Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(auth): adding support for keychain sharing using app groups #3947

Open
wants to merge 7 commits into
base: main
Choose a base branch
from

Conversation

harsh62
Copy link
Member

@harsh62 harsh62 commented Jan 7, 2025

Issue #

#2508
#3277

Integration Tests:

Integration Tests (Except DataStore & API)

Integration Tests | DataStore - All

Integration Tests | API - All

Description

This allows Amplify Swift developers to set the access group they would like the auth session to be shared on. This PR, as opposed to this PR, does not require the other app with which the auth session is being shared with to be reloaded. This helps immensely when writing a product with app extensions.

Changes made

AWSCognitoCredentialAuthCredentialStore now uses access group to create keychain instance with said access group.
If an access group is specified:

  • a different keychain service is used, specifically for shared items.
  • fetchAuthSession reconfigures the plugin when called, so that app reload is not required

Migration:

  • Amplify developers can specify if they want migration to happen by setting the migrateKeychainItemsOfUserSession to true within the accessGroup struct
  • migration involves moving any auth keychain items from the old access group (old access group name is stored in UserDefaults) to the new access group
  • migration is a batched operation, and the items will no longer be accessible from the old access group

Usage

Migrating to a Shared Keychain

To use a shared keychain:

  1. In Xcode, go to Project Settings → Signing & Capabilities
  2. Click +Capability
  3. Add Keychain Sharing capability
  4. Add a keychain group
  5. Repeat for all apps for which you want to share auth state, adding the same keychain group for all of them

To move to the shared keychain using this new keychain access group, specify the accessGroup parameter when instantiating the AWSCognitoAuthPlugin. If a user is currently signed-in, they will be logged out when first using the access group:

let accessGroup = AccessGroup(name: "\(teamID).com.example.sharedItems")
let secureStoragePreferences = AWSCognitoSecureStoragePreferences(
  accessGroup: accessGroup)
try Amplify.add(
  plugin: AWSCognitoAuthPlugin(
    secureStoragePreferences: secureStoragePreferences))
try Amplify.configure()

If you would prefer the user session to be migrated (which will allow the user to continue to be signed-in), then specify the migrateKeychainItemsOfUserSession boolean in the AccessGroup struct to be true like so:

let accessGroup = AccessGroup.none(migrateKeychainItemsOfUserSession: true)
let secureStoragePreferences = AWSCognitoSecureStoragePreferences(
  accessGroup: accessGroup)
try Amplify.add(
  plugin: AWSCognitoAuthPlugin(
    secureStoragePreferences: secureStoragePreferences))
try Amplify.configure()

Sign in a user with any sign-in method within one app that uses this access group. After reloading another app that uses this access group, the user will be signed in. Likewise, signing out of one app will sign out the other app after reloading it.

Migrating to another Shared Keychain

To move to a different access group, update the name parameter of the AccessGroup to be the new access group. Set migrateKeychainItemsOfUserSession to true to migrate an existing user session under the previously used access group.

Migrating from a Shared Keychain

If you’d like to stop sharing state between this app and other apps, you can set the access group to be AccessGroup.none or AccessGroup.none(migrateKeychainItemsOfUserSession: true) if you’d like the session to be migrated.

General Checklist

  • Added new tests to cover change, if needed
  • Build succeeds with all target using Swift Package Manager
  • All unit tests pass
  • All integration tests pass
  • Security oriented best practices and standards are followed (e.g. using input sanitization, principle of least privilege, etc)
  • Documentation update for the change if required
  • PR title conforms to conventional commit style
  • New or updated tests include Given When Then inline code documentation and are named accordingly testThing_condition_expectation()
  • If breaking change, documentation/changelog update with migration instructions

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Copy link

codecov bot commented Jan 7, 2025

Codecov Report

Attention: Patch coverage is 37.87879% with 82 lines in your changes missing coverage. Please review.

Project coverage is 67.71%. Comparing base (67d40be) to head (4b087b1).
Report is 3 commits behind head on main.

Files with missing lines Patch % Lines
...WSPluginsCore/Keychain/KeychainStoreMigrator.swift 0.00% 38 Missing ⚠️
...dentialStorage/AWSCognitoAuthCredentialStore.swift 58.00% 21 Missing ⚠️
Amplify/Categories/Auth/Models/AccessGroup.swift 0.00% 13 Missing ⚠️
...s/Core/AWSPluginsCore/Keychain/KeychainStore.swift 0.00% 6 Missing ⚠️
...gnitoAuthPlugin/Task/AWSAuthFetchSessionTask.swift 55.55% 4 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3947      +/-   ##
==========================================
- Coverage   67.79%   67.71%   -0.08%     
==========================================
  Files        1125     1128       +3     
  Lines       52126    52244     +118     
==========================================
+ Hits        35337    35377      +40     
- Misses      16789    16867      +78     
Flag Coverage Δ
API_plugin_unit_test 70.33% <ø> (ø)
AWSPluginsCore 69.34% <2.22%> (-1.03%) ⬇️
Amplify 47.84% <0.00%> (-0.05%) ⬇️
Analytics_plugin_unit_test 85.20% <ø> (ø)
Auth_plugin_unit_test 73.68% <66.21%> (-0.06%) ⬇️
DataStore_plugin_unit_test 83.45% <ø> (-0.03%) ⬇️
Geo_plugin_unit_test 74.86% <ø> (ø)
Logging_plugin_unit_test 63.11% <ø> (ø)
Predictions_plugin_unit_test 35.42% <ø> (ø)
PushNotifications_plugin_unit_test 88.43% <ø> (ø)
Storage_plugin_unit_test 76.88% <ø> (ø)
unit_tests 67.71% <37.87%> (-0.08%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@harsh62 harsh62 temporarily deployed to IntegrationTest January 7, 2025 03:28 — with GitHub Actions Inactive
@harsh62 harsh62 temporarily deployed to IntegrationTest January 7, 2025 03:28 — with GitHub Actions Inactive
@harsh62 harsh62 temporarily deployed to IntegrationTest January 7, 2025 03:28 — with GitHub Actions Inactive
@harsh62 harsh62 temporarily deployed to IntegrationTest January 7, 2025 03:28 — with GitHub Actions Inactive
@harsh62 harsh62 temporarily deployed to IntegrationTest January 7, 2025 03:28 — with GitHub Actions Inactive
@harsh62 harsh62 temporarily deployed to IntegrationTest January 7, 2025 03:28 — with GitHub Actions Inactive
@harsh62 harsh62 temporarily deployed to IntegrationTest January 7, 2025 03:28 — with GitHub Actions Inactive
@harsh62 harsh62 temporarily deployed to IntegrationTest January 7, 2025 03:28 — with GitHub Actions Inactive
@harsh62 harsh62 temporarily deployed to IntegrationTest January 7, 2025 03:28 — with GitHub Actions Inactive
@harsh62 harsh62 temporarily deployed to IntegrationTest January 7, 2025 03:28 — with GitHub Actions Inactive
@harsh62 harsh62 temporarily deployed to IntegrationTest January 7, 2025 03:28 — with GitHub Actions Inactive
@harsh62 harsh62 temporarily deployed to IntegrationTest January 7, 2025 03:28 — with GitHub Actions Inactive
@harsh62 harsh62 temporarily deployed to IntegrationTest January 7, 2025 03:28 — with GitHub Actions Inactive
@harsh62 harsh62 temporarily deployed to IntegrationTest January 7, 2025 03:28 — with GitHub Actions Inactive
@harsh62 harsh62 temporarily deployed to IntegrationTest January 7, 2025 03:28 — with GitHub Actions Inactive
@harsh62 harsh62 temporarily deployed to IntegrationTest January 7, 2025 03:28 — with GitHub Actions Inactive
@harsh62 harsh62 temporarily deployed to IntegrationTest January 7, 2025 03:28 — with GitHub Actions Inactive
@harsh62 harsh62 temporarily deployed to IntegrationTest January 7, 2025 03:28 — with GitHub Actions Inactive
@harsh62 harsh62 temporarily deployed to IntegrationTest January 7, 2025 03:28 — with GitHub Actions Inactive
@harsh62 harsh62 force-pushed the harsh62/keychain-sharing-auth-plugin branch from 3351577 to 4b087b1 Compare January 13, 2025 18:29
@harsh62 harsh62 temporarily deployed to IntegrationTest January 13, 2025 18:30 — with GitHub Actions Inactive
@harsh62 harsh62 temporarily deployed to IntegrationTest January 13, 2025 18:30 — with GitHub Actions Inactive
@harsh62 harsh62 temporarily deployed to IntegrationTest January 13, 2025 18:30 — with GitHub Actions Inactive
@harsh62 harsh62 temporarily deployed to IntegrationTest January 13, 2025 18:30 — with GitHub Actions Inactive
@harsh62 harsh62 temporarily deployed to IntegrationTest January 13, 2025 18:30 — with GitHub Actions Inactive
@harsh62 harsh62 temporarily deployed to IntegrationTest January 13, 2025 18:30 — with GitHub Actions Inactive
@harsh62 harsh62 temporarily deployed to IntegrationTest January 13, 2025 18:30 — with GitHub Actions Inactive
@harsh62 harsh62 temporarily deployed to IntegrationTest January 13, 2025 18:30 — with GitHub Actions Inactive
@harsh62 harsh62 temporarily deployed to IntegrationTest January 13, 2025 18:30 — with GitHub Actions Inactive
@harsh62 harsh62 temporarily deployed to IntegrationTest January 13, 2025 18:30 — with GitHub Actions Inactive
@harsh62 harsh62 temporarily deployed to IntegrationTest January 13, 2025 18:30 — with GitHub Actions Inactive
@harsh62 harsh62 temporarily deployed to IntegrationTest January 13, 2025 18:30 — with GitHub Actions Inactive
@harsh62 harsh62 temporarily deployed to IntegrationTest January 13, 2025 18:30 — with GitHub Actions Inactive
@harsh62 harsh62 temporarily deployed to IntegrationTest January 13, 2025 18:30 — with GitHub Actions Inactive
@harsh62 harsh62 temporarily deployed to IntegrationTest January 13, 2025 18:30 — with GitHub Actions Inactive
@harsh62 harsh62 temporarily deployed to IntegrationTest January 13, 2025 18:30 — with GitHub Actions Inactive
@harsh62 harsh62 temporarily deployed to IntegrationTest January 13, 2025 18:30 — with GitHub Actions Inactive
@harsh62 harsh62 temporarily deployed to IntegrationTest January 13, 2025 18:30 — with GitHub Actions Inactive
@harsh62 harsh62 temporarily deployed to IntegrationTest January 13, 2025 18:30 — with GitHub Actions Inactive
@harsh62 harsh62 temporarily deployed to IntegrationTest January 13, 2025 21:36 — with GitHub Actions Inactive
@harsh62 harsh62 temporarily deployed to IntegrationTest January 13, 2025 21:36 — with GitHub Actions Inactive
@harsh62 harsh62 temporarily deployed to IntegrationTest January 13, 2025 21:36 — with GitHub Actions Inactive
@harsh62 harsh62 deployed to IntegrationTest January 13, 2025 21:52 — with GitHub Actions Active
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants