Support Keychain Access Groups

[ekurutepe]

Issue #

#2508

Description

This change enables secure sharing of Cognito session between the main app and app extensions.

This is achieved through an optional awsCognitoAuthPlugin configuration parameter `KeychainAccessGroup:

{
    "auth": {
        "plugins": {
            "awsCognitoAuthPlugin": {
                "IdentityManager": {
                    "Default": {}
                },
                "CognitoUserPool": {
                    "Default": {
                        "PoolId": <Pool Id>,
                        "AppClientId": <App Client ID>,
                        "Region": <Region>
                    }
                },
                "Auth": {
                    "Default": {
                        "authenticationFlowType": "CUSTOM_AUTH",
                    }
                },
                "KeychainAccessGroup": <Access Group>
            }
        }
    }
}

General Checklist

• Added new tests to cover change, if needed
• Build succeeds with all target using Swift Package Manager
• All unit tests pass
• All integration tests pass
• Security oriented best practices and standards are followed (e.g. using input sanitization, principle of least privilege, etc)
• Documentation update for the change if required
• PR title conforms to conventional commit style
• New or updated tests include Given When Then inline code documentation and are named accordingly testThing_condition_expectation()
• If breaking change, documentation/changelog update with migration instructions

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[harsh62]

Thank you for creating PR to support passing Keychain Groups. Since the configuration file is generated by using @aws-amplify/amplify-cli , adding KeychainAccessGroup would first need to be implemented with CLI.
Manually editing the configuration file is discouraged as could be overwritten during a change done through the CLI.
So we have two options here:

• Propagate the right changes with @aws-amplify/amplify-cli as well to support this feature.
• Allow customers to dynamically pass the keychain access group to the Auth Plugin.

[harsh62]

Digging deeper into the PR and the existing implementation, I found a scenario where we also need to consider how existing items that are there in the keychain can be updated to use access group that was passed in.

[harsh62]

We should not be adding accessGroupto the legacy keychain. This would cause migration to fail from V1 to V2.

[ekurutepe]

@harsh62 thanks for looking into this PR. We have been using this branch in production for a few weeks now. I understand that the bar to be included in a popular public SDK is very high and this probably needs to address various different use cases that I am not familiar with and did not consider. Please feel free to take over and take it to the finish line. I'd kindly suggest to prioritize this internally since this feature is required to be able to safely share cognito credentials between the main app and app extensions.

[harsh62]

I am gonna close this PR as the team will be working on this feature with a different design. Will keep the issue #2508 open for more udpates.