I am implementing passkeys for my Project. We hosted apple-app-site-association file in 2 different sites for my project maintenance. One is with ww.sitename.com and another is www3.sitename.com. In Xcode adding each of them and testing individually. It's working good at first site and throwing error for second one like below Application with identifier <> is not associated with domain <>

import AppleProvider from 'next-auth/providers/apple'; export const appleProvider = AppleProvider({ name: 'Apple', clientId: process.env.NEXT_PUBLIC_APPLE_CLIENT_ID as string, clientSecret: process.env.NEXT_PUBLIC_APPLE_CLIENT_SECRET as string, idToken: true, authorization: { url: 'https://appleid.apple.com/auth/authorize', params: { clientId: process.env.NEXT_PUBLIC_APPLE_CLIENT_ID as string, scope: 'openid email name', response_type: 'code', response_mode: 'form_post', }, }, token: { url: 'https://appleid.apple.com/auth/token', async request(context) { console.log('----context', { context }); const url = https://appleid.apple.com/auth/token + ?code=${context.params.code} + &client_id=${context.provider.clientId} + &client_secret=${context.provider.clientSecret} + &redirect_uri=${context.provider.callbackUrl} + &grant_type=authorization_code; const response = await fetch(url, { method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded', }, }); console.log('----response', { response }); const tokens = await response.json(); console.log('----tokens', { tokens }); return { tokens }; }, }, });

I know how to set up a parental gate to keep a child user away from a web portal for parents or guardians. But is it even OK with Apple (or just in general) to open a browser from inside a kids app? I can think of two ways to do this: Launch a browser with UIApplication.shared.open(). This takes the user (presumably an adult) out of the app. Will Apple object to this? Use an in-app browser with WKWebView. (Wrapped in UIViewRepresentable because I'm using SwiftUI.) Option 2 has some problems with Google SSO, which is a requirement for me. Some details in stackoverflow 2016 and stackoverflow 2019 and gitHub. I can't figure out how to apply the solutions in those posts to the SwiftUI architecture or even the UIViewRepresentable.

Hello, I need to verify my domain and email with spf I need to use Signin with apple with private relay service Here is my records of DNS Service(AWS Route53) My domain is metapocket.io DKIM record : sig1._domainkey.metapocket.io value : sig1.dkim.metapocket.io.at.icloudmailadmin.com. SPF "v=spf1 include:zoho.com ~all" "v=spf1 include:icloud.com ~all" "v=spf1 include:metapocket.io ~all" "v=spf1 include:amazonses.com ~all" TXT "zoho-verification=zb03635298.zmverify.zoho.com" "apple-domain-verification=RaNdOmLeTtErSaNdNuMbErS" "apple-domain=4oc6zwBOLpmdRGr9" Something wrong here?? Why i got failed spf verification.. Please help me

We're using this (on a mac) to do 3rd party authentication. The completion handler is getting Authentication session got error: [The operation couldn’t be completed. (com.apple.AuthenticationServices.WebAuthenticationSession error 1.)], in domain: [com.apple.AuthenticationServices.WebAuthenticationSession] That seems to be generated if the auth window is closed. However... it's not being closed, so we end up spawning a second one to do it, and this one seems to work.

I have a bunch of certificate related things, along with a bunch of secure notes stored in the keychain. These, like previously in System Preferences, don’t show up in the new Passwords app (as tested in iOS). So before I risk losing all that information by installing Sequoia, I wonder if the KeychainAccess.app is still around, allowing me to access these items. In case Apple is listening: do NOT remove that app, until all the critical functionality is also in Passwords, or some other app….

Hi, It may be a stupid question, but we really wonder if there is a way for MDM to push a unique mTLS cert to our iOS application or if it can populate a client certificate in the iOS where our application can access it. Like browser app, how do browser mTLS certs get pushed? Thanks, Ying

Hello All, I am new to iOS development and would like to detect the smart card readers connected to USB-C port on iOS (16+) devices. The smart card reader is a custom hardware and not MFi certified. So as per my understanding, I cannot use ExternalAccessory.framework without MFi certification. Correct? How else can I achieve this? Does TKSmartCardSlotManager works for this purpose (or is it only for NFC devices?)? Is there any example for how to use this interface? I couldn't find any example for this as a starting point... Thanks in advance.

Hello forums, I have a problem with Autofill multiply SecureFields. I created a SwiftUI view with 2 SecureFields, createPassword and confirmPassword. Does not matter how I change the textContentType, AutoFill will only fill the first SecureField. For testing, I set the first SecureField textContentType to .none / .userName/ .email, and second SecureField sets to .newPassword, but AutoFill still fills password in first SecureField. As I know Apple advises to put both SecureField textContentType to .newPassword but it seems only working in UIKit: Enabling Password AutoFill on a text input view struct ContentView: View { @State private var createPassword = "" @State private var confirmPassword = "" var body: some View { VStack { SecureField("Password", text: $createPassword) .textContentType(.newPassword) SecureField("Password confirmation", text: $confirmPassword) .textContentType(.newPassword) } .padding() } } Thank you!

Hi, I just watched session "10203" on "Meet AccessorySetupKit". In 09:13, it was mentioned that there is special UI for entering PIN codes / passphrases. How exactly is this UI triggered? And is there any UI for setting a pin during initial setup? I couldn't find any further information about any of this in the documentation. Best, Klemens

I have a unique need here and hope there is someone out there that might be of help. There is a backend server that will send an x509 certificate and private key (as strings) after the mobile apps on-boarding process. Additionally, the app includes an AWS SDK that is used to talk to their IoT system. This SDK requires PKCS12 certificate format to pass authentication. (I believe the common method is to have bundled the cert into the app which is not an option for me here sadly) I suspect it may be possible to use some openSSL iOS framework to do this conversion at runtime but have not personally tried it yet as my go-to is usually trying things first with Apples APIs. So my question becomes is there a way to meet this requirement using any of the security APIs or other APIs that apple has like swift-nio-ssl? Thank you very much for your time. Best, Michael

Private Access Tokens (PATs) are headlined as something that can eliminate CAPTCHAs, but also includes app-to-server communications in its use cases. Because of this, they seem to perform a very similar function to DeviceCheck, since both aim to attest to the health of the device in question. I don't really understand the difference between the two and find this confusing. Since PATs are newer and more general, I'm more inclined to adopt them, but where does this leave DeviceCheck? Is it redundant? How does App Attest fit into all of this? If my goal is to minimize if not eliminiate fraudulent/malicious use of my app's APIs, should I use Private Access Tokens, DeviceCheck, and App Attest simultaneously to maximize my protection? If not, what is accepted to be the best practice? I admire Apple's dedication to privacy and security, but as a new developer I feel Apple could make it easier for their app developers to find out and implement the latest best practices.

Tuesday morning at 3am, a burglar broke into my house and stole my VisionPro (s/n MWFYJ49L0V) that was running VisionOS 2.0 Beta. Apple Support advised me to keep the device on my account to stop the crooks from activating it. Is keeping the VisionPro (running a 2.0 beta) active on my personal iCloud account indefinitely like this okay, or a risk to my private data and ID?

My team is very interested in integrating the new automatic passkey upgrade functionality into our app. Our app does not currently use passwords, but instead to log in utilizes phone number and SMS code verification (along with email code verification if the device is unknown). While watching the session on automatic passkey upgrades, it is noted that the system/credential manager checks to ensure that a password was just autofilled for the same account before allowing an automatic passkey upgrade. Since our app does not use passwords, does this mean we are ineligible for taking advantage of automatic passkey upgrades? Or, is there something else we can do to ensure the upgrade goes through?

I'm experiencing an issue with microphone recording in my app when launched from a Shortcut. The app works correctly when launched directly, but launching it through the Shortcut results in the "Session activation failed" error (code 561015905). Here's what I've done so far: My app has microphone permission granted. The startRecording function sets the audio session category to .playAndRecord. I've implemented error handling within startRecording to catch the error code. The Shortcut workflow includes an action to launch the app (no explicit microphone permission request within the Shortcut). xcode version - 15.2 iphone ios version - 17.4.1

Hello, We are currently facing an issue with Apple Sign In that only occurs very rarely, and that for some reason mainly affects the Apple Review team, as everyone in the company can register with their personal Apple Account, and we can see multiple users in production using Apple Login. The problem is that when our BackEnd tries to validate the information on https://appleid.apple.com/auth/token we receive a "{"error":"invalid_request"}". We have no idea what is causing this intermittent issue and we currently have no way to reproduce it. We have been loging both succesull request and failing request and all look very simmilar and we have no ideia what may be causing the 400 here is an example of a curl that generated the problem curl --location 'https://appleid.apple.com/auth/token' --header 'Accept: application/json' --header 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'client_id=----SECRET----'' --data-urlencode 'client_secret=----SECRET----' --data-urlencode 'grant_type=authorization_code' --data-urlencode 'code=----SECRET----'' --data-urlencode 'redirect_uri=----SECRET----'' Any ideia what may be causing this?

Dear Experts, I have App Attest deployed in an app that is currently in TestFlight. Its works OK most of the time. For one particular user, however, attestKey fails with DCErrorInvalidKey for a new key that it has just created. I have some insight into what the app is doing because I send diagnostics to the server. It seems that for this user, the sequence of events is: Initially the app has no key ID saved. The user initiates an action that requires App Attest-signed communication with my server. The app calls generateKey which seems to succeed. The app fetches a challenge from the server. The app calls attestKey. attestKey returns DCErrorInvalidKey. The app doesn't save the key ID persistently, so next time the same thing happens. attestKey really shouldn't fail with the invalid key error for a key that it has just created, should it? What could be going on here?

It seems there was a new security feature added to macOS 15 - and now it asks every time after reboot if user wishes to continue and allow access the app to record screen and audio, while capture is blocked. Which renders remote access apps useless, a specially for headless computers like my Mac mini.

I am trying to auth with a non-apple auth provider for a multi-platform service. I'm expecting to be able to use this to fetch the OAuth code after the user logs in to their auth provider. myRedirectHost = 'https' OR 'https://my.domain.com' where I also know the redirect path and query params and will extract them. ASWebAuthenticationSession(url: url, callbackURLScheme: myRedirectHost, completionHandler: handleAuthSessionResult) This works for iOS 17.4+ with that nice enum, but what about the rest of the users?

My team is currently working on implementing passkeys and wanted to better understand the various errors that can be thrown both when creating and logging in with a passkey. To my understanding, after invoking the passkey request via the authorization controller, if an error occurs, the authorizationController(controller:didCompleteWithError:) delegate method will be called. The error will be a ASAuthorizationError, and there are a few codes listed here. The docs are a bit vague about when each of these errors can occur and what the difference is between them, so I am posting this in the hopes of gaining more clarity. The errors for which we'd like some clarification are: failed This is pretty generic, how might this code be different than the other failure reasons, and what could cause it to be thrown either for creation or for authorization? invalidResponse Does this mean that the system received an invalid response from the Relying Party? notHandled What might cause the authorization request not to be handled? notInteractive What does it mean for the authorization request to not be interactive? Does this mean that none of the specified credentialIDs are available? Finally, is it possible for both creation and authorization to throw all of these errors, or are there some that are exclusive? Any help would be appreciated, thank you.