Open bdhazman opened 2 years ago
+1
This has been identified as a feature request. If this feature is important to you, we strongly encourage you to give a 👍 reaction on the request. This helps us prioritize new features most important to you. Thank you!
We are looking into this internally and will get back to you when we have more information.
Is there any update on this one? We'd like to have a secure way to share the Auth tokens between our app and share extension as well.
I added support for this in the PR above ^^^
@ekurutepe Thanks for your contribution. Sorry for the delay. I left a comment on #2770
The PR requires a detailed review and design; the Amplify team will update here when we move forward with this.
I wanted to make a note about this feature request since this is something that I've been struggling a lot with figuring out over the course of the last few days. I understand that this feature is in development (which is great!), but I'm hoping that when this feature is implemented it'll also include support for anybody who's signed in via Apple, Google, etc.
Managing the auth session between a main app and app extension when someone is signed in with a username and password is pretty easy already (even though it's undocumented in the Amplify docs) and seems secure enough to me. Save the username and password as a keychain item, look for it in the extension, sign in via the extension with the password and username stored in the keychain, and that's it. However, this workflow is impossible when the user is signed in via an external provider because the password and username are not accessible.
When the user signs in via an external provider, it does create keychain items, but as far as I can tell none of these keychain items include the user's password and username, which makes them useless for the purpose of signing in via an app extension.
This might've gone without saying, but I didn't see anybody mention it above so I thought it was worth throwing it out there. Thanks!
@julianworden Thanks for your detailed analysis. We will definitely take this information into account. Appreciate the effort.
We'd also really like to see this enabled!
Do you plan to implement it?
Hello, any news on this? It's been over a year and no updates. It's a quite important feature to support, we cannot use app extensions properly because of this.
@dandreiolteanu We are actively working on this feature and will link any PRs opened to this issue so that you can see the progress our team is making.
Hi @bdhazman. We've been working on this feature, feel free to try out using keychain sharing through this branch. Usage is explained in the PR. We would appreciate any feedback or comments on how to improve this feature before we release, and let us know if something is unclear or not working!
Is your feature request related to a problem? Please describe.
Amplify manages user authentication and credentials but while Amplify functionality (including authentication) can be used in App Extensions such as Share Extensions, authentication sessions are not shared between apps and their app extensions. This is a problem for developers who want to use the Amplify library for managing iOS authentication to their services but also build software that extends the functionality of their application with app extensions. (examples of feature request: 1, 2)
Describe the solution you'd like
An ideal solution is allowing for cross-app authentication by taking advantage of Apple's 'shared keychain' through keychain access groups in a manner similar to how Firebase does. Allowing developers to choose the keychain group their application uses would allow them to support cross-app authentication including App Extensions.
Amplify already relies on iOS's keychain so implementing this change would be a matter of making changes to how Amplify accesses and writes credentials to the system's keychain.
Making this change would give developers the opportunity to build suites of apps that require only one log in and extend functionality of their apps through deeper iOS integration with extensions such as Share Extensions and widgets.
Describe alternatives you've considered
Alternatives to this feature can result in poor user experiences or less secure workarounds.
I am open to hearing any other suggested alternatives for accessing existing authentication sessions in extensions of apps.
Is the feature request related to any of the existing Amplify categories?
Auth
Additional context
I am happy to provide contributions similar to what has been done here in order to build this feature into Amplify's Swift/iOS library.