Authentication Services

Improve the experience of users when they enter credentials to establish their identity using Authentication Services.

Posts under Authentication Services tag

104 Posts
Post | Replies | Boosts | Views | Activity

Is the Registration flow required for unlisted apps?
I want to publish an unlisted app for an enterprise audience and would like to know if the registration flow is required. Since my app will only have features that require login, Apple guidelines say it needs the registration process, but to ensure that only desired users will have access, I plan to create accounts from outside the app, thus making the registration within the app unnecessary. Are there any docs, guidelines or policies that state that registration is not needed for unlisted apps?
1
0
467
Oct ’24
Password autofill not working on iPhone simulator
When tapping on "password" in the accessory view above the keyboard, no password manager is opened. The keyboard just closes and re-opens. I have made sure a password exists and is available to be used. I have replicated this within my own app, but also from within the Settings app on the simulator (see attached gif), so I am confident it is not a coding issue on my side. I have replicated it on both iOS 17 and iOS 18. I am using Xcode Version 16.0 (16A242d). I am running macOS Sonoma Version 14.7 (23H124). I am fairly confident I have not experienced this when working on another client's app. I was using Xcode 15 for that, so not sure if this is something introduced with Xcode 16.
1
1
561
Dec ’24
Passkey QR code pop up Question
We are using performRequestsWithOptions to enable passkey on iOS app.

    [authController performRequestsWithOptions:ASAuthorizationControllerRequestOptionPreferImmediatelyAvailableCredentials];

Based on Apple doc, this will "Tells the authorization controller to prefer credentials that are immediately available on the local device.", and fail silently if there are no credentials available. However, in recent testing, we identified that on one device, we are seeing QR code popping up even though there's no credential on the device.

Question:
- Is this a bug on the OS system?
- If this is a bug, what are the causes that will trigger this condition?
- Is there a recommendation to mitigate the issue?
- Should we move to the new API?

Thank you.
1
0
430
Sep ’24
Help pls - Nextauth AppleProvider: id_token not present in token set
Hi everyone, I am trying to implement 'Sign-in with Apple' to my website using nextauth version 4.24.5 on next.js version 14.2.7. I set up the Apple ID and generated the Apple secret. The Apple ID is set to the service ID. Whenever I try and sign in on the site using Apple, (after submitting my username and password on the redirected appleid.com page), nextauth returns this error:

    [next-auth][error][OAUTH_CALLBACK_ERROR]
    https://next-auth.js.org/errors#oauth_callback_error id_token not present in TokenSet {
      error: TypeError: id_token not present in TokenSet {
        name: 'OAuthCallbackError',
        code: undefined
      },
      providerId: 'apple',
      message: 'id_token not present in TokenSet'
    }

This occurs even after specifying openid in the scope, setting the checks to pkce, setting the checks to state, setting idToken to true, and other changes to the config. I have used the AppleProvider from nextauth and my own custom provider and got the same result. The nextauth GoogleProvider works just fine so I know nextauth is set up properly. Do you know how I can fix this?

My Apple nextauth Apple provider config:

    const customAppleProvider = {
      id: "apple",
      name: "Apple",
      type: "oauth",
      wellKnown: "https://appleid.apple.com/.well-known/openid-configuration",
      authorization: {
        params: { scope: "name email openid", response_mode: "form_post" },
      },
      state: true,
      checks: ["pkce"],
      idToken: true,
      clientId: process.env.APPLE_ID,
      clientSecret: process.env.APPLE_SECRET,
      profile(profile) {
        return {
          id: profile.sub,
          name: profile.name,
          email: profile.email,
          image: null,
        }
      },
    };
1
0
747
Sep ’24
ASWebAuthenticationSession issue on iOS 18 simulator
We have some third-party SDKs that do not support the arm64 simulator, so we excluded arm64 for Any iOS Simulator SDK in Excluded Architectures. But in this case, ASWebAuthenticationSession will display abnormally. We submitted FB14853757 during the beta period, but have not received any response. This issue still exists in the official version. I hope it can be resolved. Thank you!
8
7
1.4k
Sep ’24
ASWebAuthenticationSession with https callback works with real device but not on simulator
I'm working on Authenticating a User Through a Web Service and using https callback. When running the project on a real device all works as expected, but when I run the same project with the same config on simulator I get this error:

    Login failed: Error Domain=com.apple.AuthenticationServices.WebAuthenticationSession Code=1 "Application with identifier bundle_id is not associated with domain my_domain. Using HTTPS callbacks requires Associated Domains using the webcredentials service type for my_domain." UserInfo={NSLocalizedFailureReason=Application with identifier bundle_id is not associated with domain my_domain. Using HTTPS callbacks requires Associated Domains using the webcredentials service type for my_domain.}

Xcode 15.4
iOS 17.5

    @available(iOS 17.4, *)
    public init(url URL: URL, callback: ASWebAuthenticationSession.Callback, completionHandler: @escaping ASWebAuthenticationSession.CompletionHandler)
0
0
515
Sep ’24
Validate user credentials and impersonate user
Working on a file server in C/C++ and need to do the following:

1. Validate user credentials (mac Username & password)
2. Impersonate user security context in a thread running in a daemon, so that I can enumerate user's home directory and files/folders.

Regarding 2, found API: pthread_setugid_np - is this the right approach? If so, how do I verify user credentials and call this API? Found this section in TN2083: Does this mean that it's really not possible to impersonate user and access their home directory etc. if the user isn't logged in via terminal/console? Or if they have FileVault enabled?
6
0
580
Sep ’24
Passkey displayName not supported by public key credential?
In AuthorizationServices support for displayName exists in:

    class ASAuthorizationSecurityKeyPublicKeyCredentialProvider

    func createCredentialRegistrationRequest(
        challenge: Data,
        displayName: String,
        name: String,
        userID: Data
    ) -> ASAuthorizationSecurityKeyPublicKeyCredentialRegistrationRequest

but is not supported in the corresponding class:

    class ASAuthorizationPlatformPublicKeyCredentialProvider

    func createCredentialRegistrationRequest(
        challenge: Data,
        name: String,
        userID: Data
    ) -> ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest

I was under the impression that this should be supported in public key credential registration?
1
0
397
Sep ’24
Passkey authorization succeeds on iOS, fails on macOS with Catalyst
I'm using the same code to authenticate using passkeys on iOS and macOS. On iOS (simulator, on-device, and deployed with TestFlight), I have no issues registering or authenticating with a passkey. On macOS using Catalyst, when I attempt to authenticate with a passkey (ASAuthorizationController#performRequests), I see the following error:

    Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1004 "Application with identifier TEAMID.com.bundle is not associated with domain bundle.com" UserInfo={NSLocalizedFailureReason=Application with identifier TEAMID.com.bundle is not associated with domain bundle.com}

I've double-checked my apple-app-site-association file is being served from the associated domain, and I've double-checked that the Apple CDN is also returning that same association file with webcredentials for my team/bundle. Any ideas why it would succeed in iOS environments but fail under macOS with Catalyst?
1
1
601
Sep ’24
How to make ASWebAuthenticationSession working with other browsers
We use ASWebAuthenticationSession in our app to perform SAML auth on iOS devices. It works fine with Safari. However, if we configure other browsers, such as Chrome, as the default browser on an iOS device, ASWebAuthenticationSession still loads Safari in an embedded window and auth cookies are only stored in Safari. Can ASWebAuthenticationSession work with the default browser on iOS, similar to how it works on macOS? Thanks, Ying
1
1
700
Aug ’24
Issue with Authentication Sharing Between Native App and WebView
I’m working on an iOS app using WKWebView, and I’ve implemented the following authentication flow:

- Sign-In Process: The sign-in process is handled natively.
- Access Token Storage: Once the user is signed in, the access token is stored within the app.
- WebView Cookie Setting: When a webview is opened, the app sets the access token in the webview’s cookies.
- Token Validation: The web server validates the access token from the cookie.

Problem: I’m encountering an issue where the authentication state between the native app and the webview doesn’t always synchronize correctly. Specifically:

- Sign-In Issue: If a user signs in while the webview is already open, the native app attempts to set the cookie in the webview. However, there are cases where the cookie isn’t set properly, and the server fails to retrieve the access token, similar to when a user is signed out.
- Sign-Out Issue: When a user signs out, the native app deletes the cookie. Although the app reports success in deleting the cookie, the webview sometimes still retains the cookie, which can cause inconsistencies.

These issues don’t happen consistently, and the behavior seems to be somewhat random.

My Questions:

- Is there a problem with how I’m sharing authentication between the native app and the webview?
- Do you have any suggestions or best practices for ensuring that the cookie management between the native app and WKWebView is reliable?

Thank you in advance for your help! I believe that the native app should manage the cookies for the WKWebView. However, I’m encountering issues where the cookies are not always synchronized properly between the native app and the webview.
0
0
505
Aug ’24
Subclassing ASWebAuthenticationSession.Callback not working
Hi, Trying to upgrade our SSO login with url and not uriScheme using ASWebAuthenticationSession.init(url:, callback:, completionHandler:). Problem is the documentation is very basic so I was trying to experiment and ran into a weird bug ... apparently if I subclass ASWebAuthenticationSession.Callback like this:

    class CustomThingie: ASWebAuthenticationSession.Callback {
        override func matchesURL(_ url: URL) -> Bool {
            PLogDebug("CustomThingie - match url: \(url) - does match? \(super.matchesURL(url))")
            return super.matchesURL(url)
        }
    }

The session black box thingie does nothing. That is "do you want to login ..." does not appear, nor any web modal.

session.start() does nothing when:

    session = ASWebAuthenticationSession(
        url: editedUrl,
        callback: CustomThingie.customScheme(uriScheme),
        completionHandler: onComplete
    )
    session.start()

works fine when:

    session = ASWebAuthenticationSession(
        url: editedUrl,
        callback: .customScheme(uriScheme),
        completionHandler: onComplete
    )

Any insights why is it so? Regards, Martynas
1
0
293
Aug ’24
One Time Codes
How can I trigger, or rather, when is the ASCredentialProviderViewController.prepareOneTimeCodeCredentialList(for:) method triggered? I can't seem to get it to work. I've added the ProvidesOneTimeCodes key to the Info.plist. I've added the com.apple.developer.authentication-services.autofill-credential-provider entitlement. Example of the extension:

    class CredentialProviderViewController: ASCredentialProviderViewController {
        override func prepareOneTimeCodeCredentialList(for serviceIdentifiers: [ASCredentialServiceIdentifier]) {
            print("********************************* prepareOneTimeCodeCredentialList \(serviceIdentifiers)")
        }

        override func prepareInterfaceForUserChoosingTextToInsert() {
            print("********************************* prepareInterfaceForUserChoosingTextToInsert")
        }
    }

The app is enabled in the AUTOFILL FROM: in Settings App.
2
1
559
Aug ’24
setCodeSigningRequirement and Security Agent Plugins
I have a security agent plugin that uses NSXPCConnection to communicate with a launch daemon. This works well, but I want to make sure the launch daemon has not been compromised. I added code to call setCodeSigningRequirement in my module that handles the client side of the NSXPCConnection. However, when used in the security agent plugin, remoteObjectProxyWithErrorHandler reports an error NSCocoaErrorDomain Code=4102 "The code signature requirement failed." If I call my xpc module from a test application, I do not receive an error and everything works as expected. I have tried different code signing requirements. Even with just "anchor apple generic" I still get the error. The console log shows two entries of interest:

    com.apple.SecurityAgentHelper.arm64 default 09:13:29.677567-0500 SecurityAgentHelper-arm64 EOGSecurityServiceClient biometricAuthorization remote proxy error: Error Domain=NSCocoaErrorDomain Code=4102 "The code signature requirement failed." UserInfo={NSDebugDescription=The code signature requirement failed.}
4
0
776
Aug ’24
Authentication Services fail with "Found unsupported attestation type"
Hello, I am writing an AuthenticationService plugin to provide Passkeys to a web browser. The problem is that, after I call ASCredentialProviderExtensionContext.completeRegistrationRequestWithSelectedPasskeyCredential with the attestation object I composed, the operation fails and the macOS system log contains the error:

    com.apple.AuthenticationServices.Helper: (AuthenticationServices) [com.apple.AuthenticationServices:Authorization] Returned credential failed validation: Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1002 "Found unsupported attestation type." UserInfo={NSLocalizedFailureReason=Found unsupported attestation type.}

Is there a way to find out what part of my attestation is triggering this error? P.S. the same code is able to generate a valid passkey on Windows platforms, so it's not completely broken. Thanks, Alberto
1
0
624
Aug ’24
WKWebView for general purpose web browser
I created a simple web browser using WKWebView, but as far as I can tell, there is not a way to auto-populate credentials or save credentials a user enters into a login form at a 3rd-party website like Netflix (i.e., not my own app domain). Is this correct? If this is wrong, what are the APIs to support this? My use case is that I want to create an immersive app in visionOS that includes a window that lets the user surf the web (among other things). Ideally, I could just use a Safari window in my immersive app, but I don't think this is possible either. My workaround is to create my own web browser... which works, minus the credential issue. Is it possible to bring a Safari window into an immersive visionOS app's experience? (IMHO, that would be a great feature)
0
0
551
Jul ’24
ASWebAuthenticationSession does not work for some reason for an OAuth Authorization Code grant
Hi there, I'm having some trouble with getting an OAuth Authorization Code redirect with a custom scheme to work with ASWebAuthenticationSession. I am trying to build an app that integrates with an authentication provider, which I have configured like this:

Callback URL: myapp://auth

In my iOS app, I have defined this as a custom scheme in my info.plist file.

    <dict>
        <key>CFBundleURLTypes</key>
        <array>
            <dict>
                <key>CFBundleTypeRole</key>
                <string>Editor</string>
                <key>CFBundleURLName</key>
                <string>com.abc.def</string>
                <key>CFBundleURLSchemes</key>
                <array>
                    <string>myapp</string>
                </array>
            </dict>
            <dict/>
        </array>
    </dict>

Excuse the messy-ish code below, but I just want to see this work.

    import SwiftUI

    @main
    struct MyApp: App {
        var body: some Scene {
            WindowGroup {
                AContentView()
                    .onOpenURL { url in
                        print("Received URL in onOpenURL: \(url)")
                        Self.handleURL(url)
                    }
            }
        }

        static func handleURL(_ url: URL) {
            print("Handled URL: \(url)")
        }
    }

    import AuthenticationServices

    struct AContentView: View {
        @Bindable var viewModel = SomeViewModel()
        @State private var authSession: ASWebAuthenticationSession?
        @State private var presentationContextProvider = PresentationContextProvider()

        var body: some View {
            VStack {
                Button(action: doIt) {
                    Text("Authenticate")
                }
            }
        }

        func doIt() {
            Task { @MainActor in
                await viewModel.onLaunchAsync() // this asynchronously gets some stuff that is used to build `viewModel.loginUrl`
                authenticate()
            }
        }

        func authenticate() {
            let authURL = viewModel.loginUrl! // Replace with your auth URL
            let callbackURLScheme = "myapp"

            authSession = ASWebAuthenticationSession(url: authURL, callback: .customScheme(callbackURLScheme)) { callbackURL, error in
                if let error = error {
                    print("Authentication error: \(error.localizedDescription)")
                    return
                }
                guard let callbackURL = callbackURL else {
                    print("No callback URL")
                    return
                }
                print("Callback URL: \(callbackURL)")
                MyApp.handleURL(callbackURL)
            }
            authSession?.presentationContextProvider = presentationContextProvider
            authSession?.start()
        }
    }

    class PresentationContextProvider: NSObject, ASWebAuthenticationPresentationContextProviding {
        func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor {
            return UIApplication.shared.windows.first!
        }
    }

I'm running Proxyman, and can see the calls the iOS app makes. When I click the "authenticate" button, I get the expected request to open Safari, and log in to a web form provided by an authentication provider. Next, I am redirected to a "choose consents" page, where I can choose scopes. Finally, on this page, I click "Allow" at the bottom of this list of scopes, but instead of being 'sent' back to the app, the redirect doesn't work. The final API call the web screen makes is to a /consent endpoint which replies with an HTTP 302, and a Location header as below:

    Location: myapp://auth#code=<something>

This doesn't close the window, either in a simulator or a real device. I can verify that my scheme is working correctly, as if I manually in Safari browse to myapp://auth#code=1234 it asks me if I want to open in my app, and I can see my print firing off. Am I missing something? What am I doing wrong here? While I could implement this myself using WKWebView / WKNavigationDelegate to intercept the new location, see if it's my custom scheme, and then close it out, that seems hacky, and AFAIK ASWebAuthenticationSession should support my use-case. Many thanks!
2
0
944
Jul ’24