
Amplify uses 'shared-access-group' keyChain store, while also making an assumption it's private #3277

Closed
myeyesareblind opened this issue Oct 4, 2023 · 4 comments
Labels: auth (Issues related to the Auth category), feature-request (Request a new feature)

Comments


myeyesareblind commented Oct 4, 2023

Describe the bug

We have a few builds of our app: AdHoc, Beta, Alpha, AppStore.

At some point, we found that when an internal dev installs & launches 'Beta', it will magically sign the user off from AppStore or any other build.
Turns out, we have the 'keychain-access-group' entitlement added to the app.
Now, by default, KeyChain writes to ('first-keychain-access-group' ?? app-id).
This makes the keyChain store actually shared across all the apps.
We are using Cognito & it writes to the same key.

https://developer.apple.com/documentation/security/ksecattraccessgroup

If you don’t explicitly set a group, keychain services defaults to the app’s first access group, which is either the first keychain access group, or the app ID when the app has no keychain groups

I don't know why Apple has made such a design choice, but Amplify 'must' set the keychain group to the app-id, otherwise it makes it shared.

Here is my keychain item that I got from Cognito; as you can see, there is an 'Access Group' added.
[Screenshots: Keychain Access view of the Cognito item showing its Access Group attribute]

Steps To Reproduce

There are no steps, as it's mostly about build configuration.
The issue can be observed if an organisation has a few applications (with different bundle IDs) that have a shared keychain-access-group.
Both applications would write into the same keychain item.

Expected behavior

Cognito KeyChain is not shared across the apps.

Amplify Framework Version

2.3.0

Amplify Categories

Auth

Dependency manager

Swift PM

Swift version

5.9

CLI version

12.1.1

Xcode version

14.3.1

Relevant log output

na

Is this a regression?

No

Regression additional context

No response

Platforms

iOS, macOS

OS Version

iOS 16

Device

iPhone X

Specific to simulators

No response

Additional context

My team spent quite some time figuring this out ...
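The behaviour described above (the item landing in whichever group is first in `keychain-access-groups`) can be avoided by naming the access group explicitly on every keychain call. The Swift helper below is an added illustration, not code from this issue or from Amplify (which, per the thread, has no accessGroup parameter yet); `appIdentifierPrefix` is a placeholder for your Team ID prefix, and `accessGroupOf` lets you check which group an existing item actually lives in.

```swift
import Foundation
import Security

// Added example, not Amplify code. PLACEHOLDER: replace with your own Team ID prefix.
let appIdentifierPrefix = "ABCDE12345."
// Team ID + bundle ID is the app's own app-id group, which every app can use
// regardless of what is listed first in keychain-access-groups.
let privateAccessGroup = appIdentifierPrefix + (Bundle.main.bundleIdentifier ?? "com.example.app")

enum KeychainError: Error { case unexpectedStatus(OSStatus) }

private func baseQuery(service: String, account: String) -> [String: Any] {
    return [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecAttrAccessGroup as String: privateAccessGroup, // explicit group: never shared by default
    ]
}

/// Stores `data` in the app's private access group, replacing any prior copy.
func storePrivate(_ data: Data, service: String, account: String) throws {
    var query = baseQuery(service: service, account: account)
    SecItemDelete(query as CFDictionary) // avoid errSecDuplicateItem on re-add
    query[kSecValueData as String] = data
    query[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    let status = SecItemAdd(query as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
}

/// Reads the item back from the same group; nil if it is absent.
func loadPrivate(service: String, account: String) throws -> Data? {
    var query = baseQuery(service: service, account: account)
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var result: AnyObject?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    if status == errSecItemNotFound { return nil }
    guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
    return result as? Data
}

/// Audit helper: reports the access group of an item written WITHOUT an explicit group,
/// so you can see whether it ended up in a shared group (the bug in this issue).
func accessGroupOf(service: String, account: String) -> String? {
    var query = baseQuery(service: service, account: account)
    query.removeValue(forKey: kSecAttrAccessGroup as String) // match whatever group it is in
    query[kSecReturnAttributes as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var result: AnyObject?
    guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess else { return nil }
    return (result as? [String: Any])?[kSecAttrAccessGroup as String] as? String
}
```

If `accessGroupOf` returns a shared group for an item your library wrote, that item is readable by every build that carries the same entitlement; the thread's workaround of placing a unique group first in `keychain-access-groups` changes that default, while the helper above pins it explicitly.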

@atierian added the bug, auth, and investigating labels Oct 4, 2023

atierian commented Oct 4, 2023

Thanks for reporting this and for the thorough explanation @myeyesareblind!

We're actively investigating it and will get back to you here as soon as possible.

thisisabhash (Member) commented

Hello,
Thank you for posting this.
Currently, you may work around this by adding a unique keychain access group (e.g. the Bundle ID of your app flavor) to the top of the list in the keychain group.

[Screenshot: keychain access group entitlement list]

We currently have a feature request in place for adding an accessGroup parameter to AWSCognitoAuthPlugin to support Keychain access groups. You may track that feature request there: #2508

@harsh62 added the pending-community-response and feature-request labels and removed the investigating and bug labels Oct 5, 2023

github-actions bot commented Oct 5, 2023

This has been identified as a feature request. If this feature is important to you, we strongly encourage you to give a 👍 reaction on the request. This helps us prioritize new features most important to you. Thank you!

thisisabhash (Member) commented

Tracking this in #2508 and closing this.
