Hi everyone, I’m working on building a passwordless login system on macOS using the NameAndPassword module. As part of the implementation, I’m verifying if the password provided by the user is correct before passing it to the macOS login window. Here’s the code snippet I’m using for authentication: // Create Authorization reference AuthorizationRef authorization = NULL; // Define Authorization items AuthorizationItem items[2]; items[0].name = kAuthorizationEnvironmentPassword; items[0].value = (void *)password; items[0].valueLength = (password != NULL) ? strlen(password) : 0; items[0].flags = 0; items[1].name = kAuthorizationEnvironmentUsername; items[1].value = (void *)userName; items[1].valueLength = (userName != NULL) ? strlen(userName) : 0; items[1].flags = 0; // Prepare AuthorizationRights and AuthorizationEnvironment AuthorizationRights rights = {2, items}; AuthorizationEnvironment environment = {2, items}; // Create the authorization reference [Logger debug:@"Authorization creation start"]; OSStatus createStatus = AuthorizationCreate(NULL, &environment, kAuthorizationFlagDefaults, &authorization); if (createStatus != errAuthorizationSuccess) { [Logger debug:@"Authorization creation failed"]; return false; } // Set authorization flags (disable interaction) AuthorizationFlags flags = kAuthorizationFlagDefaults | kAuthorizationFlagExtendRights; // Attempt to copy rights OSStatus status = AuthorizationCopyRights(authorization, &rights, &environment, flags, NULL); // Free the authorization reference if (authorization) { AuthorizationFree(authorization, kAuthorizationFlagDefaults); } // Log the result and return if (status == errAuthorizationSuccess) { [Logger debug:@"Authentication passed"]; return true; } else { [Logger debug:@"Authentication failed"]; return false; } } This implementation works perfectly when the password is correct. However, if the password is incorrect, it tries to re-call the macOS login window, which is already open. even i though i did not used the kAuthorizationFlagInteractionAllowed flag. This causes the process to get stuck and makes it impossible to proceed. I’ve tried logging the flow to debug where things go wrong, but I haven’t been able to figure out how to stop the system from re-calling the login window. Does anyone know how to prevent this looping behavior or gracefully handle an incorrect password in this scenario? I’d appreciate any advice or suggestions to resolve this issue. Thanks in advance for your help!

My existing chrome extension has "Sign in with Apple" given that we have iOS users. When user clicks "Continue with Apple" button in the extension log in pop up, this is what we do: javascript window.open( 'https://appleid.apple.com/auth/authorize?client_id=' + clientID + '&redirect_uri=' + backEndURL + '&response_type=id_token%20code&response_mode=form_post&scope=email%20name', 'Sign in with Apple', 'height=500,width=400,left=600,top=200,status=no,location=no,toolbar=no,menubar=no' ) In chrome, this opens a popup window with that URL. In Safari Converted Web Extension, it opens custom Apple sign in flow, where it says: "Do you want to sign in to XXX with your Apple ID YYY?" and then with my mac password I'm able to authenticate. Afterwards, nothing happens. Expected: a redirect to the URL specified in the window.open. Now let's do a trick: I'll wrap the above window.open code into javascript setTimeout (() = {window.open (...)}, 3000) Because of security reasons, safari then won't open the popup after 3s and will display a notification in the toolbar "Popup blocked..". If we allow the popup, then it finally opens as a normal window popup and after sign in, it redirects to our backend and it successfully authenticates. Any ides what how to solve this? P.S. We're not able to use embedded Sign in with Apple JS - https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/configuring_your_webpage_for_sign_in_with_apple script because we can't host a remote code in the extension (it will be deprecated soon). So, we arere using this. - https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/incorporating_sign_in_with_apple_into_other_platforms

We are currently trying to fix a bug when using SignIn with Apple. It appears that on some occasions we are not receiving a user's profile info (name, email) when a new account is created. After doing some investigation we believe this bug is due to the same Apple login being used as an already deleted account. ASF only appears to send profile info the very first time an Apple login is used. If that account is deleted and another is created with the same apple login we won't receive the profile info. As a result we are not in compliance with Apple's guidelines requiring that we use the provided profile info with Apple SigIn, and need to prompt users to enter it again. Is there a process in place to properly "clear" a user after their account is deleted in our system, so that the next time a user creates an account with the same Apple login, we receive their profile info again?

I'm experiencing the same situation as this post from several months ago, which never received an answer to their follow up question. https://forums.developer.apple.com/forums/thread/759255 The documentation for adding a message filter extension says "you must set up shared credentials as described in Shared Web Credentials" (https://developer.apple.com/documentation/sms_and_call_reporting/sms_and_mms_message_filtering/creating_a_message_filter_app_extension) However credentials are not forwarded to the server and calling SecAddSharedWebCredential from within the extension isn't possible. So I don't understand why the documentation states Shared Web Credentials must be set up. After setting them up, then what is expected to happen with them, or what are you supposed to do with them next. The documentation just says to set them up, it doesn't say how/if they are used or how to use them in the specific context of a message filter extension

Hi folks We have a Developer ID Application which we create using electron. We made our last release for our Application on Nov'24 which was correctly working. Using the same code, we tried creating a notarized application again which started showing the following error while opening our Application. Monterey- M2- When we directly run the dmg on the dev machine, it does not give us the prompt. But if we download it from somewhere and run, the prompt comes up even in dev machine. We executed some commands to verify the notarization: 1- spctl --assess -vv /Applications/Refresh\ Pro.app On both dev machine and non-dev machine, the output was "accepted" /Applications/Refresh Pro.app: accepted source=Notarized Developer ID origin=Developer ID Application: Prograde Digital Incorporated (*******) 2- xcrun stapler validate /Applications/Refresh\ Pro.app On dev machine, we executed this command and the output is as follows. Processing: /Applications/Refresh Pro.app The validate action worked! 3- codesign -vvv --deep --strict /Applications/Refresh\ Pro.app/ /Applications/Refresh Pro.app: valid on disk /Applications/Refresh Pro.app: satisfies its Designated Requirement We have created a bug attaching the dmg. Please suggest anything we can try to make the release out the door. Bug link- https://feedbackassistant.apple.com/feedback/16811025

Our app uses Sign in with Apple. In recent weeks (or months), we've noticed that emails sent to @privaterelay.appleid.com addresses are not being delivered. We're not receiving any bouncebacks or error messages from the mail server, but the emails never reach the user's mailbox. We've also checked spam folders, with no luck. We have verified that our Email Sources are configured correctly in Apple Developer settings. Is there any way to debug or trace what might be happening with these messages? Thanks in advance!

The Passwords App is accessing websites found in the ASCredentialIdentityStore associated with a 3rd Party password management app (SamuraiSafe). This behaviour appears to be associated with looking up website favicons in order to display in Passwords. However the websites contacted are not stored in the Passwords App/iCloud KeyChain - only the 3rd Party password management app (SamuraiSafe). This is effectively leaking website information stored in the 3rd Party password management app. I first noticed this behaviour on macOS, and it appears to happen every 8 days. Today it was seen on iOS. The behaviour is revealed through the App Privacy Report on iOS (and LittleSnitch on macOS). I would not be surprised to see the Passwords App do this for websites saved in the Passwords App/iCloud KeyChain, however I believe it should not be arbitrarily testing every website found in the ASCredentialIdentityStore as reference to that website url should be entirely under the control of the end user. See attached screenshots from App Privacy Report. Filed bug with Apple: FB16682423

We are using device certificates for authentication when logging into our web page. After updating an iPhone 12 to iOS 18, the authentication process takes up to two minutes to respond. Upon investigating IIS, it was found that the certificate is not being presented from the iPhone, resulting in a timeout. This issue is affecting our operations, and we need a solution urgently. Could you please advise on how to resolve this?

Hello Apple Developer Support, I am experiencing an issue with Apple Sign-In and Private Relay across two separate organizations. I have a web application that supports Apple Sign-In, configured under organization ID: 62P86SVLK4. Users can log in using their Apple accounts with the Hide My Email (Private Relay) feature enabled. This web application was created a long time ago and initially only had a web component. Recently, we developed a native mobile version of this application, which also supports Apple Sign-In. However, due to business constraints, the mobile application was created under a different organization ID: T6JT35U9NW. The Issue Since the web and mobile applications are registered under different organizations, accounts created using Apple Sign-In with Private Relay are not recognized across both applications. For example: A user creates an account in the web app using Apple Sign-In with Private Relay. When they attempt to log in to the mobile app with Apple Sign-In (also using Private Relay), authentication fails because the generated Private Relay email addresses do not match between the two organizations. Question Is there any way to link Private Relay accounts across these two organizations so that users who signed up on the web application can log in to the mobile application seamlessly? I appreciate any guidance on how to resolve this issue. Best regards, Kamil Gronert

Context We are experiencing inconsistent behaviour with "Sign in with Apple" across different environments (we have an app for "A" and "B" regions) on our web client in browsers. Specifically, we have observed two key issues: Missing email and email_verified Claims in ID Token In some cases, the ID token received after successful authentication does not contain the email and email_verified claims. Here the docs state that "Alternatively, if the managed Apple ID is in Apple School Manager, the email claim may be empty. Students, for example, often don’t have an email that the school issues.", but this was experienced with a non-student Apple ID. This issue was observed for certain users in the "A" environment, while the same users had no issues in the "B" environment. For one affected user, removing and re-enabling the "Sign in with Apple" integration resolved the issue (https://account.apple.com/account/manage/section/security). However, for another user, the integration could not be removed, preventing this workaround (button was active, but did nothing). In contrast, for some users, authentication works correctly in both environments without missing claims. Inconsistent Display of App Icon and App Name The app icon and app name do not always appear on the Apple login interface. One user observed that the app icon and name were displayed in "A" but not in "B". Another user had the opposite experience, with the app icon and name appearing in "B" but not in "A". A third user did not see the app icon or name in either environment. Questions Why does the app icon and name not always appear on the "Sign in with Apple" login screen? How is it possible that the ID token sometimes lacks email and email_verified claims when using the same Apple ID in different environments?

I'm trying to set up Apple OAuth on my website. Whenever I go to Certificates, Identifiers & Profiles, It gives me the error 'Unable to find team with the given Team ID'

Under iOS 18.0.1, I can't do any development that uses HTTPS, because I can't authorize my generated certificates on my phone. This was not a problem in the past. Normally you AirDrop a root certificate authority to your phone, install the "profile" for it, and then trust it in Settings / General / About / Certificate Trust Authority. Then you can connect to another server on your network that's using the accompanying certificates. But after sucessfully installing two profiles on my phone, neither shows up in Certificate Trust Authority. Anybody else seeing this? This problem, in combo with this one (which prevents running on my Mac as an iPad app) has completely halted my project. I've found reports of this problem that blamed an empty "common name" field in the certs, but that field is populated in both of these.

Hi, I need to make a "Sign with apple" button. I followed all the instructions and I managed to get apple's response with id_token. I have to continue testing the application but I no longer get the "user" object (name, lastname). How can I get the user object back to continue development?

Hi, We are using the MSAL library to authenticate users, with SSO authentication implemented through the Microsoft Authenticator app. The problem is that once or twice a day, a prompt for forced authentication appears, indicating that silent token acquisition is failing and resulting in a requirement for forced authentication. Below are some of the logs: ================================================= 2025-08-28 11:00:05.034 [Info] [AppDelegate.swift:121] application(:didFinishLaunchingWithOptions:) > MSAL message: TID=751353 MSAL 1.8.1 iOS 18.5 [2025-08-28 10:00:05 - EC9D1457-2D70-4878-926F-553391EBC9D3] [MSAL] Silent flow finished. Result (null), error: -51115 error domain: MSIDErrorDomain 2025-08-28 11:00:05.034 [Info] [AppDelegate.swift:121] application(:didFinishLaunchingWithOptions:) > MSAL message: TID=751353 MSAL 1.8.1 iOS 18.5 [2025-08-28 10:00:05 - EC9D1457-2D70-4878-926F-553391EBC9D3] [MSAL] acquireTokenSilent returning with error: (MSALErrorDomain, -50002) Masked(not-null) ==================================================== We initially raised this issue with Microsoft, but according to them: In the app's logs, the single one failure it contains, was when the SSO extension returned the error com.apple.AuthenticationServices.AuthorizationError, -6000 during a silent call. This error code is generated by the system framework (Apple), not by our code. It indicates that the framework encountered an unexpected internal issue before or after calling the SSO extension. MSAL returning interaction_required to the client app is the most effective way to recover from this error (as you mention, after the user selects the account the app continues working as expected). Additionally, as you also mention, the interactive call is made by switching to Authenticator (not displaying a "window" without leaving Eva Lite app), which means MSAL is not able to use the SSO extension and is using the fallback to legacy authentication. The recommended next step is for the customer to request support directly from Apple as this is an issue on their side. Additionally, the customer can also try to update to the latest iOS, in case Apple has already fixed this issue. ============================================= STEPS TO REPRODUCE There is no such steps its just that this is an enterprise application which is getting used on managed devices[iPhone 14]. The device are managed using some intune policy. Platform and Version: iOS Development Environment: Xcode 15, macOS 13.6.1 Run-time Configuration: iOS 18 Please let me know if there are any solutions to resolve this problem. Thank you.

Hi https://appleid.apple.com/auth/authorize?client_id=com.adobe.services.adobeid-na1.web shows: invalid_request But https://appleid.apple.com/auth/authorize?client_id=xrqxnpjgps shows: invalid_client I've created a Primary App ID and ticked "Sign In with Apple". I've created a Service ID and ticked "Sign In with Apple" (identifier is xrqxnpjgps). When I click "Configure" for the "Sign In with Apple" of the Service ID, it is linked to the Primary App ID. Why do I get an invalid_client error? I've contacted the support by mail, and have been redirected here, does someone here have the ability/access/knowledge/will to figure out the cause and then tell me? Regards

I am developing apps using NWJS framework, which access devices on the local network. I am doing this on Sequoia on Macos (Desktop). I have developed other apps using NWJS before, but on earlier versions of Macos. My issue is, I am unable to give my app permission to app to access devices on local network on one of the apps. Some background: Other apps which I have used which access devices on the local network, on first-time launching, have given a prompt asking me if I want to allow or deny access to local device for the app. However, on first-time launching (and many others after that), It simply says the device cannot be reached, and I never get a prompt asking me if I want to allow or deny access to local device for my app. In its barebones proof-of-concept stage of my app, I have an iframe who's src attribute is the IP address of a device known on the network with that address. I have tried the protocol https://192.168.1.99 and http://192.168.1.99 in the src attribute. This protocol works in another app I have built where upon first-time launch, I was able to get a prompt and give it the needed permission. If I check in System Settings > Privacy and Security > Network, the app doesn't appear where I can toggle a setting. I also am unable to explicitly add my app to the list. ** This worked for one app, but not another: In researching this issue, it was recommended that I add the following keys in info.plist: com.apple.developer.networking.multicast - boolean true NSLocalNetworkUsageDescription - string description NSNearbyInteractionUsageDescription - string description This worked for one of my apps, but not another, which has a nearly identical structure. In fact, other than CFBundleIdentifier, CFBundleDisplayName and CFBundleName, info.plist is identical. Why did this work one time, and how can I get my app to prompt for permission for local network access?

Hi everyone, I’m currently facing an issue while trying to submit an update for my app to the App Store. The review process is blocking the update due to a "Privacy - Data Use and Sharing" warning, stating that our app requests "tracking purchase history for tracking purposes." However, we have already removed this functionality and deleted the NSUserTrackingUsageDescription key from our latest build. Despite this, the warning persists, and we are unable to proceed with the update. I have already contacted Apple Support, but in the meantime, I wanted to ask the community: Has anyone else encountered this issue, and if so, how did you resolve it? Is there a way to force a refresh of privacy-related settings in App Store Connect? Are there any additional steps we need to take to completely remove this tracking flag from our app submission? Any insights or guidance would be greatly appreciated! Thanks in advance for your help.

I’m implementing passkey registration and authentication in an iOS 17 app with a credential provider extension, but I’m running into an issue. Setup: I have a credential provider target configured. The app correctly shows the pop-up to register the passkey with my app. My Info.plist is set up properly. Issue: When the following function is triggered: override func prepareInterface(forPasskeyRegistration registrationRequest: ASCredentialRequest) { "code to generate registrationRequest..." let controller = ASAuthorizationController(authorizationRequests: [registrationRequest]) controller.delegate = self controller.presentationContextProvider = self controller.performRequests() } I get the following error: Domain=com.apple.AuthenticationServices.AuthorizationError Code=1004 I do not own the relying party domain (e.g., https://webauthn.io), so I cannot configure an apple-app-site-association file on the website. Question: How can I register and authenticate passkeys on any site that allows passkeys (such as webauthn.io) when I don’t control the webpage? Are there any workarounds or best practices for handling this in iOS 17? Any insights would be greatly appreciated!

I'm looking for confirmation on the security aspects of fdesetup authrestart when used on a FileVault-enabled Mac. As I understand it, this command temporarily stores the decryption key in memory to allow the system to restart without requiring manual entry of the FileVault password. However, I have a few security-related concerns: Storage of the Decryption Key: Where exactly is the key stored during an authenticated restart? Is it protected within the Secure Enclave (for Apple Silicon Macs) or the T2 Security Chip on Intel Macs? Key Lifetime & Wiping: At what point is the decryption key erased from memory? Does it persist in any form after the system has fully rebooted? Protection Against Physical Attacks: If an attacker gains physical access to the machine before the restart completes, is there any possibility that they could extract the decryption key from memory? Cold Boot Attack Resistance: Is there any risk that advanced forensic techniques (such as freezing RAM to retain data) could be used to recover the decryption key after issuing an authenticated restart? Malware Resistance: Could a compromised system (e.g., root access by an attacker) intercept or misuse the decryption key before the restart? I understand that on Apple Silicon and T2-equipped Macs, FileVault keys are tied to hardware-based encryption, making unauthorized access difficult. However, I'd like to confirm whether Authenticated Restart introduces any new risks compared to a standard FileVault-enabled boot process.

Hello. I’m running the 18.3 beta on an 15 pro and have noticed the green camera indicator light turns on when I switch apps. I also am unable to use my flashlight until it turns off (usually a second or two). I’ve checked my privacy and access settings and nothing looks out of the norm. I’ve also closed all rubbing apps, but the issue continues.