@ pradeepfromsymc
Using SFAuthorizationPluginView also helps me display the UX and invoke my app. I have written an authorization plugin using SFAuthorizationPluginView and it does get invoked at the lock screen, but it doesn't display the UI at all. I get an alert box saying "You must enter your password to continue" with OK and Cancel buttons.
If I just set rule (method below) to "authenticate-session-owner-or-admin" in system.login.screensaver, without adding the mechanism of my Authorization Plugin to 'authenticate', then I get editable username and password fields and I can log in with native macOS credentials.
@eskimo
>> use-login-window-ui
>> If you remove that then you fall back to a legacy code path that is compatible with third-party authorisation plug-ins
I've tried to invoke my Authorization Plugin at the lock screen by doing this. But it displays only a black screen if I write my mechanism in the "authenticate" entry of authdb. It displays username and password fields (NOT a feature of my auth plugin) if the "authenticate" entry of authdb is not changed.
I've tried this:
sudo security authorizationdb write system.login.screensaver < myfile.plist
The file is:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>The owner or any administrator can unlock the screensaver, set rule to "authenticate-session-owner-or-admin" to enable SecurityAgent.</string>
<key>created</key>
<real>619370235.93105304</real>
<key>modified</key>
<real>619370235.93105304</real>
<key>rule</key>
<array>
<string>authenticate-session-owner-or-admin</string>
</array>
<key>session-owner</key>
<true/>
<key>version</key>
<integer>1</integer>
</dict>
</plist>
I've used this file also:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>592759977.27845001</real>
<key>group</key>
<string>admin</string>
<key>mechanisms</key>
<array>
<string>CustomAuthorizationPlugin:invoke</string>
<string>builtin:authenticate,privileged</string>
<string>builtin:auto-login,privileged</string>
<string>builtin:forward-login,privileged</string>
<string>PKINITMechanism:auth,privileged</string>
</array>
<key>rule</key>
<array>
<string>authenticate-session-owner-or-admin</string>
</array>
<key>modified</key>
<real>601410763.90900505</real>
<key>session-owner</key>
<true/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
</plist>
I've changed the authenticate entry of authDB using:
sudo security authorizationdb write authenticate < myfile.plist
My file for it is:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>619370235.93105304</real>
<key>group</key>
<string>admin</string>
<key>mechanisms</key>
<array>
<string>CustomAuthorizationPlugin:invoke</string>
<string>builtin:forward-login,privileged</string>
<string>builtin:auto-login,privileged</string>
<string>builtin:authenticate,privileged</string>
<string>PKINITMechanism:auth,privileged</string>
</array>
<key>modified</key>
<real>619370235.93105304</real>
<key>session-owner</key>
<true/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
</plist>
I've even tried this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>allow-root</key>
<false/>
<key>authenticate-user</key>
<true/>
<key>class</key>
<string>user</string>
<key>created</key>
<real>619370235.93105304</real>
<key>group</key>
<string>admin</string>
<key>mechanisms</key>
<array>
<string>CustomAuthorizationPlugin:invoke</string>
</array>
<key>modified</key>
<real>619370235.93105304</real>
<key>session-owner</key>
<true/>
<key>shared</key>
<false/>
<key>timeout</key>
<integer>2147483647</integer>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
</plist>
__
let domain = "hotmail.com"
let temp = "1_1"
let mail = "rehan\(temp)@\(domain)"
and this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>created</key>
<real>619370235.93105304</real>
<key>mechanisms</key>
<array>
<string>builtin:authenticate</string>
<string>CustomAuthorizationPlugin:invoke</string>
<string>builtin:reset-password,privileged</string>
<string>builtin:authenticate,privileged</string>
<string>PKINITMechanism:auth,privileged</string>
</array>
<key>modified</key>
<real>619370235.93105304</real>
<key>shared</key>
<true/>
<key>tries</key>
<integer>10000</integer>
<key>version</key>
<integer>0</integer>
</dict>
</plist>
I've tried multiple different file entries for both the 'authenticate' and 'system.login.screensaver' entries of authDB, but nothing worked.
Meanwhile, I've figured out why the authdb was reset for @mattklepp when writing GMIAuthPlugin.
authenticate-session-owner-or-admin overwrites the whole plist file and does not keep the mechanism part we want.
There is some error in his plist file. My own file has almost the same entries, but I am able to write them to authDB and they remain there.
Also, I heard that the Knock to Unlock app uses a login agent to control the lock screen. So perhaps the only option I have is to develop a separate login agent to handle the lock screen, along with my existing Authorization Plugin for the logout and reboot cases. Is there any way to get my existing plugin displayed at the lock screen too?
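The posts above edit authorizationdb rights by hand-merging plist dumps, and two things go wrong in them: a `rule`-class right (the `authenticate-session-owner-or-admin` attempt) delegates to the named rules and carries no mechanisms of its own, so anything added under `mechanisms` there is never evaluated, and a merged file can end up with the same key twice (the second file has `modified` twice), which a plist parser resolves silently. The script below is an added example, not code from this thread or from Apple: it validates a right definition, inserts the custom mechanism ahead of `builtin:authenticate,privileged`, and drops `use-login-window-ui` as the quoted advice suggests. The sample rights and the mechanism name `CustomAuthorizationPlugin:invoke` are constructed to match the shapes posted above; the `before` default and the placeholder timestamps are assumptions.

```python
import plistlib
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample (not a real authorizationdb dump): the shape that
# `security authorizationdb read <right>` prints, built with plistlib.
CLEAN_RIGHT = plistlib.dumps({
    "class": "user",
    "group": "admin",
    "session-owner": True,
    "mechanisms": [
        "builtin:authenticate,privileged",
        "builtin:forward-login,privileged",
    ],
    "use-login-window-ui": True,
})

# Constructed 'rule' class right: it delegates to the named rules and
# has no mechanism list of its own.
RULE_RIGHT = plistlib.dumps({
    "class": "rule",
    "rule": ["authenticate-session-owner-or-admin"],
})

# Constructed XML with the same key twice, mirroring the paste error that
# appears when two dumps are merged by hand (timestamps are placeholders).
DUPLICATE_RIGHT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>class</key><string>user</string>
  <key>mechanisms</key><array><string>builtin:authenticate,privileged</string></array>
  <key>modified</key><real>1.0</real>
  <key>modified</key><real>2.0</real>
</dict>
</plist>
"""


def duplicate_keys(xml_bytes: bytes) -> list:
    """Return top-level dict keys that appear more than once.
    plistlib keeps the last value without complaint, so scan the XML first."""
    root = ET.fromstring(xml_bytes)
    top = root.find("dict")
    if top is None:
        return []
    counts = Counter(k.text for k in top.findall("key"))
    return sorted(k for k, n in counts.items() if n > 1)


def load_right(xml_bytes: bytes) -> dict:
    """Parse a right definition, refusing ambiguous (duplicate-key) input."""
    dups = duplicate_keys(xml_bytes)
    if dups:
        raise ValueError(f"duplicate keys in right: {dups}")
    right = plistlib.loads(xml_bytes)
    if not isinstance(right, dict):
        raise ValueError("right definition must be a dict")
    return right


def add_mechanism(right: dict, mechanism: str,
                  before: str = "builtin:authenticate,privileged") -> dict:
    """Copy `right` with `mechanism` inserted ahead of `before` (or at the
    front), and clear use-login-window-ui so the legacy, plug-in compatible
    code path is taken. Refuses rights whose class never runs mechanisms."""
    cls = right.get("class")
    if cls == "rule":
        raise ValueError("class 'rule' delegates to the rules named in 'rule'; "
                         "mechanisms added here would never be evaluated")
    if cls not in ("user", "evaluate-mechanisms"):
        raise ValueError(f"unsupported class {cls!r}")
    out = dict(right)
    mechs = list(out.get("mechanisms", []))
    if mechanism not in mechs:
        idx = mechs.index(before) if before in mechs else 0
        mechs.insert(idx, mechanism)
    out["mechanisms"] = mechs
    out.pop("use-login-window-ui", None)
    return out


def prepare(xml_bytes: bytes, mechanism: str) -> bytes:
    """Validate, edit and re-serialise a right; the result is what you would
    pipe into `sudo security authorizationdb write <right>`."""
    return plistlib.dumps(add_mechanism(load_right(xml_bytes), mechanism))


if __name__ == "__main__":
    print(prepare(CLEAN_RIGHT, "CustomAuthorizationPlugin:invoke").decode())
```

In practice you would feed it the output of `security authorizationdb read system.login.screensaver` (kept as a backup so the right can be restored with `write` if the lock screen goes black), and only then pipe the prepared plist into `sudo security authorizationdb write`. The refusal on `rule`-class rights is what catches the first attempt in this thread: such a right is not "reset" by the write, it simply has nowhere for the mechanism to live.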
The Objective-C or C-based examples https://github.com/tburgin/PSU_2015 and https://github.com/OCForks/NullAuthPlugin don't solve the issue. I need a Swift-based version.
Also, those examples don't allow us to add new 'labels' and text fields to the login screen. I don't want to display a Cocoa-application kind of thing on the login screen, as it ruins the proper feel of the login screen.
And all these requirements are actually fulfilled by Microsoft. There are examples which cover all the required stuff.
An excellent example by Microsoft for replacing login screen in Windows is this:
https://github.com/Aliceljm1/WinSdkDemo/tree/41e7fb64f8711b7415b0b5d6fa4b3aa93dfcc4e5/v7.1/Samples/security/credentialproviders