[Auth] Fixed macOS extension keychain access by adding recommended kS… #9102

Merged
merged 2 commits into from
Dec 20, 2021

kamilpowalowski (Contributor) commented Dec 15, 2021

Fixes #8950, #6876

I'm working on an app that used Firebase Auth for authentication. I have an iOS app with an iOS Share Extension and a macOS app with a macOS Share Extension.
By adding a Keychain Access Group, I can use authenticated accounts between the main iOS app and the iOS Share Extension. But the same code doesn't work on macOS.
When the app is installed on macOS or when I'm trying to access it from the macOS Share Extension, I always get a prompt for keychain access. I started to dig, and I found the keychain parameter https://developer.apple.com/documentation/security/ksecusedataprotectionkeychain. In its documentation, we can find:

> use the data protection key when adding, searching for, or deleting an item to which the kSecAttrAccessible or kSecAttrAccessGroup attributes apply.

> It's highly recommended that you set the value of this key to true for all keychain operations. This key helps to improve the portability of your code across platforms.

It can be added to all platforms:

> The data protection key affects operations only in macOS. Other platforms automatically behave as if the key is set to true, and ignore the key in the query dictionary. You can safely use the key on all platforms.

The kSecUseDataProtectionKeychain key is also mentioned in the https://developer.apple.com/documentation/security/ksecattraccessgroup documentation:

> This attribute applies to macOS keychain items only if you also set a value of true for the kSecUseDataProtectionKeychain key, the kSecAttrSynchronizable key, or both.

But I have to limit it a bit with the @available parameter.

I took a screenshot from the keychain without that key (only the main app is listed)
Screen Shot 2021-12-15 at 13 15 43

and a screenshot from the keychain after the key was added (KeychainGroup access is listed instead)
Screen Shot 2021-12-15 at 13 15 36
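
A sketch of the approach described in the comment above, added here as an example and not taken from the Firebase code base: one function builds the base keychain query, including the availability-gated `kSecUseDataProtectionKeychain` key, so that every add, update and lookup uses the same attributes. The function names, the service and account values, and the access group string are hypothetical.

```swift
import Foundation
import Security

// Hypothetical helper: base query for a generic-password item in a shared
// access group (e.g. "TEAMID.com.example.shared", a placeholder value).
func sharedItemQuery(service: String, account: String, accessGroup: String) -> [String: Any] {
    var query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecAttrAccessGroup as String: accessGroup,
    ]
    // On macOS the access group only applies when the data protection
    // keychain is selected; other platforms ignore this key.
    if #available(macOS 10.15, iOS 13.0, tvOS 13.0, watchOS 6.0, *) {
        query[kSecUseDataProtectionKeychain as String] = true
    }
    return query
}

// Update the item if it exists, otherwise add it. Returns the OSStatus so
// the caller can log or handle failures such as a missing entitlement.
func storeSharedItem(_ data: Data, service: String, account: String, accessGroup: String) -> OSStatus {
    let base = sharedItemQuery(service: service, account: account, accessGroup: accessGroup)
    let changes: [String: Any] = [kSecValueData as String: data]
    var status = SecItemUpdate(base as CFDictionary, changes as CFDictionary)
    if status == errSecItemNotFound {
        var addQuery = base
        addQuery[kSecValueData as String] = data
        status = SecItemAdd(addQuery as CFDictionary, nil)
    }
    return status
}

// Look the item up with the same base query, from the app or its extension.
func loadSharedItem(service: String, account: String, accessGroup: String) -> (OSStatus, Data?) {
    var query = sharedItemQuery(service: service, account: account, accessGroup: accessGroup)
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    return (status, result as? Data)
}
```

On macOS, both the app and the extension must be signed with an entitlement that covers the access group, otherwise these calls return `errSecMissingEntitlement`. Items written earlier to the file-based keychain are not returned by queries that set this key, so existing installs may need a one-time migration or re-authentication.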

ncooke3 (Member) left a comment

Thanks a lot for the investigation and contribution @kamilpowalowski! I've approved the CI workflows.

Have you completed the Google CLA?

kamilpowalowski (Contributor, Author) commented

@ncooke3 No problem :) I need that for my own app so I was motivated.

Yes, I completed Google CLA yesterday.

ncooke3 requested a review from rosalyntan December 15, 2021 13:11

ncooke3 (Member) left a comment

LGTM. I added one request below. Thanks again @kamilpowalowski!

paulb777 added the macOS label Dec 15, 2021

rosalyntan (Member) left a comment

Thank you for the contribution! One minor comment, and there's a new merge conflict in the changelog that needs to be resolved before merging this, but otherwise LGTM!

rosalyntan merged commit 480178b into firebase:master Dec 20, 2021

nidegen commented Dec 22, 2021

@kamilpowalowski do you have an idea by any chance if this would also fix a similar bug on tvOS?

kamilpowalowski (Contributor, Author) commented

@nidegen, I don’t think so. It fixes a behavior related strictly to macOS. On macOS, you have access to the whole keychain. On other systems, you shouldn't have that problem. But (if possible) you should try to set shareAuthStateAcrossDevices to true. It may solve your problem.

granluo pushed a commit that referenced this pull request Dec 29, 2021
#9102)

* [Auth] Fixed macOS extension keychain access by adding recommended kSecUseDataProtectionKeychain key

* Refactored FIRAuthStoredUserManager to extract keychain query building to separated function.

firebase locked and limited conversation to collaborators Jan 20, 2022

Labels: api: auth, macOS

Successfully merging this pull request may close these issues.

SwiftUI/macOS Auth: "[App] wants to use your confidential information stored in 'com.firebase.FIRInstallations.installations' in your keychain."