at v.handle (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:37199)
at Object.trigger (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:67752)
at Object.trigger (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:224:258)
at e.inserted (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:290:412)
at t.each.e.fn.<computed> [as append] (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:224:2129)
at O.fn.init.<anonymous> (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:46985)
at W (https://appleid.cdn-apple.com/appleauth/static/jsj/N1506946403/profile/app.js:248:28565)
Hi everyone,
I'm looking for a way to configure Passkey on iOS so that authentication is only possible using FaceID or TouchID. Specifically, I want to disable the use of passcodes and QR codes for authentication. Additionally, is there a method to detect if the authentication was done using a passcode or QR code?
Thanks for your help!
Hello community,
In our application, we've implemented Apple ID for user authentication. Unfortunately, we forgot to register the associated domains and communication email addresses. This oversight has led to complications in email delivery via the private relay service.
We've taken steps to fix the issue by reconfiguring the domains and communication email addresses. Post-adjustment, new user registrations are functioning properly. However, for users who registered before this fix, the problem persists.
We followed the instructions provided on https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/communicating_using_the_private_email_relay_service, and we also have SPF configured, which has passed validation in our administration.
Has anyone encountered a similar issue, and if so, how did you resolve it? Any insights or guidance would be greatly appreciated.
I'm trying to set up Sign In With Apple on my .NET 7 Web App (Not sure how many people here use this). I followed the guide by Scott Brady here: https://www.scottbrady91.com/openid-connect/implementing-sign-in-with-apple-in-aspnet-core
It reaches Apple Sign In OK, authenticates, and passes back to my server, but the callback responds with this error.
OpenIdConnectProtocolException: Message contains error: 'invalid_client', error_description: 'error_description is null', error_uri: 'error_uri is null'.
Googling hasn't helped much, other than I saw a post saying to wait 48 hours, which I have now done (not that that makes sense anyway).
Any idea whats been done wrong? Code below, replacing sensitive data.
Startup.cs
.AddOpenIdConnect("apple", async options =>
{
options.Authority = "https://appleid.apple.com"; // disco doc: https://appleid.apple.com/.well-known/openid-configuration
options.ClientId = "com.rackemapp.applelogin"; // Service ID
options.CallbackPath = "/signin-apple"; // corresponding to your redirect URI
options.ResponseType = "code id_token"; // hybrid flow due to lack of PKCE support
options.ResponseMode = "form_post"; // form post due to prevent PII in the URL
options.UsePkce = false; // apple does not currently support PKCE (April 2021)
options.DisableTelemetry = true;
options.Scope.Clear(); // apple does not support the profile scope
options.Scope.Add("openid");
options.Scope.Add("email");
options.Scope.Add("name");
options.Events.OnAuthorizationCodeReceived = context =>
{
context.TokenEndpointRequest.ClientSecret = AppleTokenGenerator.CreateNewToken();
return Task.CompletedTask;
};
});
Apple Token Generator
public static class AppleTokenGenerator
{
public static string CreateNewToken()
{
const string iss = "[MyTeamId]"; // your account's team ID found in the dev portal
const string aud = "https://appleid.apple.com";
const string sub = "com.rackemapp.applelogin"; // same as client_id
var now = DateTime.UtcNow;
// contents of your .p8 file
const string privateKey = "[MyKey]";
var ecdsa = ECDsa.Create();
ecdsa?.ImportPkcs8PrivateKey(Convert.FromBase64String(privateKey), out _);
var handler = new JsonWebTokenHandler();
return handler.CreateToken(new SecurityTokenDescriptor
{
Issuer = iss,
Audience = aud,
Claims = new Dictionary<string, object> { { "sub", sub } },
Expires = now.AddMinutes(5), // expiry can be a maximum of 6 months - generate one per request or re-use until expiration
IssuedAt = now,
NotBefore = now,
SigningCredentials = new SigningCredentials(new ECDsaSecurityKey(ecdsa), SecurityAlgorithms.EcdsaSha256)
});
}
}
Also attached, images of my keys and setp in developer portal
Hello,
we implemented Apple Sign-In in our website long ago, and it worked well.
Recently we have found a strange behaviour.
The first time we make the request to the /auth/token endpoint we get an invalid_client error.
Our client id is com.spicysparks.service.id
If we make a request another time with exactly the same data it works fine.
We noticed we get this error only when we try a newly generated client secret for the first time.
We have a game that provides a mechanism to log into the game with Sign in with Apple in a direct integration between the game and Apple (first mechanism). We also provide a mechanism to log into the game using OpenID connect with authorization from Apple but using a server in the middle that drives the process (second mechanism). It is important to mention that both mechanisms use the same oauth client.
We have been able to switch from the first mechanism to the second successfully, but there is a problem with id_token.
In the second mechanism we request the scopes "email", "openid" and "name", but in the retrieved id_token there is no information about the email. It happens for all users who previously signed in with Apple using the first mechanism (therefore there is a current link between the game and the user in AppleId). It does not happen with users who had no link between the game and the user and use the second mechanism, in this case we can retrieve the user information in the callback of the first call and the email in the id_token, as stated in the documentation.
However, if users who had a link between the game and the AppleId delete the app and then log back in using the second mechanism, then we can get the email information with the exact same request.
The request we use to obtain the authorized endpoint information (https://appleid.apple.com/auth/authorize) has these parameters:
response_mode: query
scope: email openid profile
nonce: ...
state: ...
response_type: code
Then we get the authentication code and get an id_token like this:
{
"iss":"https://appleid.apple.com",
"aud":"{aud}",
"exp":1705584621,
"iat":1705498221,
"sub":"{sub}",
"nonce":"7f-PqBoXgxeDMOEu5Ysov0FjE9GvSYfq",
"at_hash":"3kLcPBlwZP6aj_mscww5zA",
"authentication_time":1705498218,
"nonce_supported":true
}
Is there a way to retrieve the email for users who had the link and don't want to delete it or log back into the app? In the official Apple documentation it is stated that the id_token should have the email but this is not the case.
https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api/authenticating_users_with_sign_in_with_apple#3383773
Apple documentation is specific about the possible types of email_verified property
A string or Boolean value that indicates whether the service verifies the email. The value can either be a string ("true" or "false") or a Boolean (true or false). The system may not verify email addresses for Sign in with Apple at Work & School users, and this claim is "false" or false for those users.
Actually we made a mistake by supporting only String type and today had the very bad surprise to notice that we started receiving Bool types for the first time.
Do you have any info about changes on the API ?
Thanks
Julien
Problem Situation
User membership withdrawal request → revoke API call
It always returns status code 200, but once out of 5~10, it remains an app linked to the user's Apple ID.
Re-request user Apple login → Email is returned as null
Currently, the only solution is for users to manually delete apps linked to their Apple ID. Email sent when re-requesting Apple login
When the above problem occurs, even if the Revoke API is called multiple times, the app linked to the user's Apple ID is not deleted, and when requesting Refresh Token validation, it has already expired.
Releated Issues
https://forums.developer.apple.com/forums/thread/707181
Hello. On my game I have Apple Sing In option that is required to keep user high score, show name in game, and for other app functionality.
Game is made on Unity.
Now when I'm trying to port the game to Vision Pro, Im getting error that Authentication is not supported on this platform. It may be the plugin issue that I'm using(not sure yet). But I also didn't find any documentation for native code ( so I could make plugin that unity game could use).
Question: does VisionOS support Apple Sing In in the applications?
if yes please give me some resources.
if no - is there any plans to add that functionality?
Thanks.
在我的蜂窝数据中出现了一个名为BusinessExtensionsWrapper的程序组件,是个灰色的点不动,我好奇这是什么程序组件,既然是系统自带的,为什么要隐藏呢?对隐私有威胁吗?
Hello, I am currently working on implementing credential registration for biometric authentication using WebAuthn in an iOS app. I am using ASAuthorizationPlatformPublicKeyCredentialProvider to create a credential registration request based on the data retrieved from the WebAuthn options endpoint.
At the moment, I am only using user.id, user.name, and challenge from the options response, and I am unsure how to utilize the other fields effectively. I would greatly appreciate advice on how to use the following fields:
**Fields I would like to use:
**
rp (Relying Party)
I am retrieving id and name, but I am not sure how best to pass and utilize these fields. Is there an explicit way to use them?
authenticatorSelection
How can I set requireResidentKey and userVerification in ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest? Also, what are the specific benefits of using these fields?
timeout
Is there a way to reflect the timeout value in the credential registration request, and what would be the best way to handle this information in iOS?
attestation
The attestation field can contain values such as none or direct. How should I reflect this in the credential registration request for iOS? I would appreciate a sample implementation or guidance on the benefits of setting this field.
extensions
If I want to customize the authentication flow using the extensions field, how can I appropriately reflect this in iOS? For instance, how can I utilize extensions like credProps?
pubKeyCredParams
Regarding pubKeyCredParams, which is a list of supported public key algorithms, I am unsure how to use it to select an appropriate algorithm in iOS. How should I incorporate this information into the request?
excludeCredentials
I understand that setting excludeCredentials can prevent duplicate registration, but I am not sure how to use past credential information to set it effectively. Any advice on this would be appreciated.
**Current Code
**
Currently, I have implemented the following code, but I am struggling to understand how to add and configure the fields mentioned above.
let publicKeyCredentialProvider = ASAuthorizationPlatformPublicKeyCredentialProvider(
relyingPartyIdentifier: "www.example.com"
)
let registrationRequest = publicKeyCredentialProvider.createCredentialRegistrationRequest(
challenge: challenge,
name: userId,
userID: userIdData
)
let authController = ASAuthorizationController(authorizationRequests: [registrationRequest])
authController.delegate = self
authController.presentationContextProvider = self
authController.performRequests()
In addition to the above code, I would be grateful if anyone could advise on how to configure fields like rp, authenticatorSelection, attestation, extensions, and pubKeyCredParams as well. Furthermore, I would appreciate any insights into the benefits of setting each of these fields in iOS, and any security considerations to be aware of.
If anyone has experience with this, your guidance would be extremely helpful. Thank you very much in advance!
Hello, I am currently implementing a biometric authentication registration flow using WebAuthn. I am using ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest, and I would like to know if there is a way to hide the "Save to another device" option that appears during the registration process.
Specifically, I want to guide users to save the passkey only locally on their device, without prompting them to save it to iCloud Keychain or another device.
If there is a way to hide this option or if there is a recommended approach to achieve this, I would greatly appreciate your guidance.
Also, if this is not possible due to iOS version or API limitations, I would be grateful if you could share any best practices for limiting user options in this scenario.
If anyone has experienced a similar issue, your advice would be very helpful. Thank you in advance.