Hi,
We developed a Platform SSO extension for our IdP, Keycloak. It would be great to get some feedback on it:
https://francisaugusto.com/2025/Platform_single_sign_on_diy/
Hi,
I developed a Platform Single Sign-On extension and a corresponding extension for my IdP, which is Keycloak based. The code for both projects is here:
https://github.com/unioslo/keycloak-psso-extension
and
https://github.com/unioslo/weblogin-mac-sso-extension
I realized that, when using the Secure Enclave as the AuthenticationMethod, and according to Apple's documentation, the Extension doesn’t obtain fresh ID Tokens when they expire if the refresh token is still valid.
When using password as the Authentication Method, it fetches new ID tokens when they expire, without prompting the user for credentials, by using the refresh token.
My suggestion is that the same behavior should be implemented for Secure Enclave keys.
The thing here is that usually, on OIDC flows, the ID/Access tokens are short-lived. It would make sense for the extension to provide fresh ID tokens. It doesn’t seem to make sense for me that, when using passwords, the extension would fetch these tokens, and not when having the Secure Enclave key.
By not doing this, Apple almost forces the developer of an extension to fetch new ID tokens themselves, which doesn’t make sense when it clearly provides fresh tokens when using passwords. It almost forces the developers to either implement that logic themselves, or to issue longer tokens, which is not so nice.
How do you deal with this? Do you simply use the refresh token as an authentication token, or do you do some sort of manual refresh on the extension?
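The "manual refresh" the post asks about, as an added example that is not code from either linked project: it reads the ID token's exp claim only to decide when to refresh, sends the standard RFC 6749 refresh_token grant to the Keycloak token endpoint (realm name, client_id and the injected `post` transport are assumptions, and it is written in Python rather than Swift so the logic can be run stand-alone), and surfaces a rejected refresh token as a re-authentication event.

```python
import base64
import json
from urllib.parse import urlencode

# Assumed Keycloak token endpoint; the realm name is a placeholder.
TOKEN_ENDPOINT = "https://idp.example.com/realms/REALM/protocol/openid-connect/token"

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def jwt_exp(token):
    # exp is read unverified only to schedule the refresh; the extension still
    # validates the signature of every ID token before handing it to the system.
    _header, payload, _sig = token.split(".")
    return int(json.loads(b64url_decode(payload))["exp"])

def needs_refresh(id_token, now, leeway=60):
    # Refresh while the ID token is still valid, so callers never see an expired one.
    return jwt_exp(id_token) - now <= leeway

def refresh_request(client_id, refresh_token):
    # RFC 6749 section 6 refresh grant; a public client sends client_id in the body.
    body = urlencode({"grant_type": "refresh_token",
                      "refresh_token": refresh_token,
                      "client_id": client_id})
    return {"url": TOKEN_ENDPOINT,
            "headers": {"Content-Type": "application/x-www-form-urlencoded"},
            "body": body}

def ensure_fresh(tokens, now, post, client_id="psso-extension"):
    """Return (tokens, refreshed). `post(url, headers, body)` -> (status, json) is injected."""
    if not needs_refresh(tokens["id_token"], now):
        return tokens, False
    req = refresh_request(client_id, tokens["refresh_token"])
    status, resp = post(req["url"], req["headers"], req["body"])
    if status != 200:
        # Refresh token expired or revoked: the user has to authenticate again.
        raise PermissionError(f"refresh rejected: {resp}")
    new = dict(tokens)
    new["id_token"] = resp["id_token"]
    new["access_token"] = resp.get("access_token", tokens.get("access_token"))
    # Keycloak may rotate the refresh token; keep the new one when it is returned.
    new["refresh_token"] = resp.get("refresh_token", tokens["refresh_token"])
    return new, True

def unsigned_jwt(claims):
    # Constructed test helper only: an unsigned token with an empty signature part.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```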
Hi,
I am developing a Platform SSO extension in order to have it integrated with our IdP, which I am also adapting to provide the right endpoints for Platform SSO.
I have a few questions about the implementation:
Does the client-request-id need to be present on all requests? Is it unique per request, or should requests that are bound together, like those requesting a nonce and those that will use that nonce, use the same client-request-id?
I am not sure how the loginManager.presentRegistrationViewController works. I'd like to get the user to authenticate to my IdP before device registration. So I am not sure if I should provide my own Webview or something similar, or if this method should do something for me.
My idea is to request user authentication once, save the state when performing device registration, so that I avoid asking for user authentication twice when performing user registration. Is this the right way to do it?
How does Platform SSO handle tokens? If one application of my IdP requests the authentication on a common OIDC/OAuth2 flow, should I perform some sort of token exchange?
How about SAML? Platform SSO seems to be token-centric, but how does one handle SAML flows? Is it by using WebView as well?
I am developing an SSO Extension so that I can have SSO with Keycloak across applications.
OIDC/OAuth2 works very well.
But I am struggling with SAML. It works, but it seems that the form submission is always triggered twice.
I use decisionHandler(.cancel) to stop the form submission and redirect it to the browser. I still get the form submitted both by the extension and by the browser.
At some point I tried to allow the form submission in the Extension so that I get the redirect with the response to the browser. It still triggered another submission.
Does anyone experience this issue?
Hi,
A lot of e-mail providers support OAuth2 authentication.
However, Mail.app on macOS and iOS do not support configuring a mail account that would use OAuth2 authentication, unless it's on its hardcoded list of account providers.
Is there any framework that allows setting up a custom account for my institution, so that we could begin to offer OAuth2 authentication for mail and calendar?
I am developing an app which makes use of actionable notifications.
In my code (the userNotificationCenter function), I need to read my users from the local storage on the iPhone:
import Foundation
import Security

// Look up the stored users blob in this device's keychain.
let query: [String: Any] = [
    kSecClass as String: kSecClassGenericPassword,
    kSecAttrService as String: "uio-auth",
    kSecAttrAccount as String: "users",
    kSecReturnData as String: true
]
var result: AnyObject?
let status = SecItemCopyMatching(query as CFDictionary, &result)
// errSecItemNotFound means the keychain being queried has no such item.
guard status == errSecSuccess, let ref = result as? Data else {
    print("keychain lookup failed with status \(status)")
    return
}
But when the same code executes when I tap on the notification on the Apple Watch, it doesn't fetch anything. It now occurs to me:
Does it mean that when an actionable notification programmed for iOS is displayed on the Apple Watch, it tries to access its own storage, and not the iPhone's? If so, is there a nice way to pass the values to watchOS so that when the callback for the actionable notifications runs, it then has the data it needs?
Hi,
I was going to use the Accounts framework to attempt to add a custom internet account so that our users can authenticate to our IdP (OAuth2) for their mail accounts.
When using the Accounts framework, I got this warning:
'ACAccountStore' was deprecated in iOS 15.0: Use appropriate non-Apple SDK corresponding to the type of account you want to reference instead
Is there any documentation on how to code/add custom Internet Accounts to macOS/iOS?
My e-mail server supports OAuth for login. It would be nice to replace username/password with OAuth, the same way that other accounts such as Microsoft Exchange, Google, etc., work.
Is there a framework that allows me to implement such a thing? Like a custom internet account in addition to vanilla IMAP and the others provided by Google, Microsoft, Yahoo, etc.?
Hi,
A few days ago, I tested actionable notifications, and I get the buttons configured for the category displayed on my iPhone when I get an alert notification.
The buttons used to be displayed on the Apple Watch as well, but now I only get "Dismiss".
Any reason for that?
Hi,
If we implement actionable notifications on iOS, the buttons corresponding to the actions are displayed on the Apple Watch as well.
I wonder if I could detect that the button was tapped on the Apple Watch or on the iPhone, so I could react to it differently.