"ASCredentialProviderViewController" class was implemented in my password manager to autofill password for the app clients. I've added passkey support recently but biometric/code authentication is not asked by the system when the user tries to sign in with a passkey thanks to "provideCredentialWithoutUserInteraction(for credentialRequest: ASCredentialRequest)". For passwords: extensionContext.completeRequest(withSelectedCredential: ASPasswordCredential(), completionHandler: nil) -> Does trigger biometric/code authentication For passkeys: extensionContext.completeAssertionRequest(using: ASPasskeyAssertionCredential()) -> Does NOT trigger biometric/code authentication => Why authentication is managed by the system for password but not for passkeys ? And how to fix that?

My App needs to send and receive messages to the server, but my server does not have SSL, so I can only disable ATS in the development stage. But if I want to put the app on the shelf, then I still disable ATS when I put it on the shelf, and the server still does not have SSL. Will it be packaged? Is pp warned and terminated by Xcode? Will it be rejected by the Apple audit department? Can it be put on the App Store normally and provided to all users? Note: My server is completely safe without any security risks. I didn't apply for SSL just because I didn't have enough funds.

I've implemented Face ID in my app to authenticate after the user is authenticated, so they don't have to sign in again to log into their account. However, it asks me to enter my iPhone's passcode instead of scanning my face. Is there any way to fix this? Is there something I have to add?

I want to introduce client certificate authentication for communication between the iPad and the server. Since it is not possible to install a client certificate on the iPad using a p12 file, I am considering another method. I would like to know how to install the client certificate and private key issued by the certificate authority on the iPad without converting it to a p12 file. What are the different ways to do this?

Hi Folks, We've been using Xcode Cloud for a year without any issues. Recently, our IT team switched authentication from LDAP to Azure SAML SSO. Since then, we've been getting the following error whenever Xcode Cloud launches a build: "Run command: '/bin/rm -rf /Volumes/workspace/repository &> /dev/null && GIT_TRACE2_PERF=/tmp/git_trace2_perf GIT_TRACE2_EVENT=/tmp/git_trace2_event git init /Volumes/workspace/repository && GIT_TRACE2_PERF=.....etc." "could not read Username for 'http://bitbucket.***': Device not configured Command exited with non-zero exit-code: 128" Any idea what we need to change to get things working again? Thank you Cam

We are implementing just-in-time account creation using Platform Single Sign-on. After creating the account, we are registering the user with PSSO and we want to ensure that the IDP account used for account creation matches the IDP account used in the user registration flow. An easy way to do this appears to be using loginUsername on the ASAuthorizationProviderExtensionLoginManager object. loginUsername gets set during account creation and then we can check what the user is entering during registration. The documentation, however, marks this attribute as deprecated. There is no indication of what could be used instead. Is there some other value we could look at? Does Apple have a plan to introduce a preferred API option? Thanks!

It is clearly stated here that automatically created passwords are 20 characters long, contain 2 hyphens and exactly one uppercase letter and one digit. I have only ever seen generated passwords where the arrangement is in 3 groups of 6 (separated by the hyphens). From the description in the page referred to above, it could be that the generated password might look like: nzomZhf-qnbqd-k8ibtt i.e., a 7-5-6 pattern This would comply with the definition (if that's what it is) on the aforementioned Support page. Is it guaranteed that auto generated passwords will conform to the 3 groups of 6 pattern?

We are using aws amplify for our social logins with signInWithRedirect. When a user selects apple login on iphone and cancels the appleId popup, the user can't click any social login buttons anymore, including the apple one. Refreshing the page resolves this.

I want to add my testing app and prod app for release in associated domain file. How can I add them in apple-app-site-association. Can I add both separated by coma { "webcredentials": { "apps": [ "3ABCDEF.com.lalitha.release" , 3ABCDEF.com.lalitha.test] } } In Apple documentation example they haven't mention about adding multiple apps under web credentials [https://developer.apple.com/documentation/xcode/supporting-associated-domains]

Tried to implement the code snippets based on : https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication/supporting_security_key_authentication_using_physical_keys security key. The Sign In UI did popup but after which is either it timed-out or i cancelled the operation. The performRequest function doesn't seems to trigger my external security key. Not sure if FBSSystemApp / coreauthd are part of the logs i should be looking out to see where the issue(s) is/are?

I am trying to auth with a non-apple auth provider for a multi-platform service. I'm expecting to be able to use this to fetch the OAuth code after the user logs in to their auth provider. myRedirectHost = 'https' OR 'https://my.domain.com' where I also know the redirect path and query params and will extract them. ASWebAuthenticationSession(url: url, callbackURLScheme: myRedirectHost, completionHandler: handleAuthSessionResult) This works for iOS 17.4+ with that nice enum, but what about the rest of the users?

We're using this (on a mac) to do 3rd party authentication. The completion handler is getting Authentication session got error: [The operation couldn’t be completed. (com.apple.AuthenticationServices.WebAuthenticationSession error 1.)], in domain: [com.apple.AuthenticationServices.WebAuthenticationSession] That seems to be generated if the auth window is closed. However... it's not being closed, so we end up spawning a second one to do it, and this one seems to work.

This method does not seem to work consistently: SFSafariViewControllerDelegate.safariViewController(_ controller: SFSafariViewController, initialLoadDidRedirectTo URL: URL) It was working 100% of the time until this week for me, now it has about a 1-5% success rate for detecting redirects. The docs are not clear: @discussion This method may be called even after -safariViewController:didCompleteInitialLoad: if the web page performs additional redirects without user interaction. Code snippet from calling UIViewController that conforms to SFSafariViewControllerDelegate: let config = SafariViewController.Configuration() config.entersReaderIfAvailable = false let vc = SFSafariViewController(url: url, configuration: config) vc.delegate = self self.safariViewController = vc print(self.safariViewController?.delegate) self.present(vc, animated: true) Did something change? How can I make this consistent again?

For some reason, not all of the time but most of the time, the SFSafariViewControllerDelegate method for initialLoadDidRedirectTo is not being triggered for subsequent reloads as specified in the docs. @discussion This method may be called even after -safariViewController:didCompleteInitialLoad: if the web page performs additional redirects without user interaction. I am allowing a user to log in with an OAuth 2.0 Provider on the Safari browser and expecting to detect the redirect to continue the flow from the app once their credentials have securely been consumed by the IdP in Safari. It was working consistently. It went from a 100% success rate up until this week to maybe 1/20 successful redirects. Code snippet: let config = SafariViewController.Configuration() config.entersReaderIfAvailable = false let vc = SFSafariViewController(url: url, configuration: config) vc.delegate = self self.safariViewController = vc print(self.safariViewController?.delegate) self.present(vc, animated: true) Why is it not always detecting the redirects?

I did implement "ASCredentialProviderViewController" class for my password manager in order to support passkey recently. Passkey registration and assertion works correctly but remote fullfilling is not working as expected. Use case: The user wants to sign in with passkey on some computer A QRCode is displayed and the user scan the QRCode Apple Authentication bottom sheet is opened and the client can pick my app as a provider ISSUE HERE: my app doesn't receive the passkey request parameters and is not able to generate the assertion answer I was hoping the following functions to be called but it's not the case: prepareCredentialList(for serviceIdentifiers: [ASCredentialServiceIdentifier], requestParameters: ASPasskeyCredentialRequestParameters) prepareInterfaceToProvideCredential(for credentialRequest: ASCredentialRequest) provideCredentialWithoutUserInteraction(for credentialRequest: ASCredentialRequest) => Please, how can my app receive the passkey request parameters in order to generate the assertion answer in this situation?

The App Search API Validation tool is down again, and it seems it has been for a while already. Trying to access https://developer.apple.com/ios/search/ or https://search.developer.apple.com/ only redirects to https://developer.apple.com/ or https://developer.apple.com/ios/ We need the tool to verify the correctness of our AASA file See also https://developer.apple.com/forums/thread/46838 Could anyone confirm? Thank you

I searched several times online for someone who is using the new ASWebAuthenticationSession init together with matchesURL but I haven't found any mention of it. Is anyone using this new initializer? If so, can someone please share a code example? I'm trying to use the new initializer with a https redirect URL. Thank you!

created a custom PAM module following this and It works fine with etc/pam.d/sudo but doesn't work with etc/pam.d/authorization and etc/pam.d/login. sudo # sudo: auth account password session auth include sudo_local auth sufficient /usr/local/Cellar/cpam/1.0.0/lib/security/cpam.so auth sufficient pam_smartcard.so auth required pam_opendirectory.so account required pam_permit.so password required pam_deny.so session required pam_permit.so authorization # authorization: auth account auth sufficient /usr/local/Cellar/cpam/1.0.0/lib/security/cpam.so auth optional pam_krb5.so use_first_pass use_kcminit no_auth_ccache auth optional pam_ntlm.so use_first_pass auth sufficient pam_smartcard.so use_first_pass account required pam_opendirectory.so Is it even allowed to add a custom PAM to \etc\pam.d\login or etc\pam.d\authorization ? Is it possible to create a mechanism with custom logic and replace it withbuiltin:authenticate,privileged in system.login.console authorization right ? Note: I have also tried moving the .so file to /usr/lib/pam but it failed even after disabling SIP.

Hello, I am facing a passkey authentication during cross device authentication. After I called completeAssertionRequest with passkeyCredential, I am encountering the issue attach and I am unable to find where the RPID mismatch is coming from and referencing from. It would be great if I could know the source of where RPID hash (found). Thanks. Returned credential failed validation: Error Domain=com.apple.AuthenticationServicesCore.AuthorizationError Code=14 "RPID hash did not match expected value. Expected xMTokW1VIYg2DZVB9lCtheT+0n8NxHvx4HaxTPhH4bY=, found: eE1Ub2tXMVZJWWcyRFpWQjlsQ3RoZVQtMG44TnhIdng=." UserInfo={NSLocalizedFailureReason=RPID hash did not match expected value. Expected xMTokW1VIYg2DZVB9lCtheT+0n8NxHvx4HaxTPhH4bY=, found: eE1Ub2tXMVZJWWcyRFpWQjlsQ3RoZVQtMG44TnhIdng=.}

For apps with a login service, the App Review Guidelines require: The login option limits data collection to the user’s name and email address. The login option allows users to keep their email address private as part of setting up their account. The login option does not collect interactions with the app for advertising purposes without consent. I want to use Google Authentication using GIDSignIn pod as my sole authenticator, to avoid the hassle of dealing with username and password. Is it possible to configure GIDSignIn to adhere to these data collection requirements?