Post | Replies | Boosts | Views | Activity

SSO extension with Platform SSO token issues
Hi all. So, I built the Platform SSO extension on a demo server I created and everything ran smoothly. I get the tokens at the end of the process. Now, I want to use the tokens when I trigger my SSO extension in my domain from Safari. I trigger my domain, get into the beginAuthorization method, get the request.loginManager?.ssoTokens and then want to return them to Safari by calling the request.complete method. But, no matter which complete method I call (complete(httpResponse: HTTPURLResponse, httpBody: Data?) or complete(httpAuthorizationHeaders: [String : String]), where I insert the Bearer token into the Authorization header), it will not drill down to Safari or my server. The headers I try to send back are not moving from the extension to Safari. Does someone know why it's happening? Thank you for any help or suggestion.
Replies: 0 | Boosts: 3 | Views: 235 | Activity: Oct ’24
Re-register device in Platform SSO
Hi, I'm currently in the middle of debugging between my macOS and server for implementing Platform SSO. As part of the debug process, I sometimes want to restart the whole process, which means getting into the beginDeviceRegistration method again. I noticed that even if I push the Repair button in the user (under Settings) it will go again and again into beginUserRegistration, but it will not go again to the device registration. Is there an option to reset the Platform SSO device registration? (Already tried Repair, removing the MDM profile of the PSSO, etc.)
Replies: 1 | Boosts: 0 | Views: 385 | Activity: Oct ’24
Platform SSO saveLoginConfiguration error
Hi all. I'm trying to implement a Platform SSO extension for macOS and I'm freaking out. It's so complicated and with almost zero guidance documentation. I established a starting point in my SSO extension and I get the registration request to my beginDeviceRegistrationUsingLoginManager (I managed all the AASA file, MDM stuff). In this method I'm creating an ASAuthorizationProviderExtensionLoginConfiguration and I try to save it into the loginManager (ASAuthorizationProviderExtensionLoginManager, which I get from the method) using saveLoginConfiguration. It worked fine, and without changing anything I started getting the next error:

    failed to save loginConfiguration: Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1000 "(null)" UserInfo={NSUnderlyingError=0x7ff77ff63b30 {Error Domain=com.apple.PlatformSSO Code=-1008 "Token endpoint URL is not approved profile URL." UserInfo={NSLocalizedDescription=Token endpoint URL is not approved profile URL.}}}

This is my configuration:

    ASAuthorizationProviderExtensionLoginConfiguration *loginConfiguration =
        [[ASAuthorizationProviderExtensionLoginConfiguration alloc]
            initWithClientID:@"***"
                      issuer:@"https://auth.platformsso.ping-eng.com/as"
            tokenEndpointURL:[NSURL URLWithString:@"https://auth.platformsso.ping-eng.com/as/token"]
             jwksEndpointURL:[NSURL URLWithString:@"https://auth.platformsso.ping-eng.com/as/jwks"]
                    audience:@"***"];

And this is where it breaks:

    BOOL saveConf = [self.loginManager saveLoginConfiguration:loginConfiguration error:&confError];

Can someone help me with this error please?
Replies: 2 | Boosts: 0 | Views: 968 | Activity: Jan ’24
Strange screenshots warning about Watch Series 3 in App Store Connect
Hi, I've been deploying my app to the store for the last several years. I have a Watch app. No matter what I do, I get the next warning above my version information screen for each new build: "You’re currently using Apple Watch Series 3 screenshots for your latest watch build. Adding screenshots for the newest devices can help you accurately represent your app’s user experience on the App Store", although I take the screenshots on a real Watch Series 9. Does anyone know how to solve it?
Replies: 3 | Boosts: 0 | Views: 833 | Activity: Sep ’23
ASAuthorizationController performRequest returns 4097 error
Hi all, trying to create a Passkeys registration in my app. This is the implementation I have:

    ASAuthorizationPlatformPublicKeyCredentialProvider *provider =
        [[ASAuthorizationPlatformPublicKeyCredentialProvider alloc]
            initWithRelyingPartyIdentifier:[[jsonDict objectForKey:@"rp"] objectForKey:@"id"]];
    ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest *request =
        [provider createCredentialRegistrationRequestWithChallenge:[jsonDict objectForKey:@"challenge"]
                                                              name:[[jsonDict objectForKey:@"user"] objectForKey:@"name"]
                                                            userID:[[jsonDict objectForKey:@"user"] objectForKey:@"id"]];
    ASAuthorizationController *controller =
        [[ASAuthorizationController alloc] initWithAuthorizationRequests:[NSArray arrayWithObject:request]];
    controller.delegate = self;
    controller.presentationContextProvider = self;
    [controller performRequests];

But I get this error:

    Remote proxy object error handler invoked with error: Error Domain=NSCocoaErrorDomain Code=4097 "Couldn’t communicate with a helper application."
    Connection to agent service interrupted with error: Error Domain=NSCocoaErrorDomain Code=4097 "Couldn’t communicate with a helper application."
    ASAuthorizationController credential request failed with error: Error Domain=NSCocoaErrorDomain Code=4097 "Couldn’t communicate with a helper application."

And this is the NSError I get in authorizationController:didCompleteWithError:

    authorizationController error: Error Domain=NSCocoaErrorDomain Code=4097 "connection to service named com.apple.AuthenticationServicesCore.AuthenticationServicesAgent" UserInfo={NSDebugDescription=connection to service named com.apple.AuthenticationServicesCore.AuthenticationServicesAgent}

Everything is defined right (associated domains in project and .well-known). Any reason I can't continue?

Edit: I'm on iOS 17.0 (21A5248v) and Xcode beta (15A5160n), if it matters. Thanks
Replies: 4 | Boosts: 0 | Views: 1.7k | Activity: Jun ’23
macOS SSO extension runs into a loop in redirect
Hi, I created an SSO extension that works fine. The extension triggers for my domain when I need to run an OIDC flow via the "authorize" path of my issuer. I finish the whole OIDC flow inside the extension, get the required parameters (access token, ID token, state, etc.), and build the "Location" header to return to the caller (in my case it triggers from Safari). I also attach the "Set-Cookie" header with my cookies. For completion, I call authorizationRequest?.complete(httpResponse: response, httpBody: nil) with a 302 response I create which contains the cookies and the Location header. My problem is that Safari gets the response with the redirect, removes the extension, and a second later the extension triggers again with the same "authorize" request. All this happens in a loop without stopping, unless I call authorizationRequest?.doNotHandle(). I compared the "Location" header to a similar one from a regular web flow that works fine (without the extension) and both are the same. Any help or idea will be blessed. Thank you!
Replies: 2 | Boosts: 0 | Views: 1.2k | Activity: Jan ’23
Authorization plugin strange behavior with FileVault login
Hi all, I'm experiencing strange behavior with an authorization plugin we inserted into the authorizationdb. The plugin works great when we log out and log in regularly from macOS. The strange behavior starts when we log in directly from the FileVault login (with auto-login enabled). If the user cancels our plugin (our plugin shows a UI view as part of the login after he enters user+password) and the user is back at the password entry screen, he can enter any password he wants, and the system will save this password as the new password for this user (replacing the old password) and then trigger our plugin again, instead of the regular flow of entering the password and continuing to our plugin. I've never seen this behavior where the user is entering a password as part of the login, and it will just save any password he enters as the new password (a security vulnerability?). This is our mechanism chain:

    <string>builtin:policy-banner</string>
    <string>loginwindow:login</string>
    <string>builtin:login-begin</string>
    <string>builtin:reset-password,privileged</string>
    <string>loginwindow:FDESupport,privileged</string>
    <string>builtin:forward-login,privileged</string>
    <string>builtin:auto-login,privileged</string>
    <string>builtin:authenticate,privileged</string>
    <string>PKINITMechanism:auth,privileged</string>
    <string>builtin:login-success</string>
    <string>loginwindow:success</string>
    <string>HomeDirMechanism:login,privileged</string>
    <string>HomeDirMechanism:status</string>
    <string>MCXMechanism:login</string>
    <string>CryptoTokenKit:login</string>
    <string>our-auth:prepare,privileged</string>
    <string>our-auth:main</string>
    <string>our-auth:cleanup,privileged</string>
    <string>loginwindow:done</string>

So, a summary of the flow:

1. User powers on the Mac and enters the FileVault password.
2. After the decryption process is done, our plugin triggers.
3. The user cancels our plugin in the view, hence the view is removed, and the user is back at the password entry screen.
4. User can enter ANY password he wants (it will not mention to him that he is changing or has changed the password).
5. Our plugin triggers again as part of the chain.
6. User approves our plugin and is logged in.
7. Trying to use the old password does not work. Only the new password works from that moment on.

I must say that it only happens if the user cancels our plugin on the first try. If he does not cancel the plugin, it will continue with the current password. Can someone help me understand why it is happening?
Replies: 0 | Boosts: 0 | Views: 777 | Activity: Aug ’21
Using the Latest Code Signature Format
Hello, lately I saw an article from Apple titled "Using the Latest Code Signature Format". This is the article: https://developer.apple.com/documentation/xcode/using_the_latest_code_signature_format. I'm trying to figure out the meaning of this. We have an app in the store published in 2014 that hasn't been touched since then. The article states that starting 14.2 the system checks for a new signature and in the near future it will reject apps without that signature ("In a future release, the new format will become mandatory, and the system won’t launch apps with the old signature format"). We tested the app on 14.2/3/4 and didn't get this warning message, although it's stated in the article. We cannot upload a new app as it will take a tremendous amount of time to rewrite it, and if it breaks we will have a serious production issue as lots of customers are still using it. Can anyone shed some light on this? Thanks in advance!
Replies: 4 | Boosts: 0 | Views: 1.2k | Activity: Jan ’21
iOS CI in jenkins and ANKA
Hi all, we are trying to use ANKA and Jenkins in order to do CI for our iOS apps. The main problem is with the code signature. When we install a new certificate we always need to go into the machine at least once and push the "Always Allow" button in the popup, or else our build is stuck. Without ANKA this is what we did until the next time we updated the certificates. The problem is when we start to use ANKA, where each time it will install everything (like a Docker container), and then even pushing "Always Allow" will not help when we run the jobs next time. Is there a solution for this scenario? Thanks, Noam
Replies: 0 | Boosts: 0 | Views: 970 | Activity: Jan ’20