Authentication Services

Improve the experience of users when they enter credentials to establish their identity using Authentication Services.

Posts under Authentication Services tag

96 Posts
Post | Replies | Boosts | Views | Activity

Cookie sharing between ASWebAuthenticationSession and Safari (ios)
I'm currently trying to add an OIDC connection to an iOS application. I'm using AppAuth, which will use ASWebAuthenticationSession (because we're targeting recent versions of iOS). We have a login web page that will write a cookie. We'd like this cookie to be shared between the application (using ASWebAuthenticationSession) and the system browser (Safari) so that the user can be recognized and avoid having to log in again. The web page writes a permanent cookie (with an expiry date) and the iOS application uses ASWebAuthenticationSession, and I did not set prefersEphemeralSession to true. So we should be OK with the documentation (SFSafariViewController no longer shares cookies, and session cookies are not shared between ASWebAuthenticationSession and Safari). It should work, if I understand the documentation correctly. Did I miss a point? Or is it a known problem?

I also tried to create a simple web page that reads and writes a cookie to do some tests.

```javascript
// Name of the test cookie (the original snippet used it without declaring it)
var cookieName = "testcookie";

function writeCookie() {
    var value = "something";
    // Persistent cookie: one year, as max-age and as an explicit expires date
    var maxAge = "max-age=" + (365 * 24 * 60 * 60);
    var expiration = new Date();
    expiration.setTime(expiration.getTime() + (365 * 24 * 60 * 60 * 1000));
    var expires = "expires=" + expiration.toUTCString();
    // SameSite=None is only accepted together with Secure
    var sameSite = "SameSite=None";
    var secure = ";Secure";
    document.cookie = cookieName + "=" + value + ";" + maxAge + ";" + expires + ";path=/;" + sameSite + secure;
}

function readCookie() {
    var cookies = document.cookie.split(';');
    var value = "";
    for (var i = 0; i < cookies.length; i++) {
        var cookie = cookies[i].trim();
        // Match "name=" so a cookie whose name merely starts with cookieName is not picked up
        if (cookie.indexOf(cookieName + "=") == 0) {
            value = cookie.substring(cookieName.length + 1, cookie.length);
            break;
        }
    }
    if (value !== "") {
        alert("Cookie value : " + value);
    }
}
```

And iOS code:

```swift
// AppAuth: OIDAuthState drives the ASWebAuthenticationSession-based flow
currentAuthorizationFlow = OIDAuthState.authState(byPresenting: request, presenting: viewController) { authState, error in
    if let authState = authState {
        print("Authorization succeed")
        self.authState = authState
        if let accessToken = authState.lastTokenResponse?.accessToken,
           let idToken = authState.lastTokenResponse?.idToken {
            completion(.success(TokenResponse(accessToken: accessToken, idToken: idToken)))
            return
        }
    }
    self.authState = nil
    // error is optional; Result.failure needs a concrete Error
    completion(.failure(error ?? URLError(.unknown)))
}
```
1
1
1k
Apr ’24
AppKit/Mac Catalyst apps are being rejected by App Review for launching default web browser for login
It seems that all macOS apps currently going through App Review which use ASWebAuthenticationSession (or SwiftUI webAuthenticationSession) are being rejected, because: Reason given: Guideline 4.0 - Design The user is taken to the default web browser to sign in or register for an account, which provides a poor user experience. See here for more details: https://forums.developer.apple.com/forums/thread/750400 If webAuthenticationSession is no longer permitted for production apps, what is the current recommended approach for implementing OAuth 2 authentication?
2
2
607
Jun ’24
iOS Requests Permission to Sign In when Signing/Logging Out
When using an ASWebAuthenticationSession to log in, with prefersEphemeralSession = false to enable SSO, the system presents an alert asking if the user wants to allow "SomeApp" to Sign In with "someauthprovider.xyz". The system presents exactly the same alert when you want to log out, and it is confusing for users. It's my understanding that the system does this because the alert really means "would you like to allow this app to let some page access Safari's shared cookie vault?" in lay terms, and is not distinguishing between create, read, update, or delete. It would be splendid if Apple changes this dialog depending on the operation. I would also like to know if there is any other way to fix this.
1
0
592
Apr ’24
App review rejected due to OTP login system
We have recently rolled out a one-time-password only log in system for our app. Access to our app is by invite only and users are required to register outside of the app to set up their account (it is an app for events & conferences). The majority of users have requested this login system as it is more secure and easier than a traditional password. I submitted the app for review, but it was rejected as the Apple tester required the email access code that was sent when they entered the tester email address we have in the app description. Does anyone have any advice on how we can remedy this so that our app does not keep getting rejected for this reason? Thanks
0
0
398
Apr ’24
OAuth using ASWebAuthenticationSession, redirect URI
Hello, My app uses OAuth to connect to two services. To get the authorization code, originally, they both allowed a URI in the form of "com.SmartVentsTwo://auth". Now, the second one changed and requires that the URI be a complete URL starting with HTTPS. Needless to say the second stopped working. I read several different articles and posts about this difference telling me a range of things to do, from simply adding "https://com.SSmarVentsTwo://auth" to the URL types in the project settings, to creating a redirect from my website. It would seem the most secure would be the former since it doesn't require extra jumps, but it didn't work. When I tried it, after logging in and authorizing the request, I got a "could not find server" error. What are the exact steps I need to follow to accommodate the change? (Thank you very much!!)
7
0
1.3k
Apr ’24
Trader Account - Phone Verification
Hello, I'm trying to enroll on the trader account program but after filling out the form, then entering the email verification code that was sent, I don't ever receive the phone OTP code that I'm supposed to receive. I'm not from the US, my country code is +51, so I select that on the dial code combo-box then enter my number, which is 9 digits long. However, I tried with a US phone from a friend and it works just fine; he does receive the confirmation code. How can I fix this? I already have an app stuck for over 1 week because of this. I've called Apple support multiple times and they tell me to send evidence via email, which I have. They've told me it was "scaled" to the engineering team, but of course that's gonna take a long while for it to be fixed. Has anyone encountered a similar problem? I believe there's gotta be a quirk or something in that form that will actually get the system to work.
4
1
947
Apr ’24
New initializer for ASWebAuthenticationSession
I have noticed that there is a new initializer for ASWebAuthenticationSession in macOS 14.4. The standard initializer has been deprecated without further info. The new initializer looks as follows: init(url: URL, callback: ASWebAuthenticationSession.Callback, completionHandler: ASWebAuthenticationSession.CompletionHandler). This initializer takes a callback object of class ASWebAuthenticationSession.Callback. But this class cannot be initialized and also cannot be subclassed. When you try to do this there will be the following error in Xcode: 'init()' is unavailable. The documentation also does not give any hint on how to use it; it just defines 2 class methods and a method called func matchesURL(URL) -> Bool, which could mean that by using this method you could match any arbitrary URL to continue the process. Has anyone figured out what to do with this?
1
0
907
Mar ’24
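Added example for the three ASWebAuthenticationSession posts above (cookie sharing, the HTTPS redirect URI, and the new initializer); it is not code from any of the posters. ASWebAuthenticationSession.Callback is not meant to be constructed or subclassed: you obtain one from its two static methods, customScheme(_:) for a "com.example://auth" style redirect and https(host:path:) for an HTTPS redirect URI, and the system does the URL matching for you. The custom scheme, host and path below are hypothetical; an HTTPS callback host additionally has to be one the app is associated with (a webcredentials associated domain), otherwise the redirect never reaches the session.

```swift
import AuthenticationServices

/// Starts an OAuth/OIDC authorization round trip and hands back the redirect URL.
/// Hypothetical wrapper; the app must declare the custom scheme in its URL types
/// and own the HTTPS redirect host.
final class AuthFlow: NSObject, ASWebAuthenticationPresentationContextProviding {
    private var session: ASWebAuthenticationSession?
    private weak var anchorWindow: ASPresentationAnchor?   // UIWindow on iOS, NSWindow on macOS

    init(anchor: ASPresentationAnchor) {
        self.anchorWindow = anchor
    }

    enum Redirect {
        case customScheme(String)               // e.g. "com.example.smartvents" (hypothetical)
        case https(host: String, path: String)  // e.g. ("auth.example.com", "/callback") (hypothetical)
    }

    func start(authorizationURL: URL, redirect: Redirect, shareCookiesWithSafari: Bool,
               completion: @escaping (Result<URL, Error>) -> Void) {
        let handler: ASWebAuthenticationSession.CompletionHandler = { url, error in
            if let url = url {
                completion(.success(url))
            } else {
                completion(.failure(error ?? URLError(.cancelled)))
            }
        }

        let session: ASWebAuthenticationSession
        if #available(iOS 17.4, macOS 14.4, *) {
            // New initializer: an HTTPS redirect URI works directly, no custom-scheme detour.
            let callback: ASWebAuthenticationSession.Callback
            switch redirect {
            case .customScheme(let scheme):
                callback = .customScheme(scheme)
            case .https(let host, let path):
                callback = .https(host: host, path: path)
            }
            session = ASWebAuthenticationSession(url: authorizationURL, callback: callback,
                                                 completionHandler: handler)
        } else {
            // The deprecated initializer only understands custom URL schemes.
            guard case .customScheme(let scheme) = redirect else {
                completion(.failure(URLError(.unsupportedURL)))
                return
            }
            session = ASWebAuthenticationSession(url: authorizationURL, callbackURLScheme: scheme,
                                                 completionHandler: handler)
        }

        // false: use the shared web-authentication cookie store, so a persistent SSO cookie
        // already set for this provider is reused (the system shows the consent alert);
        // true: a throwaway store, no cookies in or out.
        session.prefersEphemeralSession = !shareCookiesWithSafari
        session.presentationContextProvider = self
        self.session = session
        session.start()
    }

    func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor {
        anchorWindow ?? ASPresentationAnchor()
    }
}
```

The same wrapper covers the logout case from the earlier post: a session started with prefersEphemeralSession set to true gets no consent alert because it never touches the shared cookie store, at the cost of not clearing the shared SSO cookie.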
Mutual TLS authentication using PIV card fails to send the entire client cert chain
My organization is using mutual TLS authentication for HTTPS, with PIV cards storing the certs. We observe that some OS X devices send only the leaf certs when establishing the mTLS connection, whereas others send the entire chain. We cannot validate the leaf cert without the intermediate cert, so those clients are rejected. What drives the decision whether to send the whole chain vs. the leaf cert only?

For more details, and some things we observed. The PIV cards are US DoD CAC cards: https://www.cac.mil/common-access-card/

The client cert chain on the card looks like this:
1. Leaf client cert, CN=LastName.Name
2. Intermediate cert, CN=DOD ID CA-70
3. "Root" cert, CN=DoD Root CA 6
4 through 8: Additional interoperability certs.

Our system is set up to trust the "root" cert CN=DoD Root CA 6. Neither the leaf cert nor the other certs in the chain are trusted by the Apple Keychain Trust Store by default. We find that most laptops will send the entire chain, 1 through 8, when establishing the mTLS connection with our servers. This allows us to validate them correctly. On a subset of OS X devices, Google Chrome will only send the leaf cert. This happens even when we use the exact same PIV card and the exact same PIV reader as on working laptops. Safari will not send any cert at all. We found that if we explicitly add CN=DoD Root CA 6 to the Apple Trust Store, Google Chrome and Safari will start sending a short chain, containing only certs 1 through 3. This allows the server to validate them. When we remove it from the Trust Store, Chrome is back to sending only the leaf, but Safari will not even send the leaf. Again, this only happens on some laptops; on most of the laptops, both Safari and Google Chrome will send the entire chain, regardless of whatever is set up in the Trust Store. My suspicion is that for some reason, on those laptops, Safari will not send the client certs that OS X doesn't trust. This makes sense, but this is not the behavior we want. We want the same behavior as on the working laptops, which is to send the whole chain. All of our laptops are on OS X 14.4.
0
0
601
Mar ’24
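Added example, not from the post above. Safari and Chrome decide on their own which certificates go into the TLS Certificate message, but an app using URLSession does get to choose: the certificates passed to URLCredential(identity:certificates:persistence:) are sent alongside the identity's leaf. The code below answers a client-certificate challenge with the PIV identity from the keychain plus intermediates bundled with the app, so the server can build a path even when it has never seen "DOD ID CA-70". The identity label and the DER file names are hypothetical.

```swift
import Foundation
import Security

/// URLSession delegate that presents a smart-card identity together with explicit intermediates.
/// The label and bundled file names are placeholders for this example.
final class ClientCertificateDelegate: NSObject, URLSessionDelegate {
    private let identityLabel: String        // keychain label of the PIV signing identity (hypothetical)
    private let intermediateDERFiles: [String] // DER files in the bundle, e.g. "DOD_ID_CA-70" (hypothetical)

    init(identityLabel: String, intermediateDERFiles: [String]) {
        self.identityLabel = identityLabel
        self.intermediateDERFiles = intermediateDERFiles
    }

    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodClientCertificate,
              let identity = lookupIdentity() else {
            // Not a client-cert challenge (or no identity): fall back to default handling
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // The leaf comes from the identity; the intermediates are sent explicitly, so the
        // server does not depend on the client's trust store to complete the chain.
        let credential = URLCredential(identity: identity,
                                       certificates: loadIntermediates(),
                                       persistence: .forSession)
        completionHandler(.useCredential, credential)
    }

    /// Finds the identity (cert + key handle) by label; smart-card identities show up here too.
    private func lookupIdentity() -> SecIdentity? {
        let query: [CFString: Any] = [
            kSecClass: kSecClassIdentity,
            kSecAttrLabel: identityLabel,
            kSecReturnRef: true,
            kSecMatchLimit: kSecMatchLimitOne
        ]
        var item: CFTypeRef?
        guard SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess, let ref = item else {
            return nil
        }
        return (ref as! SecIdentity)
    }

    /// Loads the intermediate CA certificates shipped with the app as DER (.cer) files.
    private func loadIntermediates() -> [SecCertificate] {
        intermediateDERFiles.compactMap { name in
            guard let url = Bundle.main.url(forResource: name, withExtension: "cer"),
                  let data = try? Data(contentsOf: url) else { return nil }
            return SecCertificateCreateWithData(nil, data as CFData)
        }
    }
}
```

For browser clients the more robust fix is on the server: if the server's own path-building store holds the DoD intermediates, a leaf-only Certificate message from Chrome still validates, and the client's behaviour stops mattering.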
Apple Sign In required when only for existing customers?
I'm getting ready to release the first version of our app, which is designed for existing (paying) customers of our service. The app will only have a Sign In functionality for the first few versions, ie users cannot create a new account through the app. We currently only have password or Google authentication through the website. I'm wondering how the app store guidelines apply here. It seems that since the March 4, 2020 update, Apple Sign In is required when using any other third party oauth providers (Google for our case). However I'm unclear if the listed exceptions cover this scenario. To state the obvious, users do not have a way currently to create an account with Apple Sign In, so exactly 0 users will ever succeed in logging in with that button if I'm required to put it. I understand the guidelines if we're talking about creating accounts, but since this is Sign In only, is it still required to provide as an option? Thanks in advance!
0
0
674
Mar ’24
Certificate based authentication along with 2FA
I would like to implement certificate based authentication using MSCA as the authenticator, along with 2FA as OTP/push. I have achieved the same using an authorization plugin where the first factor is user name and password and for the second factor it goes to my server for OTP verification. In this case I would like to go to MSCA for the primary (certificate) authentication and after that go to my server for the second factor.
0
0
428
Mar ’24
iCloud Password Manager for associated domains broken in iOS 17.4
I’m looking to see if anybody else has noticed that iOS 17.4 seems to have broken password autofill for associated domains. Meaning if I open my app to the login page (web view) it recognizes the associated domains and the passwords in my keychain. If I tap on my user name my keychain is unlocked with biometrics (FaceID) and I’m returned to the page, but the user name and password fields are not filled in. This just started happening in iOS 17.4 (17.3.1 works fine, for example). Interestingly, if you choose the 🔑 icon on the right side of the keyboard and then choose your credentials you get a blank page until you tap in a text field; then the username and password show up. I have filed a bug report with Apple, but in the meantime I was curious if anybody else has seen this or has a solution.
3
0
935
Mar ’24
Determining if user has passkey for service already?
I'm working my way through adding passkey support to my app. At app launch, I'd like to test to see if the user has already created a passkey for the service, and if not, immediately present the account creation UI. Is there an API call I can make to see if the user already has a credential? From the examples I’ve found, it seems I should just try to sign in, and I’ll get an error callback if there are no stored credentials. Is that right?
4
0
1.4k
Mar ’24
"excludeCredentials" restricted to iOS 17.4 in Xcode 15.3
The below code used to compile for iOS 16.0 and above when using Xcode 15.2. Now it seems that ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest.excludeCredentials is only available on iOS 17.4 and above in Xcode 15.3? Is there any reason that's the case?

```swift
let request = ASAuthorizationPlatformPublicKeyCredentialProvider(relyingPartyIdentifier: id)
    .createCredentialRegistrationRequest(challenge: challengeData, name: name, userID: userIDData)
// ERROR: 'excludedCredentials' is only available in iOS 17.4 or newer
request.excludedCredentials = registrationOptions.excludeCredentials
```
1
0
737
Mar ’24
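Added example covering the two passkey posts above ("does the user already have a passkey?" and the excludedCredentials availability error); it is not the posters' code. There is no API that answers "is there a passkey for this relying party?" directly: the documented pattern is to run an assertion request with the preferImmediatelyAvailableCredentials option, which completes with ASAuthorizationError.canceled instead of showing UI when nothing is stored, and to treat that as the cue to offer registration. Registration then passes the credential IDs the server already knows as excludedCredentials, guarded by #available because that property first ships in the iOS 17.4 / macOS 14.4 SDK. The relying party identifier, challenge and user fields are hypothetical and would normally come from the server.

```swift
import AuthenticationServices

/// Passkey sign-in and registration for one relying party. The rpID and the
/// challenge/user values passed in are placeholders supplied by the caller.
final class PasskeyController: NSObject, ASAuthorizationControllerDelegate {
    private let provider: ASAuthorizationPlatformPublicKeyCredentialProvider
    private var controller: ASAuthorizationController?
    var onResult: ((Result<ASAuthorization, Error>) -> Void)?

    init(relyingPartyIdentifier rpID: String) {
        provider = ASAuthorizationPlatformPublicKeyCredentialProvider(relyingPartyIdentifier: rpID)
    }

    /// Attempts sign-in only with passkeys already on this device. When none exist the
    /// request fails quickly with ASAuthorizationError.canceled and no sheet is shown.
    func signInIfPasskeyExists(challenge: Data) {
        let request = provider.createCredentialAssertionRequest(challenge: challenge)
        let c = ASAuthorizationController(authorizationRequests: [request])
        c.delegate = self
        controller = c
        if #available(iOS 16.0, macOS 13.0, *) {
            c.performRequests(options: .preferImmediatelyAvailableCredentials)
        } else {
            c.performRequests()  // older systems always present the picker
        }
    }

    /// Registers a new passkey, telling the authenticator which credential IDs the server
    /// already has so an existing passkey is not silently duplicated.
    func register(challenge: Data, userName: String, userID: Data, knownCredentialIDs: [Data]) {
        let request = provider.createCredentialRegistrationRequest(challenge: challenge,
                                                                   name: userName,
                                                                   userID: userID)
        if #available(iOS 17.4, macOS 14.4, *) {
            // Property exists only from the Xcode 15.3 SDK onward; older systems skip the exclusion
            request.excludedCredentials = knownCredentialIDs.map {
                ASAuthorizationPlatformPublicKeyCredentialDescriptor(credentialID: $0)
            }
        }
        let c = ASAuthorizationController(authorizationRequests: [request])
        c.delegate = self
        controller = c
        c.performRequests()
    }

    func authorizationController(controller: ASAuthorizationController,
                                 didCompleteWithAuthorization authorization: ASAuthorization) {
        onResult?(.success(authorization))
    }

    func authorizationController(controller: ASAuthorizationController,
                                 didCompleteWithError error: Error) {
        onResult?(.failure(error))
    }

    /// True when the failure is the "nothing available" outcome of the immediate request.
    static func isNoCredentialAvailable(_ error: Error) -> Bool {
        (error as? ASAuthorizationError)?.code == .canceled
    }
}
```

One caveat: canceled is also what you get when the user dismisses the sheet, so on the assertion path the two cases are only distinguishable by the fact that no sheet was ever shown; both lead to the same next step, offering account creation, which is why the pattern works in practice.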
Question on the new passkey provider interface
How do we find such info as attestationPreference through the prepareInterface() API? Is there a way to access ASAuthorizationPublicKeyCredentialRegistrationRequest? I don't seem to see how we can achieve this through ASPasskeyCredentialRequest in prepareInterface(forPasskeyRegistration:) for iOS. A more broader question is: do we even have access to the WebAuthn extensions in third-party passkey manager? Thanks, Joshua
2
0
675
Mar ’24
SignInWithApple / AuthenticationServices fails SwiftUI
Xcode 15.2, iOS 17.2. I have a piece of code that displays videos. It has been working for at least 6 months. Suddenly only the first video played. The following videos would only play audio with the video being frozen at the first frame. I noticed that SwiftUI would start to instantiate multiple instances of my player observable class instead of just one. After chasing the problem for most of a day I found that if I completely removed every piece of code referencing AuthenticationServices then everything would work fine again. Even if I add the following piece of code, which is not used or called in any way, then SwiftUI will start to act weird.

```swift
func configure(_ request: ASAuthorizationAppleIDRequest) {
    request.requestedScopes = [.fullName, .email]
}
```

If I comment out request.requestedScopes = [.fullName, .email] everything works fine. The SignInWithApple is configured and works fine if I enable the code. Any suggestions on how to solve this, or any workarounds, would be highly appreciated.
1
0
639
Sep ’24
ASCredentialProviderViewController method not called – prepareCredentialListForServiceIdentifiers:requestParameters:
We extended the ASCredentialProviderViewController in our app to provide passkeys and everything seems to be working fine (from the user's perspective). But we are curious why prepareCredentialListForServiceIdentifiers:requestParameters: is never called. Since:
- Passkey credentials seem only to be used / offered when added to the ASCredentialIdentityStore.
- We duplicated a passkey in our app about 15 times and all passkeys for the same service were still offered by the credential chooser from iOS and not in our app (via "prepareCredentialListForServiceIdentifiers:requestParameters:").
we believe that in the current versions of iOS "prepareCredentialListForServiceIdentifiers:requestParameters:" is not used. It would be nice to get some clarification since it currently seems not possible to test the implementation of this method!
2
0
664
May ’24
anonymous authentication
Garritt, kudos for leadership on making Apple passkeys a reality. I would like to consult with Apple security/privacy/authentication teams about new anon/auth tools for web security and device logins generally. Concepts are shared in USPTO pending patent app 17/572336, for which a notice of allowance has issued. Thanks, timo, founder and CEO, PoKos Communications Corp. 603.491.9792 (m)
0
0
608
Feb ’24
What's the best approach to introduce user authentication for VisionOS
Hey community! I have an idea of a social network for VisionOS. I'm trying to figure out the best approach to implement the authentication flow for the users. I'm looking into the Auth0 package, but facing some issues with platform compatibility. Are there any recommendations? I have Auth0 in an iOS app and that works just fine. I use the webAuth() method and during migration to VisionOS I got the following error: "Module 'Auth0' has no member named 'webAuth'". I looked through the source code a little bit and found the following condition in the "Auth0" file that is not passing: #if WEB_AUTH_PLATFORM. That should be the root cause of why the error occurs at the compilation stage. I tried to apply the flag "-DWEB_AUTH_PLATFORM" to "Swift Compiler - Custom Flags", but it didn't help. Are there any tweaks that I can apply to my project to make it work? I would be happy if someone provided any relevant information. Thank you!
1
0
700
Jan ’24